...
Recursive calling vulnerability or race to empty is is the kind of attack seen on Friday 2016-06-17. Here is what happens:
The attacker exploits the fact that when a contract sends ether to another contract it also executes the code in the destination contract. If the destination contract is malicious, it could try to ask the first contract to send the money again. If the first contract does not update the balances before sending, the attacker is allowed to withdraw several times a single amount
The process is draining the ether contained in the DAO into a child DAO.
...