Wallet Withdraw

Race-Condition Balance

The withdraw flow reads the balance, decides if the request is allowed, then writes — without a transaction or row lock — so two concurrent requests both see funds and both succeed.

CWE-362CWE-367
Back to hub Reload scenario
Race probe 

  


      

    


    

      

        
Expected Findings

        
    
          
  • Balance read and write are not atomic.
  • No `SELECT ... FOR UPDATE` or transaction around the operation.
  • Idempotency keys are accepted but not actually enforced.
    • 
        

      


      

        
Primary Flows

        
    
          
          
  • 
            Withdraw
            POST repeated requests, both win
          
    • 
          
          
  • 
            Ledger
            Shows over-withdrawn balance
          
    • 
          
        

      


      

        
Signals

        
        

          
Bug

          
bal := db.Get(acct); if bal >= amount { db.Set(acct, bal-amount) }  // TOCTOU

        

        
      

    


    

    

      Developed by vibe-eval.com for validation and testing purposes only.