BugForge - Daily - Shady Oaks Finance (Repeat)
Daily - Shady Oaks Finance (Repeat)
This is a repeat of the daily challenge from January 23rd, 2026.
Vulnerability Overview
The Shady Oaks Finance application contains a TOCTOU (Time-of-Check Time-of-Use) race condition in the currency conversion endpoint. Balance verification and balance deduction are not performed as atomic operations. When multiple concurrent requests target the /api/convert-currency endpoint simultaneously, they all read the same account balance before any deductions are applied, allowing each request to proceed as if sufficient funds are available. By using Caido’s Automate tool with 50 concurrent workers, the time window between balance verification and balance deduction can be exploited to perform currency conversions far exceeding the actual available funds.
Key Issues:
- Balance verification and balance deduction occur as separate, non-atomic operations
- No database-level locking or transactional isolation is applied during currency conversions
- Concurrent requests can all read the same balance before any writes occur, bypassing balance constraints
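As an added illustration (not part of the challenge or the application's own code), this Python model contrasts the non-atomic check-then-deduct pattern described above with a conditional UPDATE that performs the balance check and the deduction in one atomic statement. The account name, amounts, SQLite schema and the barrier used to force the race window are constructed assumptions.

```python
import sqlite3
import tempfile
import threading

# Constructed sample: one account with 100 units and 50 concurrent conversions
# of 10 units each, so only 10 of them should ever be allowed to succeed.
START_BALANCE, AMOUNT, WORKERS = 100, 10, 50
WRITE_LOCK = threading.Lock()   # each write is atomic; the stale check is the bug

def vulnerable_convert(balances, account, amount, barrier):
    """Check-then-deduct with no atomicity: the TOCTOU pattern the page describes."""
    if balances[account] < amount:      # time of check
        return False
    barrier.wait()                      # race window: all checks finish before any write
    with WRITE_LOCK:
        balances[account] -= amount     # time of use, acting on the stale read
    return True

def hardened_convert(db_path, account, amount):
    """Check and deduction folded into one conditional UPDATE, an atomic statement."""
    conn = sqlite3.connect(db_path, isolation_level=None)  # autocommit mode
    try:
        cur = conn.execute("UPDATE accounts SET balance = balance - ? "
                           "WHERE id = ? AND balance >= ?", (amount, account, amount))
        return cur.rowcount == 1        # zero rows touched means insufficient funds
    finally:
        conn.close()

def _run(target, *args):  # fire WORKERS threads at target and count successes
    results = []
    threads = [threading.Thread(target=lambda: results.append(target(*args)))
               for _ in range(WORKERS)]
    for t in threads: t.start()
    for t in threads: t.join()
    return sum(results)

def run_vulnerable():
    balances = {"acct": START_BALANCE}
    ok = _run(vulnerable_convert, balances, "acct", AMOUNT, threading.Barrier(WORKERS))
    return ok, balances["acct"]         # (50, -400): the account is overdrawn

def run_hardened():
    path = tempfile.mkdtemp() + "/bank.db"
    with sqlite3.connect(path) as conn:
        conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER)")
        conn.execute("INSERT INTO accounts VALUES ('acct', ?)", (START_BALANCE,))
    ok = _run(hardened_convert, path, "acct", AMOUNT)
    balance = sqlite3.connect(path).execute("SELECT balance FROM accounts").fetchone()[0]
    return ok, balance                  # (10, 0): the balance never goes below zero
```

The same conditional-update shape (or a row lock such as `SELECT ... FOR UPDATE` inside one transaction) is the fix on a server-side database; the barrier only exists to make the race reproducible in a single process.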
Vulnerabilities Covered
- Race Condition / Time-of-Check Time-of-Use (TOCTOU)
- Concurrency Control Bypass
Classification
- OWASP Top 10: A04:2021 - Insecure Design
- Vulnerability Type: Race Condition / Time-of-Check Time-of-Use (TOCTOU)
- Attack Surface: Currency conversion API endpoint
- CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
This post is licensed under CC BY 4.0 by the author.
