How a Researcher Got $1,000 of Free Stock with 30 Parallel Requests
In 2023, a researcher testing an e-commerce platform sent 50 identical coupon redemption requests at the exact same millisecond. The coupon was marked "single-use". The result: the coupon was applied 47 times. All 50 requests passed the "is this coupon used?" check before any of them incremented the counter.
This is a race condition — specifically a TOCTOU (Time-of-Check to Time-of-Use) bug. The check ("is this coupon used?") and the update (incrementing the counter) are two separate operations, and any request that arrives in the gap between them still sees the old, unused state.
REAL RACE CONDITION BOUNTIES
HackerOne — $10,000: race on the vote mechanism, voting on a report multiple times simultaneously
Shopify — $15,000: single-use discount applied hundreds of times via a race
PayPal — $20,000: one-time credit bonus redeemed concurrently multiple times
Coinbase — $30,000: the same funds withdrawn twice in simultaneous requests
The TOCTOU pattern
// ❌ VULNERABLE — read-then-write, no locking
function applyCoupon(code) {
  const coupon = db.find(code);                                    // read the current use count
  if (coupon.uses >= coupon.maxUses) return error('Exhausted');    // check
  // ← TIME GAP — 50 concurrent requests all pass the check here
  db.increment(code, 'uses');                                      // use: all 50 then increment
  applyDiscount();                                                 // all 50 get the discount
}
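To make the gap concrete, here is an added, runnable model of the pattern above (this is illustrative code written for this page, not the platform's real code). It uses a constructed in-memory coupon table and a simulated database round-trip between the check and the update, fires 50 redemptions at once, and counts how many are granted. The hardened variant next to it performs the check and the increment as one atomic step (the equivalent of a conditional `UPDATE ... WHERE uses < max_uses` whose affected-row count is the answer), so concurrent callers cannot interleave between them. The store, coupon code and function names are assumptions made for the example.

```javascript
// Added example: in-memory coupon store with simulated I/O latency.
// Not the original page's code; every name here is constructed for illustration.

function makeStore(maxUses) {
  // Constructed sample state: one coupon with a use limit.
  const rows = new Map([['SAVE10', { uses: 0, maxUses }]]);
  // Simulated database round-trip: yields to the event loop like a real query would.
  const tick = () =>
    new Promise((resolve) =>
      typeof setImmediate === 'function' ? setImmediate(resolve) : setTimeout(resolve, 0));
  return {
    // Snapshot read: returns a copy of the row as it was when the query ran.
    async find(code) { await tick(); return { ...rows.get(code) }; },
    // Unconditional write: increments regardless of the current count.
    async increment(code) { await tick(); rows.get(code).uses += 1; },
    // Atomic check-and-increment: no await between the comparison and the write,
    // so no other request can interleave. Returns true only if the row changed.
    async incrementIfBelowMax(code) {
      await tick();
      const row = rows.get(code);
      if (row.uses >= row.maxUses) return false;
      row.uses += 1;
      return true;
    },
    uses(code) { return rows.get(code).uses; },
  };
}

// Vulnerable: read-then-check-then-write, with a gap between check and write.
async function applyCouponVulnerable(store, code) {
  const coupon = await store.find(code);
  if (coupon.uses >= coupon.maxUses) return false; // every concurrent caller sees uses === 0
  await store.increment(code);                      // ...so every one of them increments
  return true;                                      // ...and every one of them gets the discount
}

// Hardened: the check and the update are a single atomic operation.
async function applyCouponSafe(store, code) {
  return store.incrementIfBelowMax(code);
}

// Fire `n` redemptions concurrently against a fresh store and report the outcome.
async function race(applyFn, n, maxUses = 1) {
  const store = makeStore(maxUses);
  const results = await Promise.all(
    Array.from({ length: n }, () => applyFn(store, 'SAVE10')));
  return { granted: results.filter(Boolean).length, uses: store.uses('SAVE10') };
}

async function demo() {
  const vulnerable = await race(applyCouponVulnerable, 50);
  const hardened = await race(applyCouponSafe, 50);
  console.log('vulnerable:', vulnerable); // { granted: 50, uses: 50 }
  console.log('hardened:', hardened);     // { granted: 1, uses: 1 }
  return { vulnerable, hardened };
}

demo();
```

The vulnerable path grants all 50 because every request's read completes before any request's write; the gap is the round-trip between `find` and `increment`. The hardened path grants exactly one because the comparison and the write happen in the same uninterruptible step. In a real system that step is a conditional update or a row lock in the database (or a per-coupon mutex in front of it), and the redemption code must treat "zero rows changed" as "exhausted" rather than re-reading the counter.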
What does TOCTOU stand for and why does it cause race conditions?