I discovered a race condition in a withdrawal endpoint. By sending multiple concurrent requests, I was able to trigger two or more withdrawals before the system could update the user's balance, effectively letting me withdraw more than I had.
In this post, I'll walk you through:
- How I spotted the vulnerability
- A simple PoC using Burp Intruder
- Why locking mechanisms (or atomic DB operations) are essential
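To make the third point concrete, here is an added example (my own, not the author's published write-up or the vulnerable endpoint's real code) that reproduces the race and the fix against an assumed single-row `accounts` table in sqlite3. The vulnerable handler reads the balance, checks it, then writes a new value; a `Barrier` forces every concurrent request past the read before any write happens, which is the interleaving Burp Intruder is trying to provoke. The hardened handler folds the check into the `UPDATE` itself, so the database evaluates `balance >= amount` and the debit under its own row lock.

```python
import sqlite3
import threading

# Added example, not the author's code. A toy account table (one row, id 1)
# in an in-memory sqlite3 database is assumed; the real endpoint's schema is
# not shown on the page.
DB_LOCK = threading.Lock()  # serialises *individual* statements on the shared connection


def make_db(opening_balance):
    conn = sqlite3.connect(":memory:", check_same_thread=False)
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO accounts (id, balance) VALUES (1, ?)", (opening_balance,))
    conn.commit()
    return conn


def run_sql(conn, sql, params=()):
    """Run one statement atomically on the shared connection; return (rows, rowcount)."""
    with DB_LOCK:
        cur = conn.execute(sql, params)
        rows = cur.fetchall()
        conn.commit()
        return rows, cur.rowcount


def withdraw_vulnerable(conn, account_id, amount, window=None):
    """Read balance, check it, write it back: a time-of-check/time-of-use race.
    `window` is a hook that lets other requests run between the read and the
    write, which is exactly what concurrent requests do on a real server."""
    rows, _ = run_sql(conn, "SELECT balance FROM accounts WHERE id = ?", (account_id,))
    balance = rows[0][0]
    if window is not None:
        window()
    if balance < amount:
        return False
    # Every racing request computed the same stale `balance - amount`.
    run_sql(conn, "UPDATE accounts SET balance = ? WHERE id = ?", (balance - amount, account_id))
    return True


def withdraw_atomic(conn, account_id, amount, window=None):
    """Check and debit in ONE statement. The database applies the WHERE clause
    and the assignment under its own row lock, so there is no window to hit;
    `window` is accepted only so both versions share one harness."""
    _, changed = run_sql(
        conn,
        "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
        (amount, account_id, amount),
    )
    return changed == 1


def race(withdraw, opening_balance, amount, n_requests):
    """Fire n_requests concurrent withdrawals of `amount` against account 1.
    The Barrier makes every request finish its balance read before any of
    them writes. Returns (number of successful withdrawals, final balance)."""
    conn = make_db(opening_balance)
    barrier = threading.Barrier(n_requests)
    results = [None] * n_requests

    def request(i):
        results[i] = withdraw(conn, 1, amount, window=barrier.wait)

    threads = [threading.Thread(target=request, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    rows, _ = run_sql(conn, "SELECT balance FROM accounts WHERE id = 1")
    return sum(results), rows[0][0]


if __name__ == "__main__":
    # Three concurrent requests for 80 against a balance of 100.
    print("vulnerable:", race(withdraw_vulnerable, 100, 80, 3))  # (3, 20): 240 paid out
    print("atomic:    ", race(withdraw_atomic, 100, 80, 3))      # (1, 20): only one succeeds
```

The vulnerable version pays out three times and still leaves the balance at 20, because each request wrote back the same stale `100 - 80`. The conditional `UPDATE` is the cheapest fix; on PostgreSQL or MySQL the equivalent pattern is `SELECT ... FOR UPDATE` inside a transaction, and a per-account application lock works too, as long as the check and the write happen under the same lock. Note that the per-statement `DB_LOCK` in the example does not save the vulnerable handler: serialising each statement is not the same as serialising the check-then-write sequence.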
📌 I've published the full, detailed version on my GitHub Pages site, including the HTTP requests, the vulnerable code snippet, and a fixed implementation…
👉 Continue reading the full write-up here: [Full Step-by-Step Guide]

Happy hacking!