Stack: Node.js • Express • MongoDB
Welcome to Digital Wallet API — a small fintech API where users can transfer money instantly. The project is intentionally vulnerable. The audit team found multiple critical issues: funds disappearing, user theft, and privacy leaks.
Your mission: fix the critical bugs in the API so it becomes secure and production-ready.
Follow these steps to get the project running locally.
- Install dependencies:
  npm install
- Make sure MongoDB is running locally on port 27017.
- Start the server:
  node server.js
- Reset test data (creates sample users Alice, Bob, Mallory) by sending a POST request to:
  http://localhost:3000/api/wallet/setup
This populates the database with these test users and balances:
- Alice — $100.00
- Bob — $50.00
- Mallory — $0.00
Use a REST client (Postman, Insomnia, curl) to interact with the API.
For the exercise we use a simple header to act as one of the test users. This header exists purely for the challenge and must never be used in real production code.
Add header x-user-id with one of these values:
- alice — act as Alice
- mallory — act as Mallory
- GET /api/wallet — check your current balance
- POST /api/wallet/transfer — send money
  Request body JSON example:
  { "toUserId": "bob", "amount": 50 }
- GET /api/wallet/history/:id — view transaction history for user id
Open issue.md for the official list — there are 5 critical bugs to fix covering:
- Logic errors
- Race conditions
- Data precision
- Privacy leaks
- Database atomicity
Fix each item, add tests or manual verification steps, and explain the changes in your Pull Request.
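The following is an added example, not the repository's own code, showing the shape a hardened transfer core for these three endpoints can take across the five bug classes above: amounts parsed into integer cents (data precision), one validated path for every transfer rule (logic errors), a debit whose balance check cannot be separated from the write (race condition, atomicity), and a history read restricted to its owner (privacy). The in-memory Ledger, the names parseAmountToCents, handleTransfer and MAX_CENTS, and the status codes are this example's own assumptions; the MongoDB findOneAndUpdate pattern in the comments is a suggested technique, not something the README prescribes.

```javascript
// Added example, not the project's own code. The in-memory Ledger stands in
// for MongoDB (an assumption of this example); the comments note the
// equivalent MongoDB operation where it matters.

// --- Data precision: store integer cents, never floating-point dollars ---
const MAX_CENTS = 100000000; // constructed limit: $1,000,000.00 per transfer

// Accept a number or decimal string with at most two decimal places and return
// integer cents, or null for anything that is not a valid positive amount.
function parseAmountToCents(raw) {
  if (typeof raw !== 'number' && typeof raw !== 'string') return null;
  const text = String(raw).trim();
  // The pattern rejects negatives, exponents ("1e3"), NaN/Infinity and sub-cent
  // values such as 0.001, so no float arithmetic ever touches the amount.
  if (!/^\d+(\.\d{1,2})?$/.test(text)) return null;
  const [whole, frac = ''] = text.split('.');
  const cents = Number(whole) * 100 + Number(frac.padEnd(2, '0'));
  if (!Number.isSafeInteger(cents) || cents <= 0 || cents > MAX_CENTS) return null;
  return cents;
}

function formatCents(cents) {
  return `$${Math.floor(cents / 100)}.${String(cents % 100).padStart(2, '0')}`;
}

class Ledger {
  constructor(balancesInCents) {
    this.balances = new Map(Object.entries(balancesInCents)); // userId -> cents
    this.entries = []; // append-only transaction log
  }

  balanceOf(userId) {
    return this.balances.get(userId);
  }

  // Logic errors, race condition, atomicity: every rule is checked here, and the
  // balance check and the debit happen in one step. In this synchronous store
  // nothing can interleave between them; with MongoDB the same guarantee comes
  // from folding the check into the update filter, e.g.
  //   findOneAndUpdate({ _id: fromId, balanceCents: { $gte: cents } },
  //                    { $inc: { balanceCents: -cents } }, { session })
  // and running debit, credit and log write inside one session transaction.
  transfer(fromId, toId, rawAmount) {
    const cents = parseAmountToCents(rawAmount);
    if (cents === null) return { ok: false, error: 'invalid amount' };
    if (fromId === toId) return { ok: false, error: 'cannot transfer to self' };
    if (!this.balances.has(fromId) || !this.balances.has(toId)) {
      return { ok: false, error: 'unknown user' };
    }
    const fromBalance = this.balances.get(fromId);
    if (fromBalance < cents) return { ok: false, error: 'insufficient funds' };
    this.balances.set(fromId, fromBalance - cents);
    this.balances.set(toId, this.balances.get(toId) + cents);
    this.entries.push({ from: fromId, to: toId, cents });
    return { ok: true, cents };
  }

  // Privacy: only the owner may read a history, and each entry exposes the
  // counterparty id and amount, never the counterparty's balance.
  historyFor(requesterId, targetId) {
    if (requesterId !== targetId) return { ok: false, status: 403, error: 'forbidden' };
    const entries = this.entries
      .filter((e) => e.from === targetId || e.to === targetId)
      .map((e) => ({
        direction: e.from === targetId ? 'out' : 'in',
        counterparty: e.from === targetId ? e.to : e.from,
        amount: formatCents(e.cents),
      }));
    return { ok: true, status: 200, entries };
  }
}

// Shape of the POST /api/wallet/transfer handler: the acting user comes from the
// x-user-id header used by the exercise, the recipient and amount from the body.
// It takes a plain { headers, body } object so it runs without Express.
function handleTransfer(ledger, req) {
  const fromId = req.headers['x-user-id'];
  if (typeof fromId !== 'string' || fromId === '') {
    return { status: 401, body: { error: 'unauthenticated' } };
  }
  const { toUserId, amount } = req.body || {};
  if (typeof toUserId !== 'string') return { status: 400, body: { error: 'toUserId required' } };
  const result = ledger.transfer(fromId, toUserId, amount);
  if (!result.ok) return { status: 400, body: { error: result.error } };
  return {
    status: 200,
    body: { transferred: formatCents(result.cents), balance: formatCents(ledger.balanceOf(fromId)) },
  };
}

// Demo with the README's balances: Alice $100, Bob $50, Mallory $0.
const demo = new Ledger({ alice: 10000, bob: 5000, mallory: 0 });
console.log(handleTransfer(demo, { headers: { 'x-user-id': 'alice' }, body: { toUserId: 'bob', amount: 50 } }));
console.log(handleTransfer(demo, { headers: { 'x-user-id': 'mallory' }, body: { toUserId: 'alice', amount: 1 } }));
console.log(demo.historyFor('alice', 'alice'));
```

A useful manual verification step for the race-condition item, once the real handler uses the conditional update and a session transaction, is to fire two concurrent transfers from Alice that together exceed her balance and confirm that exactly one succeeds and the two balances still sum to the setup total.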
- Fork this repository.
- Fix the vulnerabilities listed in issue.md.
- Submit a Pull Request (PR) with your fixes and an explanation of how each issue was resolved (for example: "Fixed race condition using MongoDB transactions").
Good luck!