Problem
The wallet transfer endpoint is vulnerable to a race condition that enables a classic double-spend attack.
If two concurrent transfer requests are submitted at the same moment, both may read the same initial balance and incorrectly assume sufficient funds, allowing a user to spend more money than they actually have.
Points: 50
Steps to Reproduce
- Alice has a balance of $100.
- Alice triggers two simultaneous transfer requests (e.g., via parallel curl, Postman runner, or a script):
  {
    "to": "Bob_ID",
    "amount": 100
  }
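
The read-then-write pattern described under Problem, next to an atomic fix, as an added example (not the application's own code). The SQLite schema and all function names are assumptions, and the two concurrent requests are replayed as a fixed interleaving so the outcome is deterministic.

```python
import sqlite3

def new_db():
    # Constructed sample state from the report: Alice holds 100, Bob_ID holds 0.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wallets (owner TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.executemany("INSERT INTO wallets VALUES (?, ?)", [("Alice", 100), ("Bob_ID", 0)])
    db.commit()
    return db

def balances(db):
    return dict(db.execute("SELECT owner, balance FROM wallets"))

# Vulnerable pattern: the balance check and the write are separate steps.
def read_and_check(db, sender, amount):
    (balance,) = db.execute(
        "SELECT balance FROM wallets WHERE owner = ?", (sender,)).fetchone()
    return balance if balance >= amount else None

def apply_transfer(db, sender, to, amount, seen_balance):
    # The new balance is derived from the earlier (possibly stale) read.
    db.execute("UPDATE wallets SET balance = ? WHERE owner = ?",
               (seen_balance - amount, sender))
    db.execute("UPDATE wallets SET balance = balance + ? WHERE owner = ?", (amount, to))
    db.commit()

def racy_double_request(db, sender, to, amount):
    # Interleaving the race produces: both requests check before either writes.
    seen = [read_and_check(db, sender, amount) for _ in range(2)]
    accepted = 0
    for stale in seen:
        if stale is not None:
            apply_transfer(db, sender, to, amount, stale)
            accepted += 1
    return accepted

# Hardened pattern: the funds check and the debit are one conditional UPDATE.
def safe_transfer(db, sender, to, amount):
    with db:  # single transaction: commit on success, roll back on exception
        cur = db.execute(
            "UPDATE wallets SET balance = balance - ? WHERE owner = ? AND balance >= ?",
            (amount, sender, amount))
        if cur.rowcount != 1:
            return False  # balance was insufficient at write time
        db.execute("UPDATE wallets SET balance = balance + ? WHERE owner = ?", (amount, to))
    return True
```

On a server database the same effect comes from the conditional `UPDATE` shown here or from locking the sender's row for the duration of the transaction; either way the check must happen at write time, not before it.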