Cashyloot Vault Exploit: Race Condition Allowed Unlimited Point Minting, Now Patched
A critical race condition in the Cashyloot.com platform allowed users to mint hundreds of loyalty points from a budget of just 100, draining the system's virtual vault. The vulnerability, classified as a HIGH-severity TOCTOU (Time-of-Check to Time-of-Use) flaw, was in the logic for opening a user's reward vault. The flawed code would read a user's current balance, perform an application-level check, and then execute the point deduction and minting in a database transaction. This created a window where multiple concurrent requests with the same starting balance could all pass the initial check and all commit successfully.
Internal testing by the development team reproduced the exploit: 10 parallel requests targeting a user account with a 100-point budget resulted in all 10 vault openings succeeding. The final user balance was recorded as -210 points, while 690 points were illicitly minted from the original 100-point allocation. The security fix, deployed in PR #64, replaces the read-check-write sequence with a single conditional database operation. It uses an `updateMany` command with a `balance: { gte: cost }` filter inside an interactive transaction, relying on PostgreSQL's default READ COMMITTED isolation, under which the conditional UPDATE takes a row-level lock and re-evaluates its filter against the latest committed balance, so at most as many requests succeed as the balance actually covers and concurrent over-spending is prevented.
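The two patterns described above, as an added illustration that is not code from the Cashyloot platform or from PR #64: an in-memory store stands in for the users table and a Prisma client, its `updateMany` models the single conditional UPDATE the fix relies on, and the per-opening cost (31) and reward (69) are assumptions chosen so that 10 concurrent openings of a 100-point account reproduce the figures quoted in the article.

```javascript
// Added example, not the platform's code. Models the vault race with an in-memory
// store; every identifier here is an assumption. COST and REWARD are chosen so that
// 10 concurrent openings reproduce the figures in the article (-210 balance, 690 minted).
const COST = 31;    // points deducted per vault opening (assumed)
const REWARD = 69;  // points minted per vault opening (assumed)

// Minimal async store. Each method yields to the event loop once, which is enough for
// concurrently started requests to interleave between a read and a later write, just as
// network round-trips to a real database would.
class Store {
  constructor() { this.users = new Map(); this.minted = 0; }
  seed(id, balance) { this.users.set(id, { id, balance }); this.minted = 0; }
  async findUnique(id) {
    await null; // yield: the row is copied only after every pending request has queued
    return { ...this.users.get(id) };
  }
  async update(id, delta) {
    await null;
    this.users.get(id).balance += delta;
  }
  // Conditional update: the check and the write happen in one step. Under PostgreSQL's
  // READ COMMITTED an `UPDATE ... WHERE id = $1 AND balance >= $2` takes the row lock and
  // re-evaluates the predicate on the latest committed version, so competing requests
  // are serialized on the real balance. Returns { count } like Prisma's updateMany.
  async updateMany(id, minBalance, delta) {
    await null;
    const row = this.users.get(id);
    if (row.balance < minBalance) return { count: 0 };
    row.balance += delta;
    return { count: 1 };
  }
  async mint(points) { await null; this.minted += points; }
}

// Vulnerable pattern (TOCTOU): read, check in application code, then write.
async function openVaultUnsafe(db, userId) {
  const user = await db.findUnique(userId);
  if (user.balance < COST) return false;   // check against a possibly stale snapshot
  await db.update(userId, -COST);          // use: every request that passed the check writes
  await db.mint(REWARD);
  return true;
}

// Fixed pattern: one conditional update; count 0 means the balance was insufficient
// by the time this request acquired the row, so nothing is minted.
async function openVaultSafe(db, userId) {
  const { count } = await db.updateMany(userId, COST, -COST);
  if (count === 0) return false;
  await db.mint(REWARD);
  return true;
}

// Fire `n` requests at once against a fresh 100-point account and report the outcome.
async function simulate(openVault, n = 10) {
  const db = new Store();
  db.seed('u1', 100);
  const results = await Promise.all(Array.from({ length: n }, () => openVault(db, 'u1')));
  return {
    succeeded: results.filter(Boolean).length,
    balance: db.users.get('u1').balance,
    minted: db.minted,
  };
}

// Stand-alone run: the unsafe model yields 10 successes, balance -210, 690 minted;
// the safe model yields 3 successes, balance 7, 207 minted.
Promise.all([simulate(openVaultUnsafe), simulate(openVaultSafe)]).then(([unsafe, safe]) => {
  console.log('check-then-act:      ', unsafe);
  console.log('conditional update:  ', safe);
});
```

The detail that matters in the fixed path is the returned count: a conditional update that matches zero rows does not fail on its own, so the caller must treat `count === 0` as a failed opening (and, inside the real transaction, abort so the mint is rolled back) rather than proceeding as if the deduction happened.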
The patch is part of a broader production release that includes this and another critical security fix, alongside the resolution of four Snyk security findings via dependency updates. The fixes have been merged and are set for auto-deployment to the live cashyloot.com site, closing a significant financial integrity hole in the platform's reward economy.