Hacker News

Let's not suggest this is just a race condition. Sure, it's a race condition, but what's the maximum damage you can do? c * your current balance, where c is a low number (10 is a very optimistic guess), since at some point the race concludes and you can't exploit it further.

But apparently they didn't even check or put a proper constraint into the database that your balance should be positive (and if you do find a negative balance, shut the system and investigate). Now that's not a "pretty stupid race condition", it's reckless.
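The database-level backstop discussed in the comment above, as an added example that is not part of the original comment or of any system it refers to. It assumes a hypothetical `accounts` table in SQLite, constructed sample data, and a race simulated deterministically by performing every balance read before any write.

```python
import sqlite3

def make_db(with_check: bool) -> sqlite3.Connection:
    """In-memory ledger with one account holding 100 units (constructed data)."""
    conn = sqlite3.connect(":memory:")
    check = "CHECK (balance >= 0)" if with_check else ""
    conn.execute("CREATE TABLE accounts ("
                 f"id INTEGER PRIMARY KEY, balance INTEGER NOT NULL {check})")
    conn.execute("INSERT INTO accounts (id, balance) VALUES (1, 100)")
    conn.commit()
    return conn

def balance(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()[0]

def racy_withdrawals(conn, requests: int, amount: int):
    """Check-then-act: each request validates against a stale read, then debits.
    Returns (accepted, rejected_by_database)."""
    stale = [balance(conn) for _ in range(requests)]  # all reads happen first
    accepted = rejected = 0
    for seen in stale:
        if seen < amount:  # application-level check, made on stale data
            continue
        try:
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = 1",
                         (amount,))
            conn.commit()
            accepted += 1
        except sqlite3.IntegrityError:  # CHECK refused a negative balance
            conn.rollback()
            rejected += 1  # the event worth alerting on and investigating
    return accepted, rejected

def atomic_withdrawals(conn, requests: int, amount: int) -> int:
    """Check and debit in one statement, leaving no stale read to race on."""
    accepted = 0
    for _ in range(requests):
        cur = conn.execute(
            "UPDATE accounts SET balance = balance - ? "
            "WHERE id = 1 AND balance >= ?", (amount, amount))
        conn.commit()
        accepted += cur.rowcount  # 1 if the debit applied, 0 if refused
    return accepted
```
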


