| name | sc-race-condition |
| description | Race condition and TOCTOU detection — database races, file system races, double-spend, and atomicity failures |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
SC: Race Conditions / TOCTOU
Purpose
Detects race condition vulnerabilities where concurrent operations on shared state lead to inconsistent or exploitable behavior. Covers database read-modify-write races, file system time-of-check-to-time-of-use (TOCTOU), double-spend attacks, counter increment without atomicity, missing database transactions, and concurrent request exploitation.
Activation
Called by sc-orchestrator during Phase 2. Runs against all applications with concurrent processing.
Phase 1: Discovery
Keyword Patterns to Search
"balance", "counter", "inventory", "stock", "quantity",
"increment", "decrement", "transfer", "withdraw",
"transaction", "BEGIN", "COMMIT", "ROLLBACK",
"Lock", "Mutex", "synchronized", "atomic",
"SELECT.*FOR UPDATE", "SERIALIZABLE"
Vulnerability Patterns
1. Database Read-Modify-Write Without Lock:
def withdraw(user_id, amount):
user = User.objects.get(id=user_id)
if user.balance >= amount:
user.balance -= amount
user.save()
from django.db import transaction
from django.db.models import F
def withdraw(user_id, amount):
with transaction.atomic():
user = User.objects.select_for_update().get(id=user_id)
if user.balance >= amount:
user.balance = F('balance') - amount
user.save()
2. Non-Atomic Counter:
app.post('/like/:postId', async (req, res) => {
const post = await Post.findById(req.params.postId);
post.likes += 1;
await post.save();
});
app.post('/like/:postId', async (req, res) => {
await Post.findByIdAndUpdate(req.params.postId, { $inc: { likes: 1 } });
});
3. File System TOCTOU:
if _, err := os.Stat(filepath); err == nil {
data, _ := os.ReadFile(filepath)
}
data, err := os.ReadFile(filepath)
if err != nil { }
4. Coupon Double-Use:
def apply_coupon(coupon_code, order_id):
coupon = Coupon.objects.get(code=coupon_code)
if not coupon.used:
apply_discount(order_id, coupon.discount)
coupon.used = True
coupon.save()
def apply_coupon(coupon_code, order_id):
with transaction.atomic():
updated = Coupon.objects.filter(
code=coupon_code, used=False
).update(used=True)
if updated == 1:
apply_discount(order_id, coupon.discount)
Severity Classification
- Critical: Financial double-spend, balance manipulation through race conditions
- High: Inventory overselling, coupon double-use, privilege escalation via race
- Medium: Counter manipulation, file system TOCTOU in non-critical paths
- Low: Race conditions in logging, analytics, or non-critical counters
Output Format
Finding: RACE-{NNN}
- Title: {Race condition type} in {function}
- Severity: Critical | High | Medium | Low
- Confidence: 0-100
- File: file/path:line
- Vulnerability Type: CWE-362 (Race Condition) | CWE-367 (TOCTOU)
- Description: {Read-modify-write on shared state without atomicity/locking}
- Impact: {Financial loss, data inconsistency, double-spending}
- Remediation: Use database transactions with SELECT FOR UPDATE, atomic operations, or mutex locks.
- References: https://cwe.mitre.org/data/definitions/362.html
Common False Positives
- Read-only operations — concurrent reads don't cause race conditions
- Idempotent operations — operations that produce the same result regardless of repetition
- Single-instance applications — no concurrent processing (but still risky under load)
- Database-level constraints — unique constraints preventing double-insertion