Free Wallet TopUps

1 year ago 37

Muhammad Abdullah

I found this interesting bug while testing a private program. I was able to top up my wallet with as much balance as I wanted and then use the credit to buy items on the platform.

I will be using XYZ as the company name here. XYZ allows users to top up their wallets via debit card and PayPal. Users also have the option to withdraw their balance to a bank account or PayPal. To withdraw funds, a POST request is made as follows, with the amount to be withdrawn and the PayPal email to withdraw to.

If a negative amount is sent in the request, that amount is added to our wallet and can be spent on the platform.

1. Send a POST request with a negative amount to withdraw.

2. The requested amount is added to the withdrawal queue and marked as frozen.

3. The same amount is also added to the withdrawable balance, since an amount has to be in withdrawable before it can be frozen. Hence we are able to use the balance.

There should be a check that rejects negative withdrawal amounts, given the logic applied on the site. The devs applied the same fix.
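The missing check, sketched as an added example (not code from the original post or from XYZ): a ledger that moves funds from withdrawable to frozen without checking the sign, next to a version that validates the amount server-side first. The `Wallet` model, the function names, and the two-decimal rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation


@dataclass
class Wallet:  # hypothetical model, not XYZ's schema
    withdrawable: Decimal = Decimal("0")
    frozen: Decimal = Decimal("0")             # held for pending withdrawals
    queue: list = field(default_factory=list)  # pending withdrawal requests


def withdraw_unchecked(wallet, raw_amount, paypal_email):
    """Assumed shape of the flawed logic: the amount's sign is never checked."""
    amount = Decimal(raw_amount)
    wallet.withdrawable -= amount  # subtracting a negative amount adds balance
    wallet.frozen += amount
    wallet.queue.append((amount, paypal_email))


def parse_withdrawal_amount(raw_amount, withdrawable):
    """Return a validated Decimal amount, or raise ValueError."""
    try:
        amount = Decimal(str(raw_amount))
    except InvalidOperation:
        raise ValueError("amount is not a number")
    if not amount.is_finite():  # rejects NaN and +/-Infinity
        raise ValueError("amount must be finite")
    if amount <= 0:
        raise ValueError("amount must be greater than zero")
    if amount > withdrawable:
        raise ValueError("amount exceeds withdrawable balance")
    if amount != amount.quantize(Decimal("0.01")):
        raise ValueError("amount has more than two decimal places")
    return amount


def withdraw_checked(wallet, raw_amount, paypal_email):
    """Same ledger movement, performed only after validation passes."""
    amount = parse_withdrawal_amount(raw_amount, wallet.withdrawable)
    wallet.withdrawable -= amount
    wallet.frozen += amount
    wallet.queue.append((amount, paypal_email))
```

A negative `frozen` balance or a negative entry in the withdrawal queue is also a useful invariant to alert on, since neither should occur in normal operation.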

The team fixed the issue and a bounty was awarded.

Bounty Awarded: 1000$
