Security Finding — CRITICAL
CWE: CWE-367 (Time-of-check Time-of-use Race Condition)
Location: src/agent/tools.ts — transfer_credits tool (~line 847)
Description
The balance check and subsequent transfer are not atomic. Between the two operations, the balance could decrease due to concurrent transfers or inference costs.
Exploit Scenario
T1: balance = $100, amount = $40 → passes guard (40 < 50) ✓
T2: balance = $100, amount = $40 → passes guard (40 < 50) ✓
T1: transfers $40 → balance now $60
T2: transfers $40 → balance now $20 (violates the 50% limit!)
Fix
Add a per-agent transfer mutex to serialize balance-check-and-transfer operations. Server-side atomic transfers would be the ideal long-term fix.
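Added example (not the project's own code) that models the non-atomic check-then-transfer shape described above beside the per-agent mutex fix, and replays the two-concurrent-$40-transfers scenario against both; Ledger, transferUnsafe, transferSafe, withAgentLock and runScenario are assumed names, and the ledger values are constructed.

```typescript
type Ledger = { balances: Map<string, number> };

// Simulated server round-trip; the await is what lets a second call interleave.
const roundTrip = () => new Promise<void>((r) => setTimeout(() => r(), 0));

async function fetchBalance(ledger: Ledger, agent: string): Promise<number> {
  await roundTrip();
  return ledger.balances.get(agent) ?? 0;
}

// Vulnerable shape (CWE-367): the 50% guard and the debit are two separate steps,
// and the balance can change between them.
async function transferUnsafe(ledger: Ledger, from: string, to: string, amount: number): Promise<boolean> {
  const balance = await fetchBalance(ledger, from);
  if (amount > balance * 0.5) return false;   // time-of-check: 50% limit guard
  await roundTrip();                           // window in which a concurrent transfer can land
  ledger.balances.set(from, (ledger.balances.get(from) ?? 0) - amount); // time-of-use
  ledger.balances.set(to, (ledger.balances.get(to) ?? 0) + amount);
  return true;
}

// Fix: a per-agent mutex built as a promise chain, so each check-and-transfer
// for the same agent starts only after the previous one has settled.
const agentLocks = new Map<string, Promise<void>>();
function withAgentLock<T>(agent: string, task: () => Promise<T>): Promise<T> {
  const previous = agentLocks.get(agent) ?? Promise.resolve();
  const current = previous.then(task);
  agentLocks.set(agent, current.then(() => undefined, () => undefined));
  return current;
}

function transferSafe(ledger: Ledger, from: string, to: string, amount: number): Promise<boolean> {
  return withAgentLock(from, () => transferUnsafe(ledger, from, to, amount));
}

// Replays the finding's scenario: two concurrent $40 transfers from a $100 balance.
// Returns the sender's final balance and how many transfers were accepted.
async function runScenario(serialized: boolean): Promise<{ balance: number; accepted: number }> {
  const ledger: Ledger = { balances: new Map([["agent", 100], ["peer", 0]]) }; // constructed sample
  const transfer = serialized ? transferSafe : transferUnsafe;
  const results = await Promise.all([
    transfer(ledger, "agent", "peer", 40),
    transfer(ledger, "agent", "peer", 40),
  ]);
  return { balance: ledger.balances.get("agent") ?? 0, accepted: results.filter(Boolean).length };
}
```

Without the lock both transfers pass the guard and the balance ends at $20; with the lock the second transfer sees $60 and is rejected, leaving $60.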
PR: #171