Bug: Concurrent Refund Requests Can Exceed Payment Amount

# Concurrent Refund Requests Can Exceed Payment Amount (Financial Loss)

## Describe the bug

**A critical race condition vulnerability allows concurrent refund requests to refund more money than the original payment amount, resulting in direct financial loss to event organizers.**

When two refund requests are processed simultaneously for the same payment, both can pass validation and create refunds that together exceed the payment amount.

![Image](https://github.com/user-attachments/assets/7ec263e2-dbf7-48f7-8e66-1bc3b474ba3e)

![Image](https://github.com/user-attachments/assets/09e5a7b0-25fc-4761-8d41-3f1d19acb96d)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bug: Concurrent Refund Requests Can Exceed Payment Amount #1405

Concurrent Refund Requests Can Exceed Payment Amount (Financial Loss)

Describe the bug

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Bug: Concurrent Refund Requests Can Exceed Payment Amount #1405

Description

Concurrent Refund Requests Can Exceed Payment Amount (Financial Loss)

Describe the bug

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions