Cumulative Balance Check

Easy+50 XPA04:2021 Insecure DesignCWE-840

Business LogicBalance Check

Scenario

Your banking service processes withdrawals via withdraw(accountId, amount, currentBalance).

The current implementation performs no balance check — an attacker can withdraw more than their available balance, driving the account into a negative state and potentially extracting funds that don't exist.

This is a classic business logic flaw equivalent to an overdraft without an overdraft facility.

Missing balance checks in financial applications can cause real monetary losses. Race conditions can compound the problem when multiple withdrawal requests are processed concurrently.

Your Tasks

Throw 'Invalid amount' if amount is less than or equal to zero.
Throw 'Insufficient funds' if amount is greater than currentBalance.
Return { newBalance: currentBalance - amount } for valid withdrawals.

Examples

Example 1 — Overdraft exploit (bug)

withdraw('acc-1', 200, 100)
// returns { newBalance: -100 } — negative balance!

Example 2 — Blocked (fix)

withdraw('acc-1', 200, 100)
// throws Error('Insufficient funds')

Constraints

›Validate zero/negative before checking balance sufficiency.
›A withdrawal equal to the full balance is valid (empties the account to zero).
›Do not modify the function signature.

Hint

References

https://owasp.org/www-project-top-ten/2021/A04_2021-Insecure_Design https://cheatsheetseries.owasp.org/cheatsheets/Business_Logic_Security_Cheat_Sheet.html https://cwe.mitre.org/data/definitions/840.html

solution.js

Ln 1, Col 1│UTF-8│JavaScript

Sandbox ready

0/0/0not run