fix: prevent race condition in bounty claim with atomic status check (#24)

FuturMix · claude · web-flow · commit d5eec9ebecab · 2026-06-15T08:14:51.000-07:00
The bounty claim handler uses a SELECT to check status, then a separate
UPDATE to set it. Two concurrent requests can both pass the status check
and claim the same bounty, potentially triggering duplicate payouts.

Add a WHERE status IN ('open', 'funded') clause to the UPDATE so only
the first concurrent claim succeeds at the database level, and verify
the claimer_did after the UPDATE to detect and reject losing races.

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/web/app/api/bounties/[id]/claim/route.ts b/apps/web/app/api/bounties/[id]/claim/route.ts
@@ -30,14 +30,20 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
   const coupons = await db.sql`SELECT * FROM coupons WHERE id = ${coupon_id}`;
   if (!coupons.length) return NextResponse.json({ error: 'Coupon not found' }, { status: 404 });
 
-  // Mark bounty as claimed
+  // Mark bounty as claimed — atomic WHERE prevents race conditions
   await db.sql`
     UPDATE bounties
     SET status = 'claimed', coupon_id = ${coupon_id}, claimer_did = ${did},
         updated_at = ${new Date().toISOString()}
-    WHERE id = ${bountyId}
+    WHERE id = ${bountyId} AND status IN ('open', 'funded')
   `;
 
+  // Verify the claim succeeded (handles concurrent claim race)
+  const verify = await db.sql`SELECT claimer_did FROM bounties WHERE id = ${bountyId}`;
+  if (verify.length && verify[0].claimer_did !== did) {
+    return NextResponse.json({ error: 'Bounty was already claimed by another user' }, { status: 409 });
+  }
+
   // Attempt payout to claimer via web wallet
   // Docs: POST /api/web-wallet/:id/prepare-tx then /broadcast
   let payoutOk = false;
