from Hacker News

Weak isolation levels allowed to steal BTC using plain SQL

by eivanov89 on 7/3/24, 1:28 PM with 5 comments

  • by eatonphil on 7/3/24, 2:22 PM

    I love the reference to the ACIDRain paper in there.

    > They analyzed “12 popular self-hosted eCommenrce applications written in four languages and deployed on over 2M websites” and identified and verified “22 critical ACIDRain attacks that allow attackers to corrupt store inventory, over-spend gift cards, and steal inventory”. According to the paper, “Of the 22 vulnerabilities, five were level-based, meaning that the default weak isolation level led to the anomalies behind the vulnerabilities.

    http://www.bailis.org/papers/acidrain-sigmod2017.pdf

  • by PreInternet01 on 7/3/24, 2:25 PM

    The submitted title deviates from that of the linked post ("Do we fear the serializable isolation level more than we fear subtle bugs?") and, having read the source, I'm not even sure if it's even close to accurate...