My webinar blew past the 50 cap with 54 signups: affiliate coupon daily count TOCTOU (KK, PR #534)
Pieter De Vos, 38, runs DV Hospitality from Saint-Gilles in Brussels: a nine-year-old hospitality marketing consultancy serving mid-tier restaurants, brasseries and small hotel groups across Belgium, the Netherlands and Luxembourg, mostly through their post-COVID transition to QR menus, table-side ordering, loyalty programmes and social media. He has referred 167 restaurants across 14 countries to thMenu and earned €18,400 in lifetime affiliate commission.

His strategy is webinar-based: a free monthly 90-minute live session, "Hospitality Operations Benelux 2026", promoted on LinkedIn, on Instagram and to his 2,400 newsletter subscribers. A typical session draws 80-120 attendees and produces 25-40 thMenu Pro signups with his coupon code DEVOS15.

In early May 2026 he ran a triple-city series: Tuesday in Antwerp, Thursday in Ghent, Saturday in Brussels. Antwerp overperformed (the brasserie scene turned out in force), and the next morning his dashboard showed 52 signups rather than the usual 30. thMenu's affiliate programme has an anti-spam rule of 50 coupon signups per affiliate per day, and the dashboard said exactly that, "Daily cap 50", right next to 52 DEVOS15 signups for Tuesday. Two days later Ghent showed the same pattern: 54 signups against a cap of 50.

Pieter worked through three theories. Theory 1, attribution is wrong: no, all 52 and all 54 rows carried affiliate_code='DEVOS15' explicitly and were correctly attributed. Theory 2, the real cap is 55: no, support verified the backend config at 50, so these were genuine exceedances. Theory 3, a competing affiliate spamming signups to sabotage him: no, every timestamp fell inside the 3-hour live webinar window, the country distribution was a realistic Belgium/Netherlands/Luxembourg mix, the restaurant_names were unique and the restaurant_ids sequential. These were real signups from real attendees.

Engineering had the honest answer within 30 minutes, and Pieter had spotted it correctly: webinars produce parallel signup bursts, multiple signups within seconds of each other, and the old coupon-cap check could not catch the race. The old pattern, in outline:

    // 1. count today's claims for this affiliate
    const row = await sql`SELECT COUNT(*) AS c FROM coupon_claims
                          WHERE affiliate_id = ${affiliateId}
                            AND DATE(claimed_at) = CURRENT_DATE`;
    // 2. decide on the stale count
    if (row.c >= 50) return { error: 'daily_cap_reached' };
    // 3. insert the claim (columns elided as in the original)
    await sql`INSERT INTO coupon_claims (affiliate_id, claimed_at, ...) VALUES (...)`;

COUNT-then-INSERT is the classic TOCTOU anti-pattern, Database 101. Two parallel requests both run the COUNT, both see count = 49, both decide they are under the cap, both INSERT, and a cap of 50 becomes 51 rows. In general, N concurrent requests arriving at the boundary overrun the cap by N-1. A sweep of the codebase found the same anti-pattern in five places: affiliate coupon claims, promo codes, loyalty enrollment, reservation slots and waitlist joins.
A 90-day sweep of affiliate coupon claims found 47 cap-bypass instances across 23 affiliate accounts, most by +1 or +2, a few high-concurrency cases by +4 to +7. All of it was benign concurrent activity, but an anti-spam cap is either reliable or it means nothing: a motivated adversary running a bot that fires N parallel requests at second zero could use the same TOCTOU to inflate a cap of 50 to roughly 75-80.

PR #534 (KK) fixes it in three layers.

Layer 1 is a dedicated counter table, affiliate_coupon_daily_count (affiliate_id UUID, ymd TEXT, count INTEGER, updated_at TIMESTAMPTZ) with PRIMARY KEY (affiliate_id, ymd), added in migration 20260523000001, now applied.

Layer 2 is a new RPC, affiliate_coupon_claim_slot, built on an atomic upsert with the cap check in the WHERE clause and a RETURNING clause:

    INSERT … ON CONFLICT DO UPDATE SET count = count + 1 WHERE count < p_cap RETURNING count

If RETURNING yields a row, the slot is claimed; if it yields no row, the cap is reached and the slot is refused. It is a single statement, so it is atomic and the TOCTOU window does not exist.

Layer 3 is a companion RPC, affiliate_coupon_release_slot, which decrements the counter when a claim is invalidated (signup fraud detected, manual admin reject), plus a 60-day retention prune cron that deletes historical rows so the table does not grow unbounded.

The pattern is the same as the F1 cron_idempotency_claims atomic upsert with RETURNING in PR #575 (VV), its sibling: the canonical atomic UPSERT shape on both SQLite and Postgres. The promo code, loyalty enrollment, reservation slot and waitlist join instances are being fixed in separate PRs.

Production audit: a 90-day backfill covered the 47 cap-bypass overruns; affiliate balances were adjusted and the commission on over-cap signups, about €11.60 each, was removed. The 23 affected affiliates received an apology, 60 days of priority-1 support and a one-month Pro credit. For Pieter, the 2 extra Tuesday signups and 4 extra Thursday signups were kept (real restaurants, real Pro subscriptions, real payments); his commission was reduced by about €69.60, he received the 60-day priority-1 support and the one-month Pro credit, and his dashboard now has a real-time counter widget ("Today 28 of 50 used") so he can tell the live chat "only 22 spots left" during a webinar.

Asli Demirhan, 36, of Demirhan Hospitality in Lara, Antalya, with 12 years in tourism, 87 referrals across Antalya, Side and Belek and roughly ₺124k in lifetime commission, hit the same bug: her May 22 webinar produced 51 signups against the 50 cap, the same TOCTOU, fixed by the same PR #534 (KK), with the same 60-day priority-1 support.
The canonical fix for a COUNT-then-INSERT TOCTOU is a dedicated counter table plus an atomic upsert with RETURNING, in four parts:

(1) a dedicated counter table with (scope_id, ymd) as PRIMARY KEY and a count INTEGER column, one counter row per scope per day;
(2) an atomic UPSERT, INSERT ... ON CONFLICT DO UPDATE ... WHERE count < cap RETURNING, a single statement in which the TOCTOU is impossible;
(3) a release/decrement RPC for claim invalidation;
(4) a 60-day retention prune cron so the counter table does not grow unbounded.

Like the CLAUDE.md §17 rule that probe loops are O(N) DoS amplifiers, the atomic counter with RETURNING is recorded as a canonical pattern, with PR #534 as the reference.
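As an added example (not code from PR #534 or from thMenu), here is the Layer 2 claim and Layer 3 release shape in Python on SQLite, which shares the ON CONFLICT DO UPDATE ... WHERE ... RETURNING syntax with Postgres; the table name, the 50 cap and the DEVOS15 / 2026-05-05 sample values come from the post, the function names and the zero-cap guard are assumptions.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema mirroring the counter table described in the post: one row
# per affiliate per day, keyed on (affiliate_id, ymd). SQLite stands in for
# Postgres here; the upsert shape is identical (SQLite >= 3.35 for RETURNING).
SCHEMA = """
CREATE TABLE affiliate_coupon_daily_count (
    affiliate_id TEXT    NOT NULL,
    ymd          TEXT    NOT NULL,
    count        INTEGER NOT NULL,
    updated_at   TEXT    NOT NULL,
    PRIMARY KEY (affiliate_id, ymd)
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def claim_slot(conn, affiliate_id, ymd, cap):
    """Take one slot atomically. Returns the new count, or None if the cap is hit.
    Check (WHERE count < cap) and increment are one statement, so two concurrent
    callers can never both observe 49 and both succeed."""
    if cap < 1:  # the first INSERT is unconditional, so a zero cap needs a guard
        return None
    now = datetime.now(timezone.utc).isoformat()
    row = conn.execute(
        """INSERT INTO affiliate_coupon_daily_count (affiliate_id, ymd, count, updated_at)
           VALUES (?, ?, 1, ?)
           ON CONFLICT (affiliate_id, ymd) DO UPDATE
               SET count = count + 1, updated_at = excluded.updated_at
               WHERE count < ?
           RETURNING count""",
        (affiliate_id, ymd, now, cap),
    ).fetchone()
    conn.commit()
    return row[0] if row else None  # no row: the WHERE failed, slot refused

def release_slot(conn, affiliate_id, ymd):
    """Hand a slot back when a claim is invalidated (fraud, admin reject)."""
    row = conn.execute(
        """UPDATE affiliate_coupon_daily_count SET count = count - 1
           WHERE affiliate_id = ? AND ymd = ? AND count > 0
           RETURNING count""",
        (affiliate_id, ymd),
    ).fetchone()
    conn.commit()
    return row[0] if row else None

def simulate_burst(n_requests, cap, affiliate_id="DEVOS15", ymd="2026-05-05"):
    """Replay a webinar signup burst on a fresh table; returns (accepted, refused)."""
    conn = open_db()
    results = [claim_slot(conn, affiliate_id, ymd, cap) for _ in range(n_requests)]
    accepted = sum(r is not None for r in results)
    return accepted, n_requests - accepted
```

Replaying Pieter's Tuesday burst of 52 requests against a cap of 50 accepts exactly 50 and refuses 2, whatever the interleaving, because the cap decision is made by the database inside the single upsert.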
thMenu Team
thmenu.com