A study of race-condition vulnerabilities in code generated by 10 major LLMs across 50 generation attempts. Every model produced the vulnerable check-call-deduct pattern, which lets users overdraw credits via concurrent API requests (a TOCTOU attack). While the models can identify these vulnerabilities when asked to audit code, they fail to generate secure implementations without explicit prompting, despite having that knowledge embedded in their training data.
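The check-call-deduct pattern can be sketched as follows. This is a minimal illustration, not code from the study: the in-memory balance store, handler name, and the barrier standing in for upstream-call latency are all hypothetical. Note that the deduction itself is lock-protected here; the flaw is not the write but the gap between the check and the deduct.

```python
import threading

# Hypothetical in-memory credit store (illustrative, not from the study)
balances = {"user_1": 10}
calls_made = []
deduct_lock = threading.Lock()

COST = 10
N_REQUESTS = 5
# Barrier simulates the latency window of the upstream model call:
# every request passes the balance check before any request deducts.
barrier = threading.Barrier(N_REQUESTS)

def handle_request(user):
    # 1. CHECK: read the balance (time-of-check)
    if balances[user] >= COST:
        barrier.wait()  # stand-in for the slow upstream API call
        # 2. CALL: the expensive model invocation would happen here
        calls_made.append(user)
        # 3. DEDUCT: write happens only after the call (time-of-use).
        # Locking the write alone does NOT close the TOCTOU gap.
        with deduct_lock:
            balances[user] -= COST

threads = [threading.Thread(target=handle_request, args=("user_1",))
           for _ in range(N_REQUESTS)]
for t in threads: t.start()
for t in threads: t.join()

print(len(calls_made))     # 5 calls served from a balance that covered 1
print(balances["user_1"])  # -40: overdrawn by four requests
```

With a balance covering one call, five concurrent requests all pass the check before any deduction lands, so all five are served and the balance goes negative.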
LLMs consistently generate TOCTOU race conditions in credit-gated AI APIs, allowing users to bypass balance checks through concurrent requests. The vulnerable pattern appeared in 100% of tested code-generation attempts, yet the same models correctly identified it 98% of the time during security audits. The vulnerability exploits the time gap between balance verification and API-call completion, enabling denial-of-wallet attacks with minimal attacker sophistication.
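One way to close the gap (a sketch under the same hypothetical in-memory setup as above, not the study's prescribed fix) is to make the check and the deduction a single atomic step, reserving credits *before* the expensive call rather than after it:

```python
import threading

# Hypothetical in-memory credit store (illustrative only)
balances = {"user_1": 10}
calls_made = []
lock = threading.Lock()
COST = 10

def handle_request(user):
    # Check AND deduct under one lock: there is no window between
    # verifying the balance and reserving the credits.
    with lock:
        if balances[user] < COST:
            return False          # rejected: insufficient credits
        balances[user] -= COST    # reserve up front
    # The slow upstream API call runs outside the lock.
    calls_made.append(user)
    return True

threads = [threading.Thread(target=handle_request, args=("user_1",))
           for _ in range(5)]
for t in threads: t.start()
for t in threads: t.join()

print(len(calls_made))     # exactly 1 call served
print(balances["user_1"])  # 0: no overdraft
```

In a real service backed by a database, the same idea is typically expressed as a conditional atomic update (e.g. `UPDATE ... SET balance = balance - cost WHERE balance >= cost`), with a refund path if the upstream call fails after credits were reserved.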