Coder wrote a bug so bad security guards wanted a word when he arrived at work

Working for a startup is supposed to end with getting rich overnight, but not like this

Welcome once again to Who, Me? The Register's Monday morning feature in which we share tales of technological messes your fellow readers made, and escaped, to give you hope in case you err during the coming week.

This week's hero we'll Regomize as "Trey" because back in the first decade of this millennium he was working for one of the many startup telcos trying to cash in on 3G. (Sadly, he tells Who, Me? it was not one of the ones that succeeded.)

Trey worked on the platforms and services team, which created and maintained apps for internal users and customers. Among his responsibilities was working with external service providers, such as a payment provider, an identity services outfit, and a bulk SMS handler.

One day, Trey noticed the payments gateway misbehaving, so he wrote a piece of software that sent it a test transaction, checked it had worked, then repeated the process five minutes later.

Another experiment saw him write a demo app that automated payments, using SMS as prompts.

The app had its own syntax for commands. In theory, the message “Credit 5” would send that sum to an account, and so on.

Trey showed the automated payments application to the head of his department, who was well pleased – so pleased he asked for it to be deployed immediately.

Oh yeah, immediate deployment. That never goes wrong, right?

Wrong. It turns out Trey's little demo had exactly three bugs in it that had not been spotted in his limited testing.

The first bug was in the value of the test transactions. The value was expressed as a whole number followed by an exponent, with the amount being the whole number multiplied by ten to that power.

His intention was that the whole number would be 1 and the exponent -2, a combo that would generate a test transaction of $0.01. But the exponent had accidentally been set to 2 – so each transaction was worth $100. Not an insignificant difference.

The second bug was the lack of any back-off on failure. The five-minute sleep only happened after a successful transaction: if one of the gateways failed, the program wouldn't sleep but would simply attempt the transaction again immediately.

The third bug – which Trey did in fact know about but had made a mental note to fix later – was that the choice of credit or debit on the test transactions was supposed to be random, but for some reason always came up credit. He figured it wouldn't be that big of an issue, given the transactions were only supposed to be $0.01 every five minutes, right?
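The three bugs compound into one runaway loop, and it is easiest to see why in code. The block below is an added example, not Trey's program or anything from the story: a probe loop with all three defects beside a version that avoids them. The gateway, the clock and every name here are hypothetical stand-ins constructed for the example, and the fixed version deliberately alternates credit and debit (so successful probes net to zero) rather than picking at random as Trey intended.

```python
"""Added example: a payment-gateway probe with the three bugs from the story,
beside a corrected version. FakeGateway and FakeClock are constructed stand-ins;
no name here comes from the original program."""
from decimal import Decimal

MAX_TEST_AMOUNT = Decimal("0.01")   # hypothetical hard cap on any test transaction


class GatewayError(Exception):
    """Raised by the stand-in gateway while it is 'down'."""


class FakeGateway:
    """Constructed stand-in: the first `fail_calls` calls raise, later ones succeed."""

    def __init__(self, fail_calls):
        self.fail_calls = fail_calls
        self.calls = 0
        self.balance = Decimal("0")

    def transact(self, kind, amount):
        self.calls += 1
        if self.calls <= self.fail_calls:
            raise GatewayError("gateway down")
        self.balance += amount if kind == "credit" else -amount


class FakeClock:
    """Constructed stand-in for time.sleep: counts calls instead of waiting."""

    def __init__(self):
        self.sleeps = 0

    def sleep(self, seconds):
        self.sleeps += 1


def amount_from_parts(mantissa, exponent):
    """Amount = mantissa * 10**exponent, kept in Decimal so cents stay exact."""
    return Decimal(mantissa).scaleb(exponent)


def buggy_probe(gateway, clock, iterations):
    """The loop as described in the story: returns (calls, sleeps, balance)."""
    # Bug 1: exponent sign is wrong, so each probe is 1 * 10**2 = 100, not 0.01.
    amount = amount_from_parts(1, 2)
    for _ in range(iterations):
        try:
            # Bug 3: meant to be a random credit/debit choice, hard-wired to credit.
            gateway.transact("credit", amount)
        except GatewayError:
            continue  # Bug 2: the failure path skips the sleep, so the retry is immediate
        clock.sleep(5 * 60)
    return gateway.calls, clock.sleeps, gateway.balance


def safe_probe(gateway, clock, iterations, mantissa=1, exponent=-2):
    """Same probe with each bug closed: returns (calls, sleeps, balance)."""
    amount = amount_from_parts(mantissa, exponent)
    if amount > MAX_TEST_AMOUNT:   # fix 1: refuse to run with an amount above the cap
        raise ValueError(f"test amount {amount} exceeds cap {MAX_TEST_AMOUNT}")
    successes = 0
    for _ in range(iterations):
        # fix 3: alternate credit and debit so successful probes net to zero
        kind = "credit" if successes % 2 == 0 else "debit"
        try:
            gateway.transact(kind, amount)
            successes += 1
        except GatewayError:
            pass
        finally:
            clock.sleep(5 * 60)   # fix 2: wait on every path, failure included
    return gateway.calls, clock.sleeps, gateway.balance


if __name__ == "__main__":
    # Gateway that is down for its first three calls, five probe iterations each.
    print("buggy:", buggy_probe(FakeGateway(3), FakeClock(), 5))
    print("safe: ", safe_probe(FakeGateway(3), FakeClock(), 5))
```

With the gateway down for three calls, the buggy loop makes five calls but sleeps only twice, and the two calls that get through each credit $100; the corrected loop sleeps on every iteration, so the outage costs nothing but time, and the two successful probes cancel out. The amount cap is the check that would have stopped the $100 version from ever starting, whatever the exponent was set to.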

You can easily see where this is headed. As he ran the program overnight, one of the gateways failed. Trey's little proof of concept demo program then began crediting his test account with $100 pretty much constantly for the next few hours.

When he arrived at work the next morning, there were some very serious faces – including a security team – waiting to greet him and find out what sort of fraud he thought he was trying to pull. The account had amassed a considerable fortune by that stage.

Thankfully the head of department, who had authorized the deployment, came to Trey's rescue and explained the situation. Tragically, though, the balance of the test account was reset to zero.

Ever had a programming error make a fortune appear – or disappear – like magic? Tell us all about it in an email to Who, Me? and we may share your adventure on some future Monday morning - in 2025, when the column returns. ®
