@liammitchell
Sorry but I am not sure if I understand your query properly. Please explain with more details.
Thank you.
So from my understanding debit/credit operation is not an atomic/blocking operation.
If two sessions for the same user (e.g. different browser windows) do it at the same time, the result could be surprising.
https://github.com/malsubrata/woo-wallet/blob/master/includes/class-woo-wallet-wallet.php#L189-L197
Assume at least two threads are handling requests.
Thread 1 and Thread 2 for same/similar request
both get past the balance check and end up on line 193.
User has $100 wanting to spend $100.
Thread 1 and Thread 2 would both insert a record to the transactions table at this point.
$200 is effectively “spent” each having a transaction id, but the balance is still calculated at $previousBalance -= $amount;
Is this a Double spend problem?
I’m probably just going to install an extension to limit to 1 session per WordPress user as a precaution.
https://www.wpsecurityauditlog.com/support-documentation/managing-multiple-same-wordpress-user-sessions/
I could be over-thinking this and worrying about nothing, but it could be possible; I have not reproduced it yet.
Look at it another way, multiple bot accounts constantly trading amounts between themselves with multiple sessions in an attempt to duplicate amounts, at some point would it screw out?
Yes, I think assuming the webserver has multiple threads/workers.
But there may be something else that I have overlooked, as I have not gone through all the code just yet; that just stood out to me as a potential concern.
Thanks, @liammitchell for the details. Yes, you are right this is a big security issue. We will try to resolve this as soon as possible.
Thank you very much for pointing out this issue.
Thanks, @subratamal
There is a wpdesk/wp-mutex package that may be of interest.
https://packagist.org/packages/wpdesk/wp-mutex
https://gitlab.com/wpdesk/wp-mutex/tree/master
There may be other considerations when using it with multisite installations.
You could acquire a lock name based on the user id.
Their one makes use of MySQL Locking Functions.
https://dev.mysql.com/doc/refman/5.7/en/locking-functions.html
Possibly MySQL 5.7+.
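Added example (not woo-wallet's code and not the wp-mutex package): the racy check-then-insert pattern described in the thread, beside a version that serialises the balance check and the insert behind a per-user MySQL named lock (GET_LOCK/RELEASE_LOCK), with the table prefix folded into the lock name for the multisite case. It assumes WordPress's global `$wpdb` and a hypothetical transactions table `{$wpdb->prefix}woo_wallet_transactions` with columns `user_id`, `type` ('debit'/'credit') and `amount`; the function names are invented for illustration.

```php
<?php
// Hypothetical schema: {$wpdb->prefix}woo_wallet_transactions(user_id, type, amount).
// Balance is derived as credits minus debits, as in the thread's description.

/** Current balance: sum of credits minus debits for one user. */
function example_wallet_balance( $user_id ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'woo_wallet_transactions';
    $balance = $wpdb->get_var( $wpdb->prepare(
        "SELECT COALESCE(SUM(CASE WHEN type = 'credit' THEN amount ELSE -amount END), 0)
           FROM {$table} WHERE user_id = %d",
        $user_id
    ) );
    return (float) $balance;
}

/** Inserts one debit row; returns true on success. */
function example_insert_debit( $user_id, $amount ) {
    global $wpdb;
    $ok = $wpdb->insert(
        $wpdb->prefix . 'woo_wallet_transactions',
        array( 'user_id' => $user_id, 'type' => 'debit', 'amount' => $amount ),
        array( '%d', '%s', '%f' )
    );
    return false !== $ok;
}

/** RACY: nothing stops two requests from both reading "$100" and both inserting "$100". */
function example_debit_racy( $user_id, $amount ) {
    if ( example_wallet_balance( $user_id ) < $amount ) {
        return false;                       // both threads pass this check...
    }
    return example_insert_debit( $user_id, $amount );   // ...and both insert here
}

/** SERIALISED: the check and the insert run under a per-user MySQL named lock. */
function example_debit_locked( $user_id, $amount, $timeout_seconds = 5 ) {
    global $wpdb;
    // Prefix in the name keeps separate multisite blogs from sharing one lock;
    // md5 keeps it under MySQL's 64-character lock-name limit.
    $lock = 'wallet_' . md5( $wpdb->prefix . ':' . (int) $user_id );

    // GET_LOCK returns 1 on success, 0 on timeout, NULL on error.
    $got = $wpdb->get_var( $wpdb->prepare( 'SELECT GET_LOCK(%s, %d)', $lock, $timeout_seconds ) );
    if ( '1' !== (string) $got ) {
        return false;                       // never proceed without the lock
    }
    try {
        if ( example_wallet_balance( $user_id ) < $amount ) {
            return false;                   // second request now sees the first debit
        }
        return example_insert_debit( $user_id, $amount );
    } finally {
        // Always release, even on an exception; the lock also dies with the connection.
        $wpdb->query( $wpdb->prepare( 'SELECT RELEASE_LOCK(%s)', $lock ) );
    }
}
```

The lock is held by the MySQL connection, so it works across PHP workers and web servers that share one database, and it is dropped automatically if the connection is lost mid-request. Waiting on the lock rather than failing immediately (the timeout argument) is what makes the second of two simultaneous debits observe the first one's row when it recomputes the balance.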