Denial of Inventory
Denial of inventory (DoI) is a form of abuse targeting retail and e-commerce platforms in which malicious actors artificially deplete the available stock of a product without completing legitimate purchases. By placing items into shopping carts or reserving them through automated means, perpetrators prevent genuine customers from buying those items, causing reputational and financial harm to retailers and disrupting normal market activity.
Mechanism
Most e-commerce systems temporarily reserve stock when a customer adds an item to their cart or initiates checkout, holding it for a set period—typically a few minutes to half an hour—before releasing it back to the pool if no purchase is completed. Denial-of-inventory attacks exploit this reservation window by repeatedly occupying stock using bots or scripts, refreshing reservations before they expire and thereby keeping items perpetually unavailable to ordinary shoppers. Because no payment is required to trigger a reservation, the attacker incurs no cost while the retailer loses sales.
A common variant targets high-demand or limited-edition product launches, such as gaming consoles, sneakers, or event tickets. In these cases the goal may be competitive disruption, extortion, or preparation for scalping—where the attacker subsequently purchases the items through a separate channel once competitors are locked out.
Impact
The consequences of a denial-of-inventory attack fall on multiple parties:
- Retailers and brands suffer lost revenue, customer frustration, and damage to brand trust, particularly when a product launch appears to "sell out" instantly despite low genuine demand.
- Consumers are unable to purchase products at retail price and may be forced to pay inflated secondary-market prices.
- Competing sellers may face indirect harm if the attack is coordinated to benefit a specific rival.
The attack can also distort inventory analytics and demand-forecasting systems, leading to poor restocking and procurement decisions.
Mitigations
Retailers employ several technical and policy measures to reduce exposure to denial-of-inventory attacks:
- Short reservation timeouts reduce the window during which stock can be held without payment.
- Bot detection and CAPTCHA systems identify and block automated clients before they can place reservations.
- Rate limiting restricts the number of cart additions or reservation requests from a single IP address or account within a given timeframe.
- Queue systems for high-demand launches replace instant cart access with a virtual waiting room, reducing the effectiveness of bots.
- Payment-first flows require partial or full payment commitment before stock is reserved, raising the cost and risk for attackers.
- Account verification requirements, such as confirmed email or phone number, make it harder to operate large numbers of throwaway accounts.
No single measure is fully effective in isolation; most robust defenses combine several of these approaches alongside ongoing traffic monitoring.
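As an added illustration (not code from any retailer or platform), the sketch below combines two of the measures listed above: a short reservation timeout whose deadline is fixed when the hold is created, so re-adding an item cannot refresh it, and a per-account limit on new holds within a time window. The class name, parameters, and the in-memory storage are assumptions chosen for the example; each hold covers one unit.

```python
# Added example: all names and default values here are hypothetical.
import time
from collections import defaultdict, deque

class ReservationStore:
    """In-memory stock holds with an absolute deadline and per-account limits."""

    def __init__(self, stock, hold_ttl=300, max_holds=3, window=3600, clock=time.monotonic):
        self.stock = dict(stock)            # sku -> units not yet sold
        self.hold_ttl = hold_ttl            # seconds a hold lasts; never extended
        self.max_holds = max_holds          # new holds allowed per account per window
        self.window = window                # length of the rate-limit window, seconds
        self.clock = clock                  # injectable so tests can control time
        self.holds = {}                     # (account, sku) -> expiry time
        self.history = defaultdict(deque)   # account -> times of recent new holds

    def _expire(self, now):
        for key in [k for k, exp in self.holds.items() if exp <= now]:
            del self.holds[key]

    def available(self, sku):
        self._expire(self.clock())
        held = sum(1 for (_, s) in self.holds if s == sku)
        return self.stock.get(sku, 0) - held

    def reserve(self, account, sku):
        now = self.clock()
        self._expire(now)
        if (account, sku) in self.holds:
            return "already_held"           # re-adding does not push the deadline out
        recent = self.history[account]
        while recent and recent[0] <= now - self.window:
            recent.popleft()                # forget holds older than the window
        if len(recent) >= self.max_holds:
            return "rate_limited"
        if self.available(sku) <= 0:
            return "out_of_stock"
        self.holds[(account, sku)] = now + self.hold_ttl
        recent.append(now)
        return "reserved"

    def purchase(self, account, sku):
        self._expire(self.clock())
        if self.holds.pop((account, sku), None) is None:
            return False                    # no live hold: nothing to buy against
        self.stock[sku] -= 1
        return True
```

The rate limit counts holds that have already expired, so an account that lets a hold lapse and immediately takes a new one still exhausts its allowance for the window.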
Relation to similar threats
Denial of inventory shares characteristics with other cart-abuse and bot-driven attacks. It is conceptually related to denial-of-service (DoS) attacks in that the objective is to make a resource unavailable to legitimate users, but the mechanism targets business logic rather than network infrastructure. It also overlaps with scalping bot activity, though scalping bots ultimately complete purchases whereas a pure denial-of-inventory attack does not. The term is sometimes used interchangeably with cart stuffing or inventory hoarding, though these may carry slightly different connotations depending on context.
See also
- Scalping (retail)
- Credential stuffing
- Web scraping
- Bot management