bitdevs

BOUNTY: HACK ME! Steal sats from the Bitcoin Mastermind Quiz (If You Can 💀)

ealvar39

It seems to rely on the client sending a request to get itself counted:

![req](https://i.ibb.co/0TS9zHv/req3.png)

The client can simply skip this call to get endless calls.

All the logic should be in the server: use a single call to submit the answers, and have the server count the address, generate and pay the invoice in one step. You can't rely on the client following any expected procedure. Hackers will do any call in any order with any parameter to exploit you.