10 sats \ 0 replies \ @random_ 31 Jan \ parent \ on: BOUNTY: HACK ME! Steal sats from the Bitcoin Mastermind Quiz (If You Can 💀) bitdevs
deleted my previous comment because I linked to the wrong line
On the frontend, you have a function called handleUserPayout. This function works correctly, i.e. it will check the number of times a user has been paid out and return "better luck next time" if the number of remaining attempts is 0.
https://github.com/ealvar13/hd-quiz-bitcoin-rewards/blob/30817af5f53c4da9b7dce593f77e37762a0f5dbc/bitcoin-mastermind-rewards/includes/js/bitc_a_light_script.js#L261
However, the function sendPaymentRequest can be simulated by the user by making the same call directly to admin-ajax.php.
https://github.com/ealvar13/hd-quiz-bitcoin-rewards/blob/30817af5f53c4da9b7dce593f77e37762a0f5dbc/bitcoin-mastermind-rewards/includes/js/bitc_a_light_script.js#L277C1-L291C12
There is no check on the remaining number of attempts compared to handleUserPayout.
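The fix the comment points at is to move the attempt limit out of the browser and into the admin-ajax handler, so that calling admin-ajax.php directly hits the same check as the UI. The following WordPress handler is an added example written for this thread, not the plugin's own code: the action name `bmq_send_payment`, the nonce name `bmq_payment_nonce`, the option `bmq_max_payouts`, the user-meta key `_bmq_payouts` and the payment routine `bmq_send_lightning_payment()` are all assumed names. The counter is incremented with a single conditional UPDATE so that two requests sent at the same time cannot both pass the limit.

```php
<?php
// Added example, not the plugin's code. Names below are assumptions:
// action 'bmq_send_payment', nonce 'bmq_payment_nonce', option 'bmq_max_payouts',
// user meta '_bmq_payouts', and the payment routine bmq_send_lightning_payment().

// Register only the logged-in hook. Without a matching wp_ajax_nopriv_ hook,
// anonymous calls to admin-ajax.php?action=bmq_send_payment get WordPress's default "0".
add_action( 'wp_ajax_bmq_send_payment', 'bmq_handle_payment_request' );

function bmq_handle_payment_request() {
    global $wpdb;

    // 1. Reject requests that did not come from a page we rendered with this nonce.
    check_ajax_referer( 'bmq_payment_nonce', 'nonce' );

    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( array( 'message' => 'Not logged in.' ), 401 );
    }

    // 2. The limit is server-side configuration, never a value posted by the client.
    $max_attempts = (int) get_option( 'bmq_max_payouts', 3 );

    // 3. Make sure the counter row exists; $unique = true makes this a no-op if it does.
    add_user_meta( $user_id, '_bmq_payouts', 0, true );

    // 4. Atomic check-and-increment: the row is only updated while the stored
    //    count is still below the limit, so concurrent requests cannot both succeed.
    $rows = $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->usermeta}
            SET meta_value = meta_value + 1
          WHERE user_id = %d
            AND meta_key = %s
            AND CAST(meta_value AS UNSIGNED) < %d",
        $user_id,
        '_bmq_payouts',
        $max_attempts
    ) );
    // Drop the object-cache copy so later get_user_meta() calls see the new value.
    wp_cache_delete( $user_id, 'user_meta' );

    if ( 1 !== $rows ) {
        // Same message the frontend shows, now enforced where it matters.
        wp_send_json_error( array( 'message' => 'Better luck next time.' ), 403 );
    }

    // 5. Only after the attempt is reserved do we hand off to the payment routine.
    $result = bmq_send_lightning_payment( $user_id ); // assumed function

    if ( is_wp_error( $result ) ) {
        // Give the attempt back if the payment itself failed, using the same
        // conditional form so the counter cannot go below zero.
        $wpdb->query( $wpdb->prepare(
            "UPDATE {$wpdb->usermeta}
                SET meta_value = meta_value - 1
              WHERE user_id = %d AND meta_key = %s
                AND CAST(meta_value AS UNSIGNED) > 0",
            $user_id,
            '_bmq_payouts'
        ) );
        wp_cache_delete( $user_id, 'user_meta' );
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    wp_send_json_success( $result );
}
```

The frontend check in handleUserPayout can stay as a convenience, but it is now only a mirror of the server's decision: whatever the browser sends, the handler reserves an attempt in the database before any sats move, and a direct call to admin-ajax.php gets the same 403 as the UI would show.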