0 sats \ 2 replies \ @ealvar39 OP 31 Jan \ parent \ on: BOUNTY: HACK ME! Steal sats from the Bitcoin Mastermind Quiz (If You Can 💀) bitdevs
interesting! it doesn't boot your request after 3 tries with the same lightning address?
It seems to rely on the client sending a request to get itself counted:
The client can simply skip this call to get endless calls.
All the logic should be in the server: use a single call to submit the answers, and have the server count the address, generate and pay the invoice in one step. You can't rely on the client following any expected procedure. Hackers will do any call in any order with any parameter to exploit you.
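The single-call design recommended in the reply above, sketched as an added example that is not part of the original thread or the quiz's own code. The names `createQuizServer`, `submit` and `payOut`, the answer key and the addresses are assumptions, and `payOut` stands in for whatever generates and pays the invoice.

```javascript
// Added example; createQuizServer, submit and payOut are hypothetical names.
const MAX_ATTEMPTS = 3; // the limit mentioned in the thread

function createQuizServer(answerKey, payOut) {
  const attempts = new Map(); // normalized address -> submissions counted
  const paid = new Set();     // addresses that already received a payout

  // The only entry point: counting, grading and paying happen in one server-side step.
  function submit(address, answers) {
    if (typeof address !== "string" || !Array.isArray(answers)) {
      return { ok: false, reason: "bad_request" };
    }
    const key = address.trim().toLowerCase();
    if (key === "") return { ok: false, reason: "bad_request" };

    // Count before grading, so a wrong submission still uses up a try.
    const used = (attempts.get(key) || 0) + 1;
    if (used > MAX_ATTEMPTS) return { ok: false, reason: "attempt_limit" };
    attempts.set(key, used);

    if (paid.has(key)) return { ok: false, reason: "already_paid" };

    // Grade against the server's key; the client never reports its own score.
    const correct =
      answers.length === answerKey.length &&
      answers.every((a, i) => a === answerKey[i]);
    const attemptsLeft = MAX_ATTEMPTS - used;
    if (!correct) return { ok: false, reason: "wrong_answers", attemptsLeft };

    paid.add(key); // mark before paying so a repeat call cannot pay twice
    payOut(key);
    return { ok: true, attemptsLeft };
  }
  return { submit };
}

// Constructed sample data: a three-question key and a payout stub that records the address.
const payouts = [];
const server = createQuizServer(["b", "a", "d"], (addr) => payouts.push(addr));
console.log(server.submit("alice@example.com", ["b", "a", "d"]), payouts);
```

Because there is no separate "count me" endpoint, a client that skips or reorders calls gains nothing: every route to a payout passes through the counter.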