Cheating via opening multiple tabs in a browser when spinning the wheel

[volodymyr-matselyukh]

Bug Report

Overview

It's possible to get a way higher score by duplicating tab with spinning wheel and clicking spin in each browser tab.

Affected parties

Regular users. Whole idea of spinning wheel entertainment.

Impact

*1. People with this gap knowledge can gain a way more score than people without such knowledge.

2. Also, it's unfair that somebody can gain a higher score with a single run with multiple tabs then others who played the game fairy by hitting spin button once in an hour in a single tab.
3. LNC points are collected a way quicker. For each spin lnc points are counted. So, having 100times more spins per hour gives 100times more lnc points. It's cool but it's unfair at the same time.*

Reproduction steps

*1. Visit this website: https://learnnear.club/wheel-of-transactions/

2. Wait till spin button is available.
3. Duplicate the tab in the browser.
4. Hit spin button in both tabs.
5. Score is now higher then it should be because there is no server side validation for already spinned wheel at current point of time.*

Root cause analysis

I believe there is no server side validation on wheel-spin request for already sent wheel-spin request for current hour.

Suggested fix

Before processing wheel-spin request the server should perform validation for whether the wheel-spin request came at the last hour. This fix should be easy because I see that there is already a mechanism to determine whether to show spin button. You can use the same mechanism to check whether the wheel-spin request should be processed or not.

[volodymyr-matselyukh]

Ok, sending requests via postman works fine too. It doesn't matter whether I spinned the wheel during this hour or not. Without validation anyone can simply bombard the server with requests and get insane score. I still don't get whether that's a feature or a bug.

[volodymyr-matselyukh]

now, the issue is fixed. thanks