Game bet amount accepts hexadecimal strings (numeric coercion bypass)
The bet-amount field accepted hexadecimal-formatted strings, which JavaScript's numeric coercion silently parsed into surprising integer values. This allowed bypassing min/max bet sanity checks at the validation boundary.
Description
JavaScript number coercion (Number(), +x, parseFloat) accepts hex strings such as "0xff" and produces a numeric result. The bet endpoint relied on coercion at the validation boundary, so a string like "0x..." could pass numeric checks intended to clamp betting ranges, producing an effective bet amount that bypassed the configured min/max.
Impact
Bet amounts outside the configured bounds could be accepted, potentially enabling bet sizes that violated risk-management limits.
Recommendation
Validate the bet amount as a JSON-numeric type at the API boundary, not as a string subject to coercion. Reject any payload where the bet field is a string. Apply min/max checks after the strict-number parse, and reject NaN, Infinity, and non-finite values explicitly.
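The coercion hazard from the Description and the strict check from the Recommendation, side by side, as an added example that is not part of this report or of the Fair Casino code base. MIN_BET, MAX_BET, the `amount` field name and the function names are assumptions made for illustration; the sample request bodies are constructed.

```javascript
// Added example, not code from the audited project: a coercion-based bet
// validator beside a strict one, plus a helper showing how the common JS
// coercions disagree on hex strings. Limits, field name and function names
// are assumed for illustration.

const MIN_BET = 1;    // assumed lower bound
const MAX_BET = 100;  // assumed upper bound

// What each common coercion makes of one raw input value. Number() and
// unary + parse "0xff" as 255; parseInt with no radix auto-detects the 0x
// prefix and also gives 255; parseFloat stops at the "x" and returns 0.
function coercionViews(raw) {
  return {
    number: Number(raw),
    unaryPlus: +raw,
    parseInt: parseInt(raw),
    parseFloat: parseFloat(raw),
  };
}

// Vulnerable pattern (the shape the finding describes): the raw value is
// coerced and then range-checked, so a string is accepted as long as the
// coercion lands inside the bounds. Which number the rest of the system then
// uses depends on which coercion it applies, and those disagree for hex.
function validateBetCoerced(payload) {
  const amount = Number(payload.amount);
  if (Number.isNaN(amount) || amount < MIN_BET || amount > MAX_BET) {
    return { ok: false, reason: "out of range" };
  }
  return { ok: true, amount, rawType: typeof payload.amount };
}

// Hardened pattern, following the recommendation: the decoded JSON value must
// already be a number, must be finite, and must sit inside the bounds. Strings
// never reach a coercion at all. JSON.parse itself can still hand back
// Infinity (for example from the literal 1e400), so the finiteness check is
// not redundant even for genuine JSON numbers; Number.isFinite also rejects NaN.
function validateBetStrict(payload) {
  const amount = payload.amount;
  if (typeof amount !== "number") {
    return { ok: false, reason: "amount must be a JSON number, not a string" };
  }
  if (!Number.isFinite(amount)) {
    return { ok: false, reason: "amount must be finite" };
  }
  if (amount < MIN_BET || amount > MAX_BET) {
    return { ok: false, reason: "out of range" };
  }
  return { ok: true, amount };
}

// Constructed request bodies, decoded the way a JSON body parser would hand
// them to the route handler.
const SAMPLE_BODIES = {
  decimal: JSON.parse('{"amount": 50}'),
  hexString: JSON.parse('{"amount": "0x32"}'),   // Number("0x32") === 50
  hexOutOfRange: JSON.parse('{"amount": "0xff"}'), // Number("0xff") === 255
  overflow: JSON.parse('{"amount": 1e400}'),     // decodes to Infinity
};

// Run both validators over every sample and report which ones each accepts.
function runSamples() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLE_BODIES)) {
    out[name] = {
      coerced: validateBetCoerced(body).ok,
      strict: validateBetStrict(body).ok,
    };
  }
  return out;
}

console.log(coercionViews("0xff"));
console.log(runSamples());
```

The `typeof` check is what actually closes the finding: once a string can never reach a numeric comparison, the question of which coercion a downstream component applies no longer matters, and the range check operates on the same value the rest of the system will see.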
Fair Casino: Fixed. Zealynx: Verified.