WebSocket deposit_confirmed events can be spoofed client-side, causing false deposit confirmations

The frontend WebSocket client blindly trusted incoming server-side events such as deposit_confirmed and immediately updated UI state (balance, deposit status, notifications) without verifying:

• That the message originated from the trusted server.
• That the deposit corresponded to an on-chain transaction.

A fabricated deposit_confirmed event with an arbitrary amount was accepted:

• The UI reflected the fake deposit and balance update.
• No immediate backend reconciliation corrected the state.

This produced false-positive deposits in the UI and caused severe frontend/backend desynchronization, including misleading "Your deposit of … FAIR has been credited!" notifications.

Vulnerable scenario:

1. Authenticate normally.
2. Open a WebSocket connection to /ws.
3. Intercept or inject a crafted deposit_confirmed message with a large amount and a fabricated txHash.
4. Observe the deposit notification rendered and the wallet UI updated with the fake balance.

• False deposit confirmations: users can see deposits that never occurred, which is directly usable for social-engineering and support-flow abuse.
• Severe UI integrity failure: frontend state diverges from blockchain and backend truth.

Make WebSocket events advisory, not authoritative.

• On deposit_confirmed, trigger a fetch to GET /api/user/balance and GET /api/deposits/{txHash}.
• Update the UI only after the API confirms backend truth.

Fair Casino: Fixed. Zealynx: Verified.