Is this vulnerability fixed for PromptGamePassPurchaseFinished?
I believe it (kinda) is, though if you don't have proper checks, exploiters can still call it multiple times and get in-game rewards multiple times (if you reward them via PromptGamePassPurchaseFinished).
How would you perform proper checks?
You can't really use UserOwnsGamePassAsync because of its caching behavior.
Why would you use PromptProductPurchaseFinished though? Handling dev products is meant to be in a callback function with ProcessReceipt.
Is there any way to safely listen for asset and bundle purchases? ProcessReceipt only works for developer products.
EDIT:
Probably forced to use PlayerOwnsAsset and PlayerOwnsBundle a few seconds later… kinda sucks ngl.
EDIT 2:
Also have to check if the user already bought it, or once purchased they can spam and cheat it.
This image best describes how vulnerable PromptPurchaseFinished and PromptGamePassPurchaseFinished can be. As the poster of this X post states, you can continuously fire the isPurchased parameter with true if you own the asset/gamepass. The only way to prevent this is, like the author says, to use checks beforehand. I've used the Roblox inventory API with a proxy due to the limitations of PlayerOwnsAsset (it does not return every copy of an asset a player owns, e.g. collectible limited, UGC limited).
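
As an added example that is not part of any post in this thread, here is one server-side way to apply the checks discussed above: the PromptGamePassPurchaseFinished signal is treated only as a hint, ownership is re-checked on the server, and the reward is granted at most once per player. `GAME_PASS_ID`, the retry values, `grantReward` and the `HasPassPerk` attribute are assumptions made for illustration.

```lua
-- Added example (not from the thread). Server Script in ServerScriptService.
local MarketplaceService = game:GetService("MarketplaceService")
local Players = game:GetService("Players")

local GAME_PASS_ID = 0     -- placeholder: replace with your game pass id
local RETRY_DELAY = 2      -- assumed seconds between ownership re-checks

local granted = {}   -- [userId] = true once the reward was given this session
local inFlight = {}  -- [userId] = true while an ownership check is running

-- Hypothetical reward hook. For rewards that persist (currency, items), keep
-- the "granted" flag in a DataStore instead of this per-session table.
local function grantReward(player)
	player:SetAttribute("HasPassPerk", true)
end

-- Ask Roblox directly; retry because a cached "false" can lag a real purchase.
local function ownsPass(userId, attempts)
	for attempt = 1, attempts do
		local ok, owns = pcall(function()
			return MarketplaceService:UserOwnsGamePassAsync(userId, GAME_PASS_ID)
		end)
		if ok and owns then return true end
		if attempt < attempts then task.wait(RETRY_DELAY) end
	end
	return false
end

local function tryGrant(player, attempts)
	local userId = player.UserId
	-- Repeated or forged signals stop here: one grant, one check at a time.
	if granted[userId] or inFlight[userId] then return end
	inFlight[userId] = true
	local owns = ownsPass(userId, attempts)
	inFlight[userId] = nil
	if owns and player.Parent == Players and not granted[userId] then
		granted[userId] = true
		grantReward(player)
	end
end

-- The event is only a hint to re-check; wasPurchased is never trusted alone.
MarketplaceService.PromptGamePassPurchaseFinished:Connect(function(player, passId, wasPurchased)
	if passId == GAME_PASS_ID and wasPurchased then tryGrant(player, 5) end
end)
Players.PlayerAdded:Connect(function(player) tryGrant(player, 1) end)
Players.PlayerRemoving:Connect(function(player)
	granted[player.UserId], inFlight[player.UserId] = nil, nil
end)
```

If the cached ownership result stays false for the whole retry window, a legitimate buyer receives the reward on their next join through the PlayerAdded check.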