13:30 - 15:30
March 24, 2026
At a developer meetup on secure software development, we asked a simple question: "Look at this login form. How could a hacker abuse it?" Not one developer in the room dared to answer. The referral code field looked harmless, but the backend had no validation: self-referrals, circular referrals and unlimited farming were all possible. It's just the simplest example of how business logic flaws get missed. This card game is built around that gap: it shows what business logic vulnerabilities might exist and how the real vulnerabilities hiding inside Duck Store, an intentionally vulnerable app, can be abused.