Payment Bugs
// 4 bugs
Bugs in checkout flows, payment retries, webhooks, refunds, subscriptions, and invoices.
// Why it matters
Payment bugs directly affect money and user trust. A double charge, a missed webhook, or an order that stays pending after a successful payment can mean lost revenue, refund costs, and serious damage to your product's reputation.
// Common symptoms
- User is charged twice after retrying a failed payment
- Payment succeeds but the order remains in pending status
- Webhook event is not processed after a payment completes
- Discount applied incorrectly at checkout
- Subscription renewal fails silently with no notification to the user
- Refund is processed but the order status does not update
// Bugs in this category
Showing 4 of 4 bugs
When a payment request times out or the response fails to reach the client, the client retries the request. If the payment API is called without an idempotency key, the provider has no way to recognise the retry as a duplicate and processes it as a second, independent charge β billing the user twice for the same order.
The payment provider confirms a successful charge, but the application's order status is not updated from 'pending' to 'paid'. This leaves the order stuck β fulfilment is blocked, the customer is billed but receives nothing, and the only evidence of payment is in the payment provider's dashboard.
A refund for order 601 is successfully processed at the payment provider β the charge is reversed and the provider's dashboard shows the refund as complete β but the application's order status remains 'paid' rather than updating to 'refunded'. The application's webhook handler processes payment events but has no handler for the refund event type, so the order state machine never transitions.
The payment webhook endpoint POST /api/webhooks/payment processes any incoming request without verifying the provider's HMAC-SHA256 signature. A forged webhook event claiming a payment succeeded for order 701 can be sent by any HTTP client and will be processed as a legitimate payment, crediting an order without a real charge having occurred.
// Explore other categories
Authentication Bugs
Bugs in login, logout, password reset, session management, tokens, and multi-factor flows.
Permission and Authorization Bugs
Bugs where users can access, edit, delete, or view resources they shouldn't be allowed to.
API Bugs
Bugs in HTTP status codes, request validation, response schemas, error messages, and API contracts.
UI and Frontend Bugs
Bugs affecting layout, forms, responsiveness, error messages, and how the interface behaves across browsers and screen sizes.
Data Bugs
Bugs involving incorrect, duplicated, stale, missing, or inconsistent data across the application.
Time and Date Bugs
Bugs caused by timezone mismatches, daylight saving transitions, date range errors, and locale differences.
Search and Filter Bugs
Bugs in search results, filters, pagination, sorting, and result counts.
File Upload Bugs
Bugs in file type validation, size limits, upload progress, storage, and file preview.
Notification Bugs
Bugs in email delivery, push notifications, in-app alerts, webhooks, and notification preferences.
// Practise finding these bugs
Hunt payment bugs hands-on in a live practice app, then check your findings against the seeded-bug answer guide.