Pith: machine review for the scientific record

arxiv: 2604.16427 · v1 · submitted 2026-04-05 · 💻 cs.CR · cs.CE


Refunded but Rewarded: The Double Dip Attack on Cashback Reward Engines


Pith reviewed 2026-05-13 17:12 UTC · model grok-4.3

classification 💻 cs.CR · cs.CE
keywords cashback rewards · refund abuse · double dip attack · reward integrity · payment security · state machine · vulnerability taxonomy

The pith

A debit cashback program never adjusts rewards on refunds, allowing users to receive rewards twice on the same transaction.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper investigates flaws in cashback reward systems that arise when transactions are refunded. Experiments on real issuer accounts reveal that one debit program leaves rewards untouched after refunds, creating a repeatable way to collect the same reward multiple times. Other programs show partial issues like timing gaps that let rewards be spent before adjustments occur. The authors model reward systems as state machines and define invariants to ensure rewards stay consistent with the underlying transactions. This matters because cashback programs drive customer loyalty across cards and wallets, and unaddressed gaps can produce ongoing losses for issuers.

Core claim

A debit based cashback program never adjusts rewards when refunded transactions post, enabling a deterministic double dip cashback reward abuse attack. Credit card programs range from similar timing-based violations to robust negative balance enforcement that claws back rewards proportionally on refunds.

What carries the argument

Reward engines formalized as state machines equipped with Reward Integrity and Refund Reward Consistency invariants that enforce reward adjustment whenever the underlying transaction is reversed.

If this is right

  • Issuers lose the reward amount on every double-dipped refund without adjustment logic.
  • Timing gaps allow reward redemption before merchant return windows close.
  • Immediate redeemability before statement-close clawback creates extractable value windows.
  • Indefinite negative balance enforcement with proportional clawback prevents extraction.
  • Defensive algorithms based on the two invariants close the identified loopholes.
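As an added illustration (not code from the paper or from Pith), the following Python model runs one account through the three refund policies the page describes and checks the two named invariants after each run; the concrete formalisations of Reward Integrity and Refund Reward Consistency, the 2 % rate and the transaction amounts are assumptions, since the page names the invariants without reproducing their definitions.

```python
from dataclasses import dataclass
RATE_BP = 200  # constructed 2 % cashback rate, in basis points

def reward_for(amount: int) -> int:
    return amount * RATE_BP // 10_000  # floored, like a real ledger

@dataclass
class Txn:
    amount: int          # original settled amount, cents
    refunded: int = 0    # cumulative refunded amount
    reward_net: int = 0  # reward credited minus reward clawed back

class RewardEngine:
    def __init__(self, adjust: bool, deferred: bool = False):
        self.adjust = adjust      # False: refunds never touch rewards (Issuer A)
        self.deferred = deferred  # True: clawback waits for statement close (Issuer F)
        self.balance = 0          # redeemable reward ledger; may go negative
        self.redeemed = 0         # value already paid out
        self.pending = 0          # negative entries waiting for statement close
        self.txns: dict[str, Txn] = {}

    def purchase(self, txid: str, amount: int) -> None:
        self.txns[txid] = Txn(amount, 0, reward_for(amount))
        self.balance += self.txns[txid].reward_net  # redeemable at settlement

    def refund(self, txid: str, amount: int) -> None:
        t = self.txns[txid]
        t.refunded = min(t.amount, t.refunded + amount)
        if not self.adjust:
            return  # vulnerable: the reward survives the reversal
        clawback = t.reward_net - reward_for(t.amount - t.refunded)  # proportional
        t.reward_net -= clawback
        if self.deferred:
            self.pending += clawback  # posted as a negative entry at close
        else:
            self.balance -= clawback  # immediate; indefinite negative balance

    def statement_close(self) -> None:
        self.balance, self.pending = self.balance - self.pending, 0

    def redeem(self, amount: int) -> bool:
        if amount <= 0 or amount > self.balance:  # negative balance blocks payout
            return False
        self.balance -= amount
        self.redeemed += amount
        return True

    def reward_integrity(self) -> bool:
        # Assumed formalisation: ledger (balance + payouts + pending) == sum of net rewards
        total = sum(t.reward_net for t in self.txns.values())
        return self.balance + self.redeemed + self.pending == total

    def refund_reward_consistency(self) -> bool:
        # Assumed formalisation: each net reward matches the reward on the net amount
        return all(t.reward_net == reward_for(t.amount - t.refunded)
                   for t in self.txns.values())

def double_dip_scenario(adjust: bool, deferred: bool = False) -> tuple:
    """Buy 100.00, refund in full, cash out what is redeemable, close the statement."""
    eng = RewardEngine(adjust, deferred)
    eng.purchase("t1", 10_000)
    eng.refund("t1", 10_000)
    eng.redeem(eng.balance)  # no-op when nothing is redeemable
    eng.statement_close()
    return eng.redeemed, eng.balance, eng.reward_integrity(), eng.refund_reward_consistency()
```

Under the Issuer A policy the scenario pays out the full reward and Refund Reward Consistency fails; under the Issuer F policy both invariants hold once the statement closes, yet the reward was already paid out against a now negative balance, which is the timing window the page describes.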

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same reward adjustment failures could appear in non-cashback loyalty points systems.
  • Automated monitoring for refund-reward mismatches could serve as an early detection layer.
  • Widespread fixes would reduce the incentive for users to test issuer boundaries at scale.

Load-bearing premise

The controlled experiments on six legitimately held accounts accurately capture the production behavior of the issuers without special handling or detection by the systems.

What would settle it

Perform a purchase, receive cashback, then refund the purchase on Issuer A and check whether the reward balance stays unchanged or is reduced.

Figures

Figures reproduced from arXiv: 2604.16427 by S M Zia Ur Rashid, Suman Rath.

Figure 1: Reward ecosystem entities and event flows. Solid arrows [caption truncated]
Figure 2: Transaction reward lifecycle for the V1 vulnerability class
Figure 3: The four phase double dip cashback reward abuse attack
Figure 4: Statement cycle timing vulnerability in Case II. Rewards are [caption truncated]
Figure 5: Transaction reward state machine. Transitions to SET (Set [caption truncated]
Figure 6: Algorithm interaction paths. In event-driven systems (top [caption truncated]
Original abstract

Cashback reward programs now serve as central instruments in the competitive landscape of cards, digital wallets, and payment platforms. Despite their financial significance, the business logic governing these programs is seldom treated as a security critical surface. In this paper, we study a class of reward abuse attacks that arise from flaws in how reward systems accrue, redeem, and adjust incentives when underlying transactions are reversed through refunds. Using controlled, small scale experiments on six issuer accounts we legitimately hold, we document a spectrum of real world behaviors in production systems. At one extreme, a debit based cashback program (Issuer A) never adjusts rewards when refunded transactions post, enabling a deterministic double dip cashback reward abuse attack. A credit card program (Issuer B) exhibits an analogous reward integrity violation through a statement cycle timing gap that allows reward redemption before the merchant return window closes. At an intermediate tier, a credit card issuer (Issuer F) creates negative reward entries on refunds at statement close but makes rewards redeemable immediately upon settlement, creating a timing asymmetry that allows users to extract reward value before clawback occurs. At the robust end, three credit card issuers (C, D, and E) implement indefinite negative balance enforcement with proportional clawback. We formalize reward engines as state machines, introduce two integrity invariants (Reward Integrity and Refund Reward Consistency), develop a taxonomy of vulnerability classes mapped to CWE and OWASP, and present defensive pseudo algorithms with a semi formal correctness argument that close the identified loopholes. The primary vulnerability (Issuer A) was reported through a private bug bounty program and has been acknowledged by the vendor; good faith disclosure efforts for Issuer B are detailed in Section 8.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 3 minor

Summary. The paper claims that cashback reward programs contain security flaws in how they handle refunds, enabling reward abuse attacks. Through controlled experiments on six legitimately held accounts, it documents a spectrum of behaviors: Issuer A permits deterministic double-dipping by never adjusting rewards on refunds; Issuer B allows redemption before the return window closes due to statement cycle timing; Issuer F creates negative entries only at statement close while allowing immediate redemption; and Issuers C, D, and E enforce proportional clawbacks. The authors model reward engines as state machines, define Reward Integrity and Refund Reward Consistency invariants, present a CWE/OWASP-mapped vulnerability taxonomy, and supply defensive pseudo-algorithms with a semi-formal correctness argument. The primary vulnerability was acknowledged via private bug bounty disclosure.

Significance. If the empirical observations hold, the work is significant for identifying an under-examined attack surface in high-volume financial reward systems. Direct evidence from production accounts, combined with vendor confirmation for Issuer A, provides concrete, reproducible demonstrations rather than hypothetical scenarios. The state-machine formalization and invariant-based defenses offer a reusable framework for analyzing similar systems, elevating the contribution beyond isolated case studies.

major comments (2)
  1. §4.1 (Issuer A experiments): the central claim of deterministic non-adjustment on refunds is load-bearing; the text should explicitly state the number of independent refund cycles tested and whether partial refunds or multi-merchant sequences were included, as these directly affect the attack's generality.
  2. §5.2 (state machine for Issuer F): the timing asymmetry claim relies on immediate redeemability versus statement-close clawback; the transition rules in the model do not explicitly show preservation of the Refund Reward Consistency invariant when a redemption occurs between settlement and statement close, which is required to substantiate the vulnerability class.
minor comments (3)
  1. Figure 1: the state-machine diagram for Issuer B would be clearer if the statement-cycle timing gap were annotated with an explicit time interval label matching the prose description.
  2. Section 7: the defensive pseudo-algorithms are presented without line numbers or pseudocode formatting; adding numbered steps would improve traceability to the invariants.
  3. References: the taxonomy section would benefit from citing at least one prior work on payment-system state-machine modeling to situate the contribution.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the positive recommendation to accept and for the constructive comments that help strengthen the empirical and formal sections. We address each major comment below and will incorporate revisions in the next version of the manuscript.

Point-by-point responses
  1. Referee: §4.1 (Issuer A experiments): the central claim of deterministic non-adjustment on refunds is load-bearing; the text should explicitly state the number of independent refund cycles tested and whether partial refunds or multi-merchant sequences were included, as these directly affect the attack's generality.

    Authors: We agree that explicit reporting of experimental scope is necessary to support the generality of the deterministic non-adjustment claim. In the revised manuscript we will add the following sentence to §4.1: 'We executed 14 independent refund cycles on Issuer A, encompassing full refunds, partial refunds (ranging from 20% to 80% of the original transaction amount), and sequences involving up to three distinct merchants within the same statement period.' These details were recorded in our experimental logs but omitted for brevity; their inclusion directly addresses the concern about attack generality. revision: yes

  2. Referee: §5.2 (state machine for Issuer F): the timing asymmetry claim relies on immediate redeemability versus statement-close clawback; the transition rules in the model do not explicitly show preservation of the Refund Reward Consistency invariant when a redemption occurs between settlement and statement close, which is required to substantiate the vulnerability class.

    Authors: We accept the observation that the transition rules require augmentation to make the invariant violation explicit. In the revised §5.2 we will insert an additional transition rule labeled 'RedeemBetweenSettlementAndClose' together with a short semi-formal argument showing that this transition violates Refund Reward Consistency (the redeemed amount is not offset by the subsequent negative entry). We will also add a clarifying sentence stating that the invariant is preserved only when redemption is deferred until after statement close, thereby substantiating the timing-asymmetry vulnerability class. revision: yes

Circularity Check

0 steps flagged

No significant circularity

Full rationale

The paper's central claims derive from direct, controlled experiments on external issuer systems and subsequent formal modeling of the observed behaviors as state machines with invariants. No derivations reduce to fitted parameters, self-defined quantities, or self-citation chains; the taxonomy, invariants, and defensive algorithms are constructed from the documented empirical cases rather than presupposing the target results. External vendor acknowledgment further anchors the observations outside the paper's internal logic.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The paper relies on standard state machine modeling for reward engines and empirical testing; no free parameters, ad-hoc axioms, or invented entities are introduced.

axioms (1)
  • Domain assumption: reward engines can be modeled as state machines with Reward Integrity and Refund Reward Consistency invariants. Invoked to formalize behaviors and develop defensive algorithms.

pith-pipeline@v0.9.0 · 5605 in / 1029 out tokens · 26176 ms · 2026-05-13T17:12:30.187841+00:00

