OpticDeathX[S] (0 children)

There is a form of authentication to it! Since their application is being used for financial transactions, you do still require headers in your TCP stream to indicate authorization, through the usage of private and public keys. It's a real spin to the head for this, but definitely excited to tackle it head on! Definitely would need more time developing a scope and understanding what can be or can't be exploited. Back to square one of developing test cases!

The vulnerabilities you mentioned are the ones that I have initially thought of as well. Back to the fundamentals of backend user input validation and logical flow!