I see no validation of the amount, currency, etc. that was really transferred in the PayPal IPN handler code when the system marks a Pending order as 'Paid'. Is it really that vulnerable to an exploit when, e.g., the cart total price is tampered with in the browser session, as it seems? Or am I missing something? Are we supposed to check the transferred amount at PayPal manually?
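The checks the post says are missing, written out as an added example (not code from the shop system or from PayPal): before a Pending order is marked Paid, the IPN fields are compared against the order as stored server-side, and the PayPal transaction id is checked against those already credited. It assumes the IPN has already been posted back to PayPal and answered VERIFIED; the order record, merchant e-mail and IPN payloads are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

@dataclass
class Order:
    order_id: str
    total: Decimal      # server-side total, never taken from the IPN or the browser
    currency: str
    status: str = "Pending"

# Constructed stand-in for the DB table of PayPal txn_ids already credited.
SEEN_TXN_IDS: set = set()

def ipn_rejection_reasons(order, ipn, merchant_email):
    """Return the list of checks the (already VERIFIED) IPN fails for this order."""
    reasons = []
    if ipn.get("payment_status") != "Completed":
        reasons.append("payment_status is not Completed")
    if ipn.get("receiver_email", "").lower() != merchant_email.lower():
        reasons.append("receiver_email is not our merchant account")
    if ipn.get("invoice") != order.order_id:
        reasons.append("invoice does not reference this order")
    if ipn.get("mc_currency") != order.currency:
        reasons.append("mc_currency does not match the order currency")
    try:
        paid = Decimal(ipn.get("mc_gross", "0"))
    except InvalidOperation:
        paid = Decimal("0")
    if paid != order.total:
        reasons.append(f"mc_gross {paid} does not match order total {order.total}")
    if ipn.get("txn_id") in SEEN_TXN_IDS:
        reasons.append("txn_id already processed (replay)")
    return reasons

def mark_paid_if_valid(order, ipn, merchant_email="seller@example.com"):
    """Mark the order Paid only when every check passes; otherwise leave it Pending."""
    reasons = ipn_rejection_reasons(order, ipn, merchant_email)
    if reasons:
        return False, reasons
    SEEN_TXN_IDS.add(ipn["txn_id"])
    order.status = "Paid"
    return True, []

def new_test_order():
    # Constructed order: 49.99 USD, still Pending.
    return Order("1001", Decimal("49.99"), "USD")

# Constructed IPN payloads: one genuine, one where the shopper lowered the price client-side.
GENUINE_IPN = {"payment_status": "Completed", "receiver_email": "seller@example.com",
               "invoice": "1001", "mc_currency": "USD", "mc_gross": "49.99", "txn_id": "TX1"}
TAMPERED_IPN = dict(GENUINE_IPN, mc_gross="0.01", txn_id="TX2")
```

A handler that only reacts to `payment_status` would accept TAMPERED_IPN; with these comparisons it stays Pending and the mismatch is logged for review.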