[full writeup](https://blog.puddle.sg/write-ups/2021-11-29-CyberSecurityRumble-CTF-2021)
Solution:
Create a new account named `x` on the payback site.
On the payment site, however, create an account with the username `xamount1337` and purchase 0 coins with that payment account.
Then modify the callback URL from
`/callback?user=xamount1337&amount=0&nonce=1&signature=somesignature`
to
`/callback?user=x&amount=1337&amount=0&nonce=1&signature=somesignature`.
The signature still verifies: the signed data for both URLs is identical because the user and amount fields run together without a delimiter, while the callback handler reads the first `amount` value (1337) for user `x`.

We can now purchase the flag as user `x`.
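The following is an added example, not code from the writeup or the challenge: it models the signing rule the attack implies (keys and values concatenated with no delimiters, and a handler that takes the first value of a repeated key) beside a hardened verifier that length-prefixes every field and rejects duplicate keys. The HMAC key, the function names and the exact signing rule are assumptions for the demo.

```python
import hmac
import hashlib
from urllib.parse import parse_qsl, urlencode

# Constructed demo key; the real service's key and signing rule are not on the page.
KEY = b"demo-secret"


def first_value(pairs, key):
    """Mimic frameworks whose args.get() returns the FIRST value of a repeated key."""
    return next((v for k, v in pairs if k == key), "")


def naive_message(pairs):
    # Assumed vulnerable rule: keys and values concatenated with no delimiters, so
    # "user=xamount1337&amount=0" and "user=x&amount=1337&amount=0" sign identically.
    return "".join(k + v for k, v in pairs)


def canonical_message(pairs):
    # Fixed rule: length-prefix every key and value so field boundaries are unambiguous.
    return "".join(f"{len(k)}:{k}{len(v)}:{v}" for k, v in pairs)


def sign(message):
    return hmac.new(KEY, message.encode(), hashlib.sha256).hexdigest()


def build_callback(user, amount, nonce, message_fn):
    """What the payment site would emit for a purchase, under the given signing rule."""
    pairs = [("user", user), ("amount", str(amount)), ("nonce", str(nonce))]
    return urlencode(pairs + [("signature", sign(message_fn(pairs)))])


def _split(query):
    pairs = parse_qsl(query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if k != "signature"], first_value(pairs, "signature")


def callback_naive(query):
    """Vulnerable verifier: returns the (user, amount) it would credit, or None."""
    body, sig = _split(query)
    if not hmac.compare_digest(sig, sign(naive_message(body))):
        return None
    return first_value(body, "user"), int(first_value(body, "amount"))


def callback_fixed(query):
    """Hardened verifier: repeated or unexpected keys are rejected before checking the MAC."""
    body, sig = _split(query)
    keys = [k for k, _ in body]
    if len(keys) != len(set(keys)) or sorted(keys) != ["amount", "nonce", "user"]:
        return None
    if not hmac.compare_digest(sig, sign(canonical_message(body))):
        return None
    return first_value(body, "user"), int(first_value(body, "amount"))
```

Signing the raw query string as transmitted (or any delimited canonical encoding) and refusing repeated parameters both close the gap; the length-prefixed form above is one such encoding.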