JavaScript

How to correctly confirm payments on nodejs?

Good day.
What do we have. Back - nodejs, Front - Vuejs.
Task: Confirm successful user transactions on the nodejs server.

Actually before history.
We have a client-server application, a mini shop for cosmetics and various household goods.
The front is written in vuejs.
Client authentication/authorization using Passport.js JWT token.
Actually, in terms of payment confirmation of payments, we failed. We were hacked and it is not clear how they learned to replenish their balance, in the personal account there is a withdrawal of part of the funds when buying from the N-amount.
How everything was arranged.
On the Front, a person in the personal account went to the point to replenish the account, chose the payment system. After payment, went to pay.
At the moment, a record was created on the back in the database with the fields status - false and summ - N. Transaction ID.
Transactions were confirmed through the payment API, cron worked every minute. and checked by the transaction ID whether it was paid, and whether the validity period has expired. If the API returned true for the success field, then the transaction was closed and the user received a balance.
This entire algorithm turned out to be vulnerable, and was compromised.
Actually the question is how and with the help of what tools to implement this in a more or less safe form.
Such a moment is the only thing that we managed to find out that the vulnerability was used without front-end. That is, only if there is a backing, and most likely the base was not broken.

The first actions that come to mind are to connect encryption to the transmitted user data from the front.
Implement some mechanism for storing SC in user cookies, and only if it is available, create a transaction.
Again, when checking a transaction, having only fields from the success expired API, what can you think of?