at the end of the day you have to trust the zapper anyways, verification of the bolt11 just makes faking the zap slightly harder but not impossible
Discussion
yeah, zap verification always seemed like a lot of work for not much gain against real bad actors
Should I log your initial missing payment_hash for Primal team nostr:npub1xdtducdnjerex88gkg2qk2atsdlqsyxqaag4h05jmcpyspqt30wscmntxy ?
Maybe a table for "Zap verification" across clients, with problematic cases in comments? My guess is many clients do very little of it, and if they eventually start doing it they might stumble on the same issues.