If another user attempts to spend your funds, for example, a hacker, they must also know your pin.
If the PIN will be the only protection, then what about brute-forcing it? In the case of centralized systems, there is a limit on how many times you can try it. So, what does it mean in your system? Is it possible to attack random users, and block their accounts, just by endlessly trying invalid PINs on their accounts?
This is a good point. I thought about this as well. I would propose that if the user fails to get the correct pin after 3 tries there should be some delay. I thought about adding a 30-minute waiting period before you can try again.
Can you imagine standing at the checkout line with your stuff and you accidentally put in the wrong pin three times and then have to wait 30 minutes to try again? The people waiting in line behind you might not put up with it.