You are a bit vulnerable because you are not checking that the entire receipt is signed and has been sent to you from Apple not from some hacker. But the good news is that there is no way the hacker can know what the device's identifierForVendor is and you check that to be sure it is correct. That is except if you have more than one IAP then the hacker can grab the first receipt, decode it and then send a new receipt into the device. It's hard but it can be done.
Look into decoding the new receipt.
I have thought about creating a method of sending receipts directly from the device to a trusted server and using that trusted server to verify receipts on Apple's server. I wonder if there is a need for that service.