From what I've read in your codebase I think you're "only" validating that the returned events have correct fields and verify the sig but nothing else. It'd be nice to get a confirmation that this is the case.