I would absolutely expect hacking/duping/bottling/gold farming/selling etc to be an issue with this game. It may be minimized early on due to the game's small size and minimal exposure, but as (or IF) the game gains an audience, these issues will increase drastically.
Two of the things I learned from policing that type of thing in VG were:
1. If you go through a third-party publisher that handles payments, it prevents you from effectively combating fraud.
2. If you want to be able to monitor and prevent hacking/fraud, you need to build tools into the game that enable your team to effectively do so from the ground up.
SOE published VG and handled CC payments, etc. They did a few things that really screwed us, like sending out thousands of free trial accounts (this might have been approved by someone at SGO, but if so we never found out who). Those trial accounts were immediately used by hackers/gold spammers to exploit the system. At that point, banning accounts became relatively pointless in most cases because the offenders would simply use another trial account. The silver lining was that even the trial accounts required a valid credit card, so if we banned credit cards instead of accounts, we could have been way more effective. That's when we ran into the second brick wall: SOE refused to give us any info regarding CC subscribers. We said, Ok, don't give us the info directly, but can you at least take an account name we give you and ban the CC linked to the account and all other accounts linked to that CC. I'm sure you can guess what the answer was.
The other end of it is that we constantly found ourselves needing tools to detect duping and bug exploitation. A tool that tracked the acquisition of resources like gold would have done wonders to prevent duping, to use just one example. While we did get some limited help with that type of thing from the programmers and database guy (there was really only one), they were all way too busy to try and implement some type of detection system in the game post-launch. Had that type of thing been anticipated from the beginning, it would have been much easier to build fraud detection measures into the system instead of trying to tack them on live.
Anyway, live and learn, but I imagine the Pantheon team would benefit from considering this type of thing as early as possible.