diff --git a/core/signals.py b/core/signals.py
index a6486047..a8a3945e 100644
--- a/core/signals.py
+++ b/core/signals.py
@@ -53,7 +53,7 @@ def create_wishlist_on_user_creation_signal(instance: User, created: bool, **kwa
 @receiver(post_save, sender=User)
 def create_promocode_on_user_referring(instance: User, created: bool, **kwargs: dict[Any, Any]) -> None:
     try:
-        if not instance.attributes:
+        if type(instance.attributes) is not dict:
             instance.attributes = {}
             instance.save()
 
diff --git a/core/viewsets.py b/core/viewsets.py
index 1fb12e6b..12a463ca 100644
--- a/core/viewsets.py
+++ b/core/viewsets.py
@@ -716,8 +716,8 @@ class OrderViewSet(EvibesViewSet):
     def add_order_product(self, request: Request, *args, **kwargs) -> Response:
         serializer = AddOrderProductSerializer(data=request.data)
         serializer.is_valid(raise_exception=True)
-        order = self.get_object()
         try:
+            order = self.get_object()
             if not (request.user.has_perm("core.add_orderproduct") or request.user == order.user):
                 raise PermissionDenied(permission_denied_message)
 
@@ -726,15 +726,17 @@ class OrderViewSet(EvibesViewSet):
                 attributes=format_attributes(serializer.validated_data.get("attributes")),
             )
             return Response(status=status.HTTP_200_OK, data=OrderDetailSerializer(order).data)
-        except Order.DoesNotExist:
-            return Response(status=status.HTTP_404_NOT_FOUND)
+        except Order.DoesNotExist as dne:
+            return Response(status=status.HTTP_404_NOT_FOUND, data={"detail": str(dne)})
+        except ValueError as ve:
+            return Response(status=status.HTTP_400_BAD_REQUEST, data={"detail": str(ve)})
 
     @action(detail=True, methods=["post"], url_path="remove_order_product")
     def remove_order_product(self, request: Request, *args, **kwargs) -> Response:
         serializer = RemoveOrderProductSerializer(data=request.data)
         serializer.is_valid(raise_exception=True)
-        order = self.get_object()
         try:
+            order = self.get_object()
             if not (request.user.has_perm("core.delete_orderproduct") or request.user == order.user):
                 raise PermissionDenied(permission_denied_message)
 
@@ -743,8 +745,10 @@ class OrderViewSet(EvibesViewSet):
                 attributes=format_attributes(serializer.validated_data.get("attributes")),
             )
             return Response(status=status.HTTP_200_OK, data=OrderDetailSerializer(order).data)
-        except Order.DoesNotExist:
-            return Response(status=status.HTTP_404_NOT_FOUND)
+        except Order.DoesNotExist as dne:
+            return Response(status=status.HTTP_404_NOT_FOUND, data={"detail": str(dne)})
+        except ValueError as ve:
+            return Response(status=status.HTTP_400_BAD_REQUEST, data={"detail": str(ve)})
 
     @action(detail=True, methods=["post"], url_path="bulk_add_order_products")
     def bulk_add_order_products(self, request: Request, *args, **kwargs) -> Response:
@@ -760,15 +764,18 @@ class OrderViewSet(EvibesViewSet):
                 products=serializer.validated_data.get("products"),
             )
             return Response(status=status.HTTP_200_OK, data=OrderDetailSerializer(order).data)
-        except Order.DoesNotExist:
-            return Response(status=status.HTTP_404_NOT_FOUND)
+        except Order.DoesNotExist as dne:
+            return Response(status=status.HTTP_404_NOT_FOUND, data={"detail": str(dne)})
+        except ValueError as ve:
+            return Response(status=status.HTTP_400_BAD_REQUEST, data={"detail": str(ve)})
+
 
     @action(detail=True, methods=["post"], url_path="bulk_remove_order_products")
     def bulk_remove_order_products(self, request: Request, *args, **kwargs) -> Response:
         serializer = BulkRemoveOrderProductsSerializer(data=request.data)
         serializer.is_valid(raise_exception=True)
-        order = self.get_object()
         try:
+            order = self.get_object()
             if not (request.user.has_perm("core.delete_orderproduct") or request.user == order.user):
                 raise PermissionDenied(permission_denied_message)
 
@@ -776,8 +783,10 @@ class OrderViewSet(EvibesViewSet):
                 products=serializer.validated_data.get("products"),
             )
             return Response(status=status.HTTP_200_OK, data=OrderDetailSerializer(order).data)
-        except Order.DoesNotExist:
-            return Response(status=status.HTTP_404_NOT_FOUND)
+        except Order.DoesNotExist as dne:
+            return Response(status=status.HTTP_404_NOT_FOUND, data={"detail": str(dne)})
+        except ValueError as ve:
+            return Response(status=status.HTTP_400_BAD_REQUEST, data={"detail": str(ve)})
 
 
 # noinspection PyUnusedLocal