updateParticipation currency and requested token variable mismatch causes accounting issues

The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0, this can cause potential loss for the new depositors

User can earn rewards by frontrunning the new rewards accumulation in Ron staking without actually delegating his tokens

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

Some tokens can not be used as token/USD pair does not exist on chainlink for them

USDC blacklisting blocks bidding

coupon shares are accounted for failed auctions leads to inconsistent coupon distributions

generateOrderId generates duplicate ids leading to fund loss

OracleLess fillOrder reentrancy can delete victim's pending orders

Market funds accounting error in buyVotes

lz_receive can be called with any user account to steal from users

token accounts are not verified against token_hash

Borrowers might not be able to repay loan due to USDC blacklisting

Claim's protocol fee can be stolen due to missing limit on referral fee and no constraint on referrer address

`cancelRaffle` function lacks validation

`cancelRaffle` function can be used to grief protocol

Link token can be used as prize to prevent users from getting their prize

Number of entities in generation can surpass the 10k number

Users' ability to nuke will be DoSed for three days after putting NFTs up for sale and cancelling the sale

Incorrect check against golden entropy value in the first two batches

Malicious User can call `lockOnBehalf` repeatedly extend a users `unlockTime`, removing their ability to withdraw previously locked tokens

Invalid validation allows users to unlock early

in `farmPlots()` an underflow in edge case leading to freeze of funds (NFT)

Invalid validation in _farmPlots function allowing a malicious user repeated farming without locked funds

Malicious User can call `lockOnBehalf` repeatedly extend a users `unlockTime`, removing their ability to withdraw previously locked tokens

Invalid validation allows users to unlock early

in `farmPlots()` an underflow in edge case leading to freeze of funds (NFT)

Invalid validation in _farmPlots function allowing a malicious user repeated farming without locked funds

Incorrect withdraw queue balance in TVL calculation

Withdrawals logic allows MEV exploits of TVL changes and zero-slippage zero-fee swaps

Incorrect calculation of queued withdrawals can deflate TVL and increase ezETH mint rate

Deposits will always revert if the amount being deposited is less than the bufferToFill value

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

Balancer flashloan contract can be DOSed completely by sending 1 wei to it

`depositQueue.queue` in `AccountingManager` can be flooded causing a DoS

Mint referrer gets collection referrer's share

Referrers can DoS minting

refunding excess ETH does not work properly

DoS adding liquidity

_cancelAllBids does not check if bid is the highest

Owner of a position can prevent liquidation due to the 'onERC721Received' callback

Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

Can mint NFT with the desired attributes by reverting transaction

depositETHIntoMultipleRounds lets users deposit 0 ether leading to losses by participation