Improper Transfer Restrictions on Non-Bridged Tokens Due to Boolean Bridged Token Tracking, Allowing a DoS Attack Vector

Incorrect Token Amount Tracking in updateParticipation Function

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

Minting zero tokens when underlyingToken is not Ether in cashIn()

Inconsistent Fee Calculation Leads to pay user more then intended !

Missing Slippage Protection in Vote Selling

Inadequate Restriction on Compromised Addresses Fails to Protect User Data Integrity

Early Claimers will lose their rewards for the later valid epochs of a distribution and remaining funds will be locked in the contract forever !

Due To The `minWithdrawalAmount` check Users Who Want To Withdraw Wont Be Able To Queue Their Token Withdrawals On Some Amounts

Vultisig whitelisting can be bypassed by anyone

Malicious User can call `lockOnBehalf` repeatedly extend a users `unlockTime`, removing their ability to withdraw previously locked tokens

Invalid validation allows users to unlock early

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered(steal protocol's token)

Auction contract could be paused maliciously !

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

Test addresses and incorrect interface in code prevent integration with UniswapV3 and Camelot

Pools will fail to handle fee-on-transfer token accounting accurately

Malicious lender can scam borrower by increasing the interest way too much after loan being issued and take borrower's collateral.

The peg stability module can be compromised by forcing lowerDepeg to revert.

Malicious/Compromised organiser can reclaw all funds, stealing work from supporters

If a winner is blacklisted on any of the tokens they can't receive their funds

Owner can incorrectly pull funds from contests not yet expired

Centralization Risk for trusted organizers

Insufficient validation leads to locking up prize tokens forever

staleCheckLatestRoundData() does not check the status of the Arbitrum sequencer in Chainlink feeds.

Chainlink oracle will return the wrong price if the aggregator hits `minAnswer`

Zero address check for tokens

Pragma isn't specified correctly which can lead to nonfunction/damaged contract when deployed on Arbitrum

High - Funds can be lost if any participant is blacklisted

Constructor of `Escrow` should make sure that `buyer`, `seller`, `arbiter` are different from each other.

Contract Can Be Deployed Without Funds.

There's no functionalities for redeeming DAI for USSD in the contract.