Incentive accumulation can be sandwiched with additional shares to gain advantage over long-term depositors

Limited availability of `balance_of(...)` method

Bonds created in year cross epoch's can lead to lost payouts

Incorrect decimal usage in score calculation leads to reduced user reward earnings

All tokens can be stolen from `VirtualAccount` due to missing access modifier

Change of `fundingDuration` causes "time travel" of `PerpetualAtlanticVault.nextFundingPaymentTimestamp()`

SecurityCouncilNomineeElectionGovernor might have to wait for more than 6 months to create election again

Rewards can be drained due to incorrect handling of `userRewardPerTokenPaid` accounting

LiquidationRow.liquidateVaultsForToken(...) will always revert due to missing token transfers

Insufficient support for tokens with different decimals on different chains lead to loss of funds on cross-chain bridging

Tokens can be stolen from other users who have approved Magnetar

User can give himself approval for all assets held by `MagnetarV2` contract

`MagnetarV2#burst` double counts `msg.value` for `TOFT_WRAP` operation, making the transaction revert unless the user overpays

`UlyssesToken` asset ID accounting error

Multiple issues with decimal scaling will cause incorrect accounting of hTokens and underlying tokens

`UlyssesToken.setWeights(...)` can cause user loss of assets on vault deposits/withdrawals

Unstaking `vMAIA` tokens on the first Tuesday of the month can be offset

Claiming outstanding utility tokens from `vMaia` vault DoS on `pbHermes<>bHermes` conversion rate > 1

Maia Governance token balance dilution in `vMaia` vault is breaking the conversion rate mechanism

`RootBridgeAgent.redeemSettlement` can be front-run using `RootBridgeAgent.retrySettlement` causing redeem DoS

Claiming accumulated rewards while the contract is underfunded can lead to a loss of rewards

Position NFT can be spammed with insignificant positions by anyone until rewards DoS

Slot and block number proofs not required for verification of withdrawal (multiple withdrawals possible)

PrivatePool owner can steal all ERC20 and NFT from user via arbitrary execution

`Factory.create`: Predictability of pool address creates multiple issues.

Reward accounting is incorrect in BathBuddy contract

updateStrategyAllocBPS() can cause loss of ActivePool's collateral during an emergency exit