Improper Transfer Restrictions on Non-Bridged Tokens Due to Boolean Bridged Token Tracking, Allowing a DoS Attack Vector

Attacker can front-run claim transactions and steal KYC-ed users' reward

Users that claim before the distribution end block will lose the rest of their rewards

`FjordAuction` incorrect `block.timestamp` check allows users to bid after calling `auctionEnd` to claim more tokens than they should

[H-01] Auction tokens will be lost forever when auction ends without bids

`mintToken()`, `mintWithBudget()`, and `forge()` in the `TraitForgeNft` Contract Will Fail Due to a Wrong Modifier Used in `EntropyGenerator.initializeAlphaIndices()`

The maximum number of generations is infinite

Wrong minting logic based on total token count across generations

A dev will lose rewards if after claiming his rewards he mints an NFT

Forger Entities can forge more times than intended

Pause and unpause functions are inaccessible

Lack of ability to make an some external function calls makes the DAO stage unreachable.

Incorrect check against golden entropy value in the first two batches

Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine

User can get their Kerosene stuck because of an invalid check on withdraw

Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults

No incentive to liquidate small positions could result in protocol going underwater

Incorrect deployment / missing contract will break functionality

Any fee claim lesser than the total `yieldFeeBalance` as unit of shares is lost and locked in the `PrizeVault` contract

Holders array can be manipulated by transferring or burning with amount 0, stealing rewards or bricking certain functions

A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters

Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

Fighter created by mintFromMergingPool can have arbitrary weight and element

User can evade `liquidation` by depositing the minimum of tokens and gain time to not be liquidated

Rewards can be drained because of lack of access control

Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds

Missing deadline check allow pending transactions to be maliciously executed

Incorrect amounts of ETH are transferred to the DAO treasury in `ERC20TokenEmitter::buyToken()`, causing a value leak in every transaction

Multiple mints can brick any form of `salesOption` 3 mintings

Adversary can block `claimAuction()` due to push-strategy to transfer assets to multiple bidders

`ODSafeManager#allowSAFE()` cannot be executed either by the proxy contract or any other address.

Unhandled chainlink revert in case its multisigs block access to price feeds

During refinance() new Pool balance debt is subtracted twice

[H-04] Lender#buyLoan - Malicious user could take over a loan for free without having a pool because of wrong access control

Using forged/fake lending pools to steal any loan opening for auction

Zero address leads to transaction reverts

Buying a loan always reverts at the start of an auction

Multiple accesses of a mapping/array should use a local variable cache.

Liquidation Is Prevented Due To Strict Implementation of Liqudation Bonus

Zero address check for tokens