Wrong handling of call data check indices, forcing it sometimes to revert

Gas griefing/attack via creating the proposals

[High][Flow] `reconcileSignerCount` is not updating the safe threshold correctly

[High][Flow]`createHat` allows creation of hats without intermediary, which can lead to hats getting completely overwritten in the future

[Medium][Gas/Stack Management] Recursive functions are used regularly and can increase gas usage quadratically or might face stack too deep

[Medium][Outdated State] `setThreshold` functions are not using an updated `SignerCount` and might set the threshold on safe incorrectly

[Medium][Outdated State] `_removeSigner` incorrectly updates `signerCount` and safe `threshold`

Protection buyers can buy/renew many protections for a single underlying position

There is a profitable Arbitrage path for users that incentivizes a secondary market on top of the protection pool to bypass the 2 cycle withdrawal delay

If a `lendingPool` is added to the network while in `late` state, can be defaulted instantly

When purchasing a protection, `_verifyLendingPoolIsActive` processes data based on an outdated version of `defaultStateManager`

Economical games that can be played to gain MEV

`relayMessage` may call the target functions with less gas than was anticipated by its sender

Proposer can submit a faulty proof on L1 and avoid transactions from getting finalized on-chain

It is possible to inject `roll` transactions between `clear` and `toggleRoll`

`collateralFor` does not calculate the collateral correctly.

Payment function can cause desync between `collateral` and the `amount`