Malicious user could intentionally deprive users of the protocol from receiving rewards by staking "dust amounts"

When the contracts are initially deployed, excess amount of rewards could be minted

Treasury Contract Deposit Function Can Be Frontrun To Deny Protocol Operations

Users can claim more that their actual allotment

Incorrect referral fee calculations

Minting zero tokens when underlyingToken is not Ether in cashIn()

Front-running of `claim(...)` can lead to stealing rewards from investors

Users can't claim multiple times when a distribution happens over multiple epochs

`PhiFactory:claim` Potentially Causing Loss of Funds If `mintFee` Changed Beforehand

Contract `PhiNFT1155` can't be paused

Attacker can DOS user from selling shares of a credId

Single plot can be occupied by multiple renters

Due to the use of `msg.value` in for loop, anyone can drain all the funds from the `THORChain_Router` contract

[M-02] Incorrect call argument in `THORChain_Router::_transferOutAndCallV5`, leading to grief/steal of `THORChain_Aggregator`'s funds or DoS