Treasury Contract Deposit Function Can Be Frontrun To Deny Protocol Operations

Users can claim more that their actual allotment

Incorrect referral fee calculations

Minting zero tokens when underlyingToken is not Ether in cashIn()

Front-running of `claim(...)` can lead to stealing rewards from investors

Users can't claim multiple times when a distribution happens over multiple epochs

`PhiFactory:claim` Potentially Causing Loss of Funds If `mintFee` Changed Beforehand

Contract `PhiNFT1155` can't be paused

Attacker can DOS user from selling shares of a credId

Single plot can be occupied by multiple renters

Due to the use of `msg.value` in for loop, anyone can drain all the funds from the `THORChain_Router` contract

[M-02] Incorrect call argument in `THORChain_Router::_transferOutAndCallV5`, leading to grief/steal of `THORChain_Aggregator`'s funds or DoS