Users collection tokens are stuck in `CollectionShutdown` contract if the shutdown is cancelled after they place their vote

`_listing` mapping not deleted when calling `Listings::reserve` can lead to a token being sold when it shouldn't be for sale

Mismatch of index and array lengths in `ProtectedListings` checkpoint when actions happen at the same timestamp causes an out of bounds array access revert

`CollectionShutdown::execute` does not check all tokens are being pulled from the locker when sunsetting a collection, meaning tokens can end up permanently stuck in the locker contract

Reentrancy Vulnerability Allows Bypass of Cooldown, Leading to Unfair Reward Extraction Through Flash Loan

Signature replay in `signatureClaim` results in unauthorized claiming of rewards

Exposed `_removeCredIdPerAddress` & `_addCredIdPerAddress` allows anyone to cause issues to current holders as well as upcoming ones

Signature replay in `createArt` allows to impersonate artist and steal royalties

Refunds sent to incorrect addresses in certain cases

Lack of data validation when users are claiming their art allows malicious user to bypass signature/merkle hash to provide unapproved `ref_`, `artId_` and `imageURI`

`mintToken()`, `mintWithBudget()`, and `forge()` in the `TraitForgeNft` Contract Will Fail Due to a Wrong Modifier Used in `EntropyGenerator.initializeAlphaIndices()`

Failure to Update Dirty Flag in transferToUnoccupiedPlot Prevents Reward Accumulation On Valid Plot

Malicious user can permanently extend a users LP lock in gauge by calling `OptionTokenV4::exerciseLp` and setting the user as `_recipient`

Malicious User can spam `VotingEscrow::create_lock_for` to DoS a user from creating their own position or delegating their votes

Any fee claim lesser than the total `yieldFeeBalance` as unit of shares is lost and locked in the `PrizeVault` contract

Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win

Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered(steal protocol's token)

Minter / Staker / Spender roles can never be revoked`..,

Can mint NFT with the desired attributes by reverting transaction

DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed.

Fighter created by mintFromMergingPool can have arbitrary weight and element

Unauthorized Access to setCurves Function

Single token purchase restriction on curve creation enables sniping

Selling will be bricked if all other tokens are withdrawn to ERC20 token

onBalanceChange causes previously unclaimed rewards to be cleared

Bidder can use donations to get VerbsToken from auction that already ended.

DOS of market operations with malicious offers

Fee inclusivity calculations are inaccurate in RubiconMarket

Calling `ExpiringMarket.stop` and `ExpiringMarket.isClosed` functions cannot pause any functionlities of the market