Anyone can prevent the winner of the raffle from claiming their prize.

Due to improper access control and an incorrect validation check, anyone can cancel a raffle with the status `PRIZE_LOCKED`

Inability to Revoke User Permissions in Roles Contract

`mintToken()`, `mintWithBudget()`, and `forge()` in the `TraitForgeNft` Contract Will Fail Due to a Wrong Modifier Used in `EntropyGenerator.initializeAlphaIndices()`

Griefing attack on seller's airdrop benefits

Pause and unpause functions are inaccessible

[H-01] Miscalculation in `_farmPlots` function could lead to a user unable to unstake all NFTs

Due to the use of `msg.value` in for loop, anyone can drain all the funds from the `THORChain_Router` contract

[M-02] Incorrect call argument in `THORChain_Router::_transferOutAndCallV5`, leading to grief/steal of `THORChain_Aggregator`'s funds or DoS

When `LockManager.lockOnBehalf` is called from `MigrationManager`, the user's `reminder` will be set to 0, resulting in fewer received `MunchableNFTs`

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

`NoyaValueOracle.getValue` returns an incorrect price when a multi-token route is used

The total deposit amount limit in `AccountingManager.sol` can be bypassed

AccountingManager has no correct implementations of the core ERC-4626 functions `deposit`, `mint`, `withdraw` and `redeem`

`Keepers` does not implement EIP712 correctly on multiple occasions

First depositor can make subsequent depositor lose all of her or his deposit

Dust donation might DOS all connectors to create new holding positions, by preventing removing existing holding positions

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

Minter / Staker / Spender roles can never be revoked`..,

Unauthorized Access to setCurves Function

Curves::_buyCurvesToken(), Excess of Eth received is not refunded back to the user.

Rewards can be drained because of lack of access control

Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds

Missing deadline check allow pending transactions to be maliciously executed

Fees are hardcoded to 3000 in ExactInputSingleParams

`costInEuros` calculation will incur precision loss due to division before multiplication

Anyone with TST tokens can monitor the mempool and frontrun mint/burn functions to get EUROs rewards without even staking.

Attacker can reenter to mint all the collection supply

The RandomizerVRF and RandomizerRNG not produce hash value.

Lack of essential stale check in oracleCircuitBreaker()

Precision loss/Rounding to Zero in `_distribute()`

Sandwich attack to steal all ERC-20 tokens in the Fees contract

[H-04] Lender#buyLoan - Malicious user could take over a loan for free without having a pool because of wrong access control

Using forged/fake lending pools to steal any loan opening for auction

Stealing any loan opening for auction through others' lending pool

Attacker can steal a loan's collateral and break the protocol

Fee on transfer tokens will cause users to lose funds

`Lender` does not handle correctly rebasing, inflationary, deflationary tokens and tokens with fee on transfer

No expiration deadline leads to losing a lot of funds

Multiple accesses of a mapping/array should use a local variable cache.

CEI pattern not followed in multiple functions in Staking.sol

Incorrect hardcoded addresses in the oracles constructors

Chainlink's latestRoundData return stale or incorrect result

Use safeMint instead of mint in the FootiumClub contract

Code does not handle ERC20 tokens with special transfer implementation