Attacker can steal funds by depositing dummy tokens in Solana vault

Attacker can steal user funds by calling solana_vault::lz_receive with their token accounts

Swap function does not check `woopool_quote` is indeed a quote pool

Attacker can prevent WooFi admin from adding additional base tokens

State changes are overwritten during anchor serialization when two accounts are the same

Missing validations on CCIP parameters in the `WinnablesTicketManager.cancelRaffle` and `propagateRaffleWinner` allows attackers to cause loss of funds

Attacker can cancel raffles before they can be created leading to DoS

Missing updates to `_lockedETH` state variable in the `WinnablesTicketManager.refundPlayer` function lead to loss of funds

Admin can overwrite owner of the winning ticket using integer overflow

WinnablesPrizeManager.setCCIPCounterpart function allows admins to send their own winner messages to the prize manager

The `WinnablesTicket.ownerOf` function might always revert with Out-of-Gas for certain tickets leading to loss of funds

Liquidation fee is charged on the total seized amount instead of the liquidator profit

SuperPool is not ERC4626 compliant

First deposit after rebalancing might receive shares worth of less value