LayerZeroEndpoint.send() in L1Sender.sol may revert if the user does not provide enough native gas as specified

Unauthorized Access to setCurves Function

Curves::_buyCurvesToken(), Excess of Eth received is not refunded back to the user.

Rewards can be drained because of lack of access control

Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds

Missing deadline check allow pending transactions to be maliciously executed

Chainlinks oracle feeds are not immutable

Lack of events for critical actions

Missing check in `Cooler.provideNewTermsForRoll` which allows lender to modify loan terms

If a winner is blacklisted on any of the tokens they can't receive their funds

Signature missing nonce & expiration deadline

Missing `deadline` param in `swapExactAmountOut()` allowing outdated slippage and allow pending transaction to be executed unexpectedly.

Return value of low level `call` not checked.

[H-01] Lack of emergency withdraw function when no arbiter is set

Rounding error in `WUSDA` can result in loss of user funds, especially when manipulated by an attacker

Reentrancy issue with the 'withdraw' method of USDC. All tokens could be drained.

Missing access control on `mintRebalancer()` and `burnRebalancer()`

Incorrect decimals used in the `getPriceUSD` function which uses Chainlink oracle to fetch real time price.

Chainlink's `latestRoundData` could return stale or incorrect result (and no implemention of try-catch block)

Usage of `transfer()` in place of `safeTransfer()` for ERC20 tokens.