Inflation of ggAVAX share price by first depositor

node operator is getting slashed for full duration even though rewards are distributed based on a 14 day cycle

MinipoolManager: recordStakingError function does not decrease minipoolCount leading to too high GGP rewards for staker

Users may not be able to redeem their shares due to underflow

State Transition: Minipools can be created using other operator's AVAX deposit via recreateMinipool

Admin does not have to wait to call `lastResortTimelockOwnerClaimNFT()`

Raffle creator can rug participants

Centralization risks: owner can freeze withdraws and use timelock to steal all funds

The recipient receives free collateral token if an ERC20 token that deducts a fee on transfer used as baseToken

Centralization risk: admin can with rug the project by removing asset and price manipulation on oracle.

NFTFloorOracle's assets will use old prices if added back after removal

Calling `updateNodeRunnerWhitelistStatus` function always reverts

Adding non EOA representative

Reentrancy bug allows lender to steal other lenders funds

Mutual consent cannot be revoked and stays valid forever

address.call{value:x}() should be used instead of payable.transfer()

Buyout cannot be rejected when paused

Missing whenNotPaused modifier

Inconsistency in view functions can lead to users believing they’re due for more BKD rewards

compromised `owner` can drain funds from`VeTokenMinter.sol`

First depositor can break minting of shares

Admin rug vectors

Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`

Use `call()` instead of `transfer()` when transferring ETH in RubiconRouter