`ChakraSettlement.receive_cross_chain_msg` and `ChakraSettlement.receive_cross_chain_callback` functions do not ensure that receiving `ChakraSettlement` contract's `contract_chain_name` must match `to_chain` corresponding to respective `txid` input though

In Starknet already processed messages can be re-submitted and by anyone

handler's `receive_cross_chain_callback()` will always set the tx_status to `SETTLED` on source chain & burn the tokens (MintBurn Mode) even when the msg fails on destination

Does not check if to_chain and to_handler is whitelisted in cross_chain_erc20_settlement

When malicious behavior occurs and DSS requests slashing against vault during 2 day period after `SLASHING_WINDOW` of 7 days is passed after staker initiates a withdrawal, token amount to be slashed is calculated to be higher than what it should be

User may lose funds when creating Nexus account or executing user operations

ThorChain will be informed wrongly about the unsuccessful ETH transfers due to the incorrect events emissions

Due to the use of `msg.value` in for loop, anyone can drain all the funds from the `THORChain_Router` contract

[M-02] Incorrect call argument in `THORChain_Router::_transferOutAndCallV5`, leading to grief/steal of `THORChain_Aggregator`'s funds or DoS

Deposits will always revert if the amount being deposited is less than the bufferToFill value

Lack of slippage and deadline during withdraw and deposit

Wormhole Consistency Levels set to zero in the publishMessage

DecentEthRouter.sol#_bridgeWithPayload() - Any refunded ETH (native token) will be refunded to the DecentBridgeAdapter, making them stuck

Lack of slippage control on LRTDepositPool.depositAsset

Single host can unfairly skip veto period for proposal that does not have full host support

Message channels can be blocked resulting in DoS

Insufficient support for Fee-on-Transfer Tokens which will result in computation inconsistencies.

`XOracle.putPrice()` Can Fall Victim to Front-running Attacks: Attackers Can Make Quick Profits, while Users Can Avoid Loss and even Turn the Potential Loss into Profits.

StableOracleWBTC uses the wrong address for the WBTC/USD oracle

`mintRebalancer()` & `burnRebalancer()` are `onlyBalancer` modifier. An Attacker can manipulate USSD's `totalSupply()`

Improper validation of the Chainlink Oracle priceFeed function can result in zero or stale prices.

ERC20 return values not checked