Missing access control on UTB:receiveFromBridge allows UTB swaps to be executed without spending bridge fees while bypassing fee/swap instruction signature verification

Founders can receive less tokens that expected

Truncation in casting can lead to a founder receiving all the base tokens

Someone can create non-liquidatable auction if the collateral asset fails on transferring to address(0)

`fee` can change without the consent of users

Overpayment of native ETH is not refunded to buyer

`_transferNFTs()` succeeds even if no transfer is performed

InfinityExchange computes gas refunds in a way where the first order's buyer pays less than the later ones

Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`

`createVault()` does not confirm whether `tokenType` and `token`’s type are the same

Use safeTransferFrom instead of transferFrom for ERC721 transfers

Owner can set the feeRate to be greater than 100% and cause all future calls to `exercise` to revert

The return value `success` of the get function of the INFTOracle interface is not checked

_revokeRole doesn't remove account from roleMember set

`call()` should be used instead of `transfer()` on an `address payable`