A malicious user can participate in a round with zero value and steal the winner position from the prior participant

Whitelised accounts can be forcefully DoSed from buying curveTokens during the presale

onBalanceChange causes previously unclaimed rewards to be cleared

User can claim all of vested amount between initialReleasePeriod and cliff

Incorrect amounts of ETH are transferred to the DAO treasury in `ERC20TokenEmitter::buyToken()`, causing a value leak in every transaction

Once EntropyRateBps is set too high, can lead to denial-of-service (DoS) due to an invalid ETH amount

Users will lose rewards when buying new tokens if they already own some tokens

Auction payout goes to AuctionDemo contract owner, not the token owner

Borrower can drain all funds of a sanctioned lender