All oracles lack staleness checks

`TaxTokensReceipt` used as collateral always leads to loss of funds due to custom `transferFrom()` limitations

Custom `transferFrom()` in `TaxTokensReceipt` makes it impossible to use limit orders for FoT tokens' NFRs

`updateFunds()` function in `DebitaIncentives` contract skips potentially valid token pairs

`addFunds()` can be called on an inactive lend order leading to deleted lend offer still being usable for matching

When extending a loan `missingBorrowFee` will always be larger than it should be due to incorrect implementation

Short loans with <5 day duration cannot be extended due to incorrect logic

Incentives can be stolen by using flash loans to borrow huge amounts dominating the rewards pool

Transferring FoT tokens is not supported in `Auction` leading to loss of funds for lenders due to insufficient funds for `claimCollateralAsLender()` call

Calling `changePerpetual()` can result in `deleteOrder()` being called, but failling to disactivate the order.

Insufficient `addToPosition` access control allows anyone to call it

`harvestPositionTo()` function does not enforce the lsNFT's owner to be a contract as expected

Lack of support for weird ERC20s in the MasterChef contract

Incorrect `_teamEmissions` calculation in Minter

Vultisig whitelisting can be bypassed by anyone

Availability of deposit invariant can be bypassed

Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults

Incorrect deployment / missing contract will break functionality

Unauthorized Access to setCurves Function

Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds

Incorrect calculation of amount of EURO to burn during liquidation