There is no refund mechanism in `ChakraSettlement.processCrossChainCallback` or `ChakraSettlementHandler.receive_cross_chain_callback` function

Anyone can manipulate user nonce (nonce_manager) in settlement contract

SettlementSignatureVerifier is missing check for duplicate validator signatures

Does not check if to_chain and to_handler is whitelisted in cross_chain_erc20_settlement

Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine

User can get their Kerosene stuck because of an invalid check on withdraw

Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults

No incentive to liquidate small positions could result in protocol going underwater

While creating an Auction, routing information in `lotRouting` is never stored for new `lotId`, instead is overwritten for lotId = 0.

A partially filled capacity lot winner can cause settling of lot to always REVERT if blacklisted.

If an `epoch` is settled from EigenLayer, the epoch is not been updated/increased after settlement.

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

Player can mint more fighter NFTs during claim of rewards by leveraging reentrancy on the `claimRewards() function `