Auction cannot end.

A bad actor can force an auction to fail with `FAILED_POOL_SALE_LIMIT`

Multicall does not work as intended

Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win

A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters

Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

Player can mint more fighter NFTs during claim of rewards by leveraging reentrancy on the `claimRewards() function `

Fighters cannot be minted after the initial generation due to uninitialized `numElements` mapping

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered(steal protocol's token)

Can mint NFT with the desired attributes by reverting transaction

DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed.

Fighter created by mintFromMergingPool can have arbitrary weight and element

Leverage NFT position token can be unlocked while having a pending leverageAdjust or leverageClose order.

Incorrect accounting of marginDepositedTotal

Users could gain a lot of points by wash trading.

Offchain oracle price failure is handled incorrectly

TWAP oracle can be easily manipulated

Users can mint or burn too much tokens.

The userGaugeProfitIndex is not set correctly, allowing an attacker to receive rewards without waiting

Anyone can steal all distributed rewards

Replay attack to suddenly offboard the re-onboarded lending term

Anyone can prolong the time for the rewards to get distributed

Malicious borrower can decrease Guild holders reward

Single host can unfairly skip veto period for proposal that does not have full host support

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

Attacker can reenter to mint all the collection supply

On a Linear or Exponential Descending Sale Model, a user that mint on the last `block.timestamp` mint at an unexpected price.

Auction payout goes to AuctionDemo contract owner, not the token owner

Users can self-follow via `FollowNFT::tryMigrate()` on Lens V2

Inconsistent encoding of arrays in `MetaTxLib`

Position NFT can be spammed with insignificant positions by anyone until rewards DoS

It is impossible to slash queued withdrawals that contain a malicious strategy due to a misplacement of the ++i increment

Bidder can trick lender into accepting less collateral then agreed

Lender can "steal" the borrowers tokens if they are approved to CollateralManager

Tokens with fee on transfer wont' work