There is no refund mechanism in `ChakraSettlement.processCrossChainCallback` or `ChakraSettlementHandler.receive_cross_chain_callback` function

Exposed `_removeCredIdPerAddress` & `_addCredIdPerAddress` allows anyone to cause issues to current holders as well as upcoming ones

WhenNotPaused modifier in the CDPVault can be bypassed by users

All tokens can be stolen from `VirtualAccount` due to missing access modifier

Using tokens with a transfer fee may result in the loss of funds of recent users

Admin can't burn tokens from blocklisted addresses because of a check in _beforeTokenTransfer

TWO DIFFERENT TRANSACTIONS CAN RESULT IN THE SAME `txnHash` VALUE THUS BREAKING THE APPROVAL PROCESS OF TRANSACTION MINTING

The RdpxV2Core contract allows anyone to call redeem tokens even if the contract is paused.

Can not withdraw RDPX if WETH withdrawn is zero

A malicious early depositor can manipulate the `LP-Token` price per share to take an unfair share of future user deposits

Attacker can frontrun deployVault to deploy at the same address

`drawManager` CAN BE SET TO A MALICIOUS ADDRESS

boreWell can be frontrun/DoS-d

`stakerewardV2pool.withdraw()` should check the user's boost lock status.