Heart will stop if all rewards are swept

Inconsistant parameter requirements between `constructor()` and `Set() functions` in `RANGE.sol` and `Operator.sol`.

[NAZ-M1] Chainlink's `latestRoundData` Might Return Stale Results

Heart::beat() could be called several times in one block if no one called it for a some time

Possible to bypass saleConfig.limitPerAccount

VaultTracker has the wrong admin

Malicious Token Contracts May Lead To Locking Orders

Lack of sanity check on _initialTokenSupply and _initialTokenPrice can lead to a seller losing his NFT

Allowance check always true in ERC5095 redeem

Illuminate PT redeeming allows for burning from other accounts

Users are able to front-run bad debt settlements to avoid insurance costs

LockeERC20 is vulnerable to frontrun attack

Unlock: free UDT arbitrage opportunity

debtWriteOff updates totalFrozen immaturely, thereby losing staker rewards

UserManager: totalStaked ≥ totalFrozen should be checked before and after totalFrozen is updated

Wrong implementation of `CreditLimitByMedian.sol#getLockedAmount()` will lock a much bigger total amount of staked tokens than expected

Swivel: Taker is charged fees twice in exitVaultFillingVaultInitiate

Swivel: implementation for initiateZcTokenFillingZcTokenExit is incorrect

Previously created markets can be overwritten

Reentrancy in settleAuction(): malicious publisher can bypass index timelock mechanism, inject malicious index, and rug the basket

licenseFee can be greater than BASE

Fee calculation is potentially incorrect

Use safeTransfer instead of transfer

Fee on transfer tokens can lead to incorrect approval

Unsafe approve would halt the auction and burn the bond

Vault treats all tokens exactly the same that creates (huge) arbitrage opportunities.