Users can claim more that their actual allotment

Creator of one vesting plan can affect vesting plans created by other users.

LamboFactory can be permanently DoS-ed due to createPair call reversal

Minting zero tokens when underlyingToken is not Ether in cashIn()

Since the cost of launching a new pool is minimal, an attacker can maliciously consume VirtualTokens.

Accumulated ETH in the LamboVEthRouter will be irretrievable

Attacker can captures `VETH-WETH` depeg profits through a malicious pool, rendering rebalancer useless if VETH Price > WETH Price

MEV Bots Can Front-Run Token Claims Due to Missing Sender Validation

Subtraction in `variance()` will revert due to underflow

Potential underflow vulnerability in score range calculation of `LLMOracleCoordinator::finalizeValidation`, leading to DoS.

Request responses and validations can be mocked leading to extraction of fees and/or forcing other generators to lose their fees by making them outliers

Unrestricted validation score range for validators in `LLMOracleCoordinator::validate`.

Users can list assets with price < 1 ERC20 (ETH, WETH), leading to potential DoS vulnerability.

Inaccurate best response selection in `LLMOracleCoordinator::getBestResponse`.

Inconsistent Best Response Selection Due to Missing Tiebreak Mechanism

Excessive Authority Granted to Managers in the `ckr_btc.cairo` Contract Presents Significant Management Risks

`Tokens` Are Automatically Whitelisted Upon Creation And Binding Even When `_whiteListEnabled == false`

The Bridging Process will revert if the Collection is matched on the destination chain and not matched on the source chain

There is No `msg.value` check in `depositTokens`, causing potential token stuck

When `sellCreditMarket()` is called to sell credit for a specific cash amount, the protocol might receive a lower swapping fee than expected.

The collateral remainder cap is incorrectly calculated during liquidation

`ODSafeManager#allowSAFE()` cannot be executed either by the proxy contract or any other address.