Risk of Overpayment Due to Race Condition Between repay and liquidateWithReplacement Transactions

When `sellCreditMarket()` is called to sell credit for a specific cash amount, the protocol might receive a lower swapping fee than expected.

Sandwich attack on loan fulfillment will temporarily prevent users from accessing their borrowed funds

Users may incur an unexpected fragmentation fee in the `compensate()` call

Size uses wrong source to query available liquidity on Aave, resulting in borrow and lend operations being bricked upon mainnet deployment

Multicall does not work as intended

ThorChain will be informed wrongly about the unsuccessful ETH transfers due to the incorrect events emissions

A malicious user can steal money out of the vault and other users

Due to the use of `msg.value` in for loop, anyone can drain all the funds from the `THORChain_Router` contract

Chainlink's `latestRoundData` might return stale or incorrect results

The amount of `xezETH` in circulation will not represent the amount of `ezETH` tokens 1:1

Incorrect withdraw queue balance in TVL calculation

Deposits will always revert if the amount being deposited is less than the bufferToFill value

Withdrawals and Claims are meant to be pausable, but it is not possible in practice

For each edition, only one collection referrer is stored in `FeeManager`

Collection referrers do not receive their revenue share

`Edition.mintBatch()` could fail due to forwarding `msg.value` in a loop

The signature for `TitlesGraph.acknowledgeEdge()` can be used in `TitlesGraph.unacknowledgeEdge()` and vice versa

`Edition.transferWork()` does not update the fee receiver for the work, preventing the new owner from receiving relevant fees

Incorrect encoding of bytes for EIP712 digest in `TitleGraph` causes signatures generated by common EIP712 tools to be unusable

Excess funds are not refunded during the minting

Late ITO airdrop claimers might get less $ZVE reward than they should

Reward rate in ZivoeRewards and ZivoeRewardsVesting can be dragged out and diluted

`ZivoeRewardsVesting.revokeVestingSchedule()` leaves phantom voting powers for the revoked account

Incorrect `_totalSupply` update in ZivoeRewardsVesting.revokeVestingSchedule() could prevent last users from withdrawing from the contract

OCL_ZVE.pushToLockerMulti is vulnerable to Denial-of-Service (DOS) attacks due to its strict zero allowance checks