Btcstaking module allows `stakingTx` to be coinbase transaction which is unslashable for 100 blocks

Stakers lose their commission if they unstake as they cannot claim their pending rewards anymore after unstaking

If `withdrawalLockBlocks < proofWindow`, stakers can act maliciously without risking loss of their stake

A single malicious challenger can DoS the L1 rollup permanently because `Rollup.sol::_defenderWin` does not burn a portion of the `challengeDeposit`

Attacker can fill merkle tree in `L2ToL1MessagePasser`, blocking any future withdrawals

LPP metadata can be altered after the challenge period is over, allowing incorrect states to be proven

Panic in MIPS VM Could Lead to Unchallengeable L2 Output Root Claim

Invalid validation allows users to unlock early

Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine

Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply

Incorrect deployment / missing contract will break functionality

Claiming rewards while the deduction rate is != 0, allows for repeated withdrawal of redistributed rewards