Users can create agents without being Whitelisted

Users can claim more that their actual allotment

Incorrect referral fee calculations

Incorrect listing type validation bypasses enforcement of minimum purchase amount

Rounding error in stepDuration calculations.

A user will Drain The StopLimit contract Funds by modifying an order `amountIn`

A user will drain both StopLimit and Bracket contracts funds due to non-uniqueness of `orderId`

Attacker will Lock users funds by creating unlimited dust orders

It is possible to earn rewards in `MlumStaking` staking contract without locking tokens for a period of time

DoSing the rewarding system by flooding the `onRegister()` function with fake rewarders

A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

Any User can mint any amount of WStETH in the WStETHMock.sol and StETHMock.sol

Use custom gas in `sendMintMessage` instead of default gas

Create Pool in Mock Distribution is missing validations; allowing duplicates, wrong decreaseInterval value and payoutStart value

Do not hardcode `_zroPaymentAddress` field to `address(0)`

LayerZeroEndpoint.send() in L1Sender.sol may revert if the user does not provide enough native gas as specified

Adversary can block `claimAuction()` due to push-strategy to transfer assets to multiple bidders

Bidder Funds Can Become Unrecoverable Due to 1 second Overlap in `participateToAuction()` and `claimAuction()`

Users Lose Funds and Market Functionality Breaks When Market Reachs 65k Id

New orders can overwrite active orders when order id reaches 65000

If a winner is blacklisted on any of the tokens they can't receive their funds

Lack of checking the existence of the Proxy contract

Using basis points for percentage is not precise enough for realistic use-cases

Check price != 0 before interacting with IERC20

Use assembly to check for `address(0)`

The `nonReentrant` `modifier` should occur before all other modifiers

NatSpec `@param` is missing

NatSpec `@return` argument is missing

Constants in comparisons should appear on the left side

Use nested `if` statements instead of logical AND (`&&`)

Non-strict inequalities (>=) are cheaper than strict ones (>).

Events may be emitted out of order due to reentrancy

Imports could be organized more systematically

Constants should be defined rather than using magic numbers

Use safeTransfer() instead of transfer().

NFT can be locked when calling _mint to a contract that does not support ERC721 protocol

Low level calls to accounts with no code will succeed in `FeeWrapper`