Potentially sensitive disclosure - 5

Pending withdrawals prevent safe removal of collateral assets

Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine

Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply

A staker withdraws funds during a migration and keeps their voting power and rewards while having nothing at stake

Funds locked due to missing transfer check

Holders array can be manipulated by transferring or burning with amount 0, stealing rewards or bricking certain functions

Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win

A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered(steal protocol's token)

Burner role can not be revoked

Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.

Whitelised accounts can be forcefully DoSed from buying curveTokens during the presale

Selling will be bricked if all other tokens are withdrawn to ERC20 token