Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom

Debt token is transferred to zero address instead of lender when borrower repay full amount

Lender can reject receiving repayment through token hook, making the loan defaulted

Loan can have a very long duration because rollable is True by default

Function `rebalance()` is vulnerable to sandwich attack

Hijacking of node operators minipool causes loss of staked funds

AVAX Assigned High Water is updated incorrectly

MinipoolManager: recordStakingError function does not decrease minipoolCount leading to too high GGP rewards for staker

slashing fails when node operator doesn't have enough staked `GGP`

Cancellation of minipool may skip MinipoolCancelMoratoriumSeconds checking if it was cancelled before

State Transition: Minipools can be created using other operator's AVAX deposit via recreateMinipool

Inflation rate can be reduce by half at most if it get called every 1.99 interval.

NodeOp funds may be trapped by a invalid state transition

Protocol safeguards for time durations are skewed by a factor of 7. Protocol may potentially lock NFT for period of 7 years.

Wrong time delay in `isoUSDToken`

Attacker can reduce Vault interest by half because of wrong current block time update in `_updateVirtualPrice()`

Assets may be lost when calling unprotected `AutoPxGlp::compound` function

Attacker may DOS auctions using invalid bid parameters

Incompatibility with fee-on-transfer/inflationary/deflationary/rebasing tokens, on both base tokens and quote tokens, with varying impacts

Owner can transfer all ERC20 reward token out using function recoverERC20

Very critical `Owner` privileges can cause complete destruction of the project in a possible privateKey exploit

sfrxETH: The volatile result of previewMint() may prevent mintWithSignature from working

possible DoS on vestingRecipients due to lack of disposal mechanism

Supply cap of VariableSupplyERC20Token is not properly enforced

Can Recover Gobblers Burnt In Legendary Mint

Wrong balanceOf user after minting legendary gobbler

Users who deposit in one vault can lose all deposits and receive nothing when counterparty vault has no deposits

Founders can receive less tokens that expected

Truncation in casting can lead to a founder receiving all the base tokens

ERROR IN UPDATING **_checkpoint** IN THE **increaseUnlockTime** FUNCTION

Possible to bypass saleConfig.limitPerAccount

Calling `unstake()` can cause locked funds