Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply

Value of kerosene can be manipulated to force liquidate users

Due to missing checks on minimum gas passed through LayerZero, executions can fail on the destination chain

Potential loss of capital due to fixed fee calculations

Permanent loss of tokens if swap data gets outdated

All tokens can be stolen from `VirtualAccount` due to missing access modifier

Message channels can be blocked resulting in DoS

If RootBridgeAgent.lzReceiveNonBlocking reverts internally, the native token sent by relayer to RootBridgeAgent is left in RootBridgeAgent

Refund mechanism for failed cross-chain transactions does not work

Attacker can block LayerZero channel due to missing check of minimum gas passed

Attacker can block LayerZero channel due to variable gas cost of saving payload

TOFT `triggerSendFrom` can be used to steal all the balance

TOFT `removeCollateral` can be used to steal all the balance

TOFT `exerciseOption` can be used to steal all underlying erc20 tokens

TOFT leverageDown always fails if TOFT is a wrapper for native tokens

TOFT `exerciseOption` fails due to not passing `msg.value` properly

Airdropped tokens can be stolen by a bot