Contest Findings #

202303 #

[🟧] The late deposit in Carousel contract can be used to avoid deposit fee 🔗
[🟧] Deposits that have already been mint in the rolloverQueue can still be delisted, resulting in the deposits of other users not being mint 🔗
[🟨] All tiles in Tray are predictable 🔗
[🟨] The Bio contract may be used for XSS attack 🔗
[🟧] [✨] Underflow of lpPosition.points during withdrawLP causes huge reward minting 🔗
[🟧] Later stakers may reduce the reward that early stakers have got 🔗
[🟧] registerTrustedNode should be controlled by Governance identity instead of owner 🔗
[🟨] addBlackList function can be frontrunned to transfer assets in advance 🔗