| Whale manipulator | Influence filter outcome via late-stage HP gaming or coordinated buys at the cut | HP component math limits velocity dominance; concentration component penalizes buys-from-few-addresses; multi-component scoring resists single-vector attacks |
| Settlement front-runner | Insert transactions between filter and settlement to extract value (MEV-style sandwich on POL deployment) | Settlement is atomic and oracle-only; POL deployment runs inside the same transaction as submitWinner; deterministic execution paths leave no value to extract |
| Reentrancy attacker | Re-enter state-mutating functions during external calls (e.g., transfer hooks calling back into the pipeline) | ReentrancyGuard on every state-mutating function in SeasonVault, TournamentVault, BonusDistributor, POLManager, CreatorRegistry; fuzzed against malicious receivers |
| Merkle proof gamer | Claim rollover or bonus they didn’t earn, or claim more than once | Merkle root is immutable post-publish; proof verification at claim time; per-claim nullifier prevents replay |
| Oracle impersonator | Submit settlement as a non-oracle address | msg.sender checked against immutable oracle address at function entry; no upgrade mechanism replaces the oracle without explicit governance action |
| Storage corrupter | Set contract state to malicious values via misuse of admin functions (e.g., zero-address oracle, out-of-range BPS) | Input validation on every admin setter; zero-address rejection; out-of-range values reject; one-shot setters for critical wires (factory ↔ hook ↔ launcher) |
| Dust exploiter | Extract value via rounding errors in division | Explicit dust accounting: rounding routes to treasury; never disappears; never accumulates in an unaccounted contract balance |
