state-invariant-detection
Warn
Audited by Socket on Mar 5, 2026
1 alert found:
Anomaly (LOW): references/case-studies.md
The code contains intentional/instructional invariant-violation bugs: privileged functions and some operations update component state without updating corresponding aggregate state (totalSupply, totalStaked, totalRewards, kLast, totalFunds). These are serious correctness and financial-integrity issues that can be exploited to manipulate balances, rewards, AMM invariants, or apparent funds. However, there is no evidence of covert malicious actions (exfiltration, backdoor, obfuscation). The risk is primarily logical/financial (exploitable accounting bugs) rather than malware.
Confidence: 90%
Severity: 60%
Audit Metadata