1. Arena Contract Bug: `claim()` Payouts Lack Survivor Registration Check, Risking Unearned Prize Drain
A critical security flaw in the arena smart contract allows the prize pool to be paid out to any address designated as a winner, even if that address never registered as a participant. The `claim()` function fails to verify that the winner is also a registered `Survivor`, creating a direct path for unearned funds to be...