
SAC-Bypass in withdraw_refund Security Risk #196

@hman38705

Description

The withdraw_refund implementation in bets.rs (Line 181) uses client.transfer directly, whereas the implementation in cancellation.rs (Line 85) uses sac::safe_transfer. This inconsistency means that some refund paths skip the standard security checks (like pausing) implemented in the SAC module, creating a security bypass.

Requirements and context

  • Always use sac::safe_transfer for any outbound token movement.
  • Ensure the circuit breaker and high-risk guards are respected globally.

Suggested execution

  • Fork the repo and create a branch: git checkout -b fix/issue-93-sac-consistency
  • Update all transfer calls.

Implementation changes

  • Modify bets.rs (Line 181) to use sac::safe_transfer instead of raw token client.

Test and commit

  • Verify that a refund attempt fails when the contract is in a Paused state.

Example commit message
fix: ensure all refund paths use SAC-safe transfer and respect circuit breakers

Guidelines

  • Security consistency.
  • Timeframe: 12 hours.
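As an added illustration (not the project's own code, and written in plain Rust without soroban_sdk), the following models the two refund paths the issue contrasts: a raw token-client transfer that skips the guards, and one routed through a sac::safe_transfer stand-in that enforces the Paused circuit breaker and a high-risk limit. TokenClient, ContractState, the guard names and the balances are constructed assumptions.

```rust
// Added example, plain Rust without soroban_sdk: TokenClient, ContractState, the
// guards and the balances are constructed stand-ins, not the project's code.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum TransferError { Paused, HighRisk, Insufficient }

/// Stand-in for the raw token client: it knows nothing about the pause state.
pub struct TokenClient { pub balances: HashMap<&'static str, i128> }

impl TokenClient {
    pub fn transfer(&mut self, from: &'static str, to: &'static str, amount: i128) -> Result<(), TransferError> {
        if self.balances.get(from).copied().unwrap_or(0) < amount {
            return Err(TransferError::Insufficient);
        }
        *self.balances.entry(from).or_insert(0) -= amount;
        *self.balances.entry(to).or_insert(0) += amount;
        Ok(())
    }
}

/// Stand-in for the contract state the SAC guards consult.
pub struct ContractState { pub paused: bool, pub high_risk_limit: i128 }

/// Models sac::safe_transfer: circuit breaker and high-risk guard run before the raw transfer.
pub mod sac {
    use super::*;
    pub fn safe_transfer(state: &ContractState, client: &mut TokenClient, from: &'static str, to: &'static str, amount: i128) -> Result<(), TransferError> {
        if state.paused { return Err(TransferError::Paused); }
        if amount > state.high_risk_limit { return Err(TransferError::HighRisk); }
        client.transfer(from, to, amount)
    }
}

/// The bets.rs refund path as the issue describes it: raw transfer, guards skipped.
pub fn withdraw_refund_unsafe(_state: &ContractState, client: &mut TokenClient, bettor: &'static str, amount: i128) -> Result<(), TransferError> {
    client.transfer("contract", bettor, amount)
}

/// The fixed path: routed through sac::safe_transfer, as cancellation.rs already does.
pub fn withdraw_refund_safe(state: &ContractState, client: &mut TokenClient, bettor: &'static str, amount: i128) -> Result<(), TransferError> {
    sac::safe_transfer(state, client, "contract", bettor, amount)
}

/// The check requested under "Test and commit": a refund while Paused must fail.
pub fn refund_blocked_while_paused(refund: fn(&ContractState, &mut TokenClient, &'static str, i128) -> Result<(), TransferError>) -> bool {
    let state = ContractState { paused: true, high_risk_limit: 1_000 };
    let mut client = TokenClient { balances: HashMap::from([("contract", 500)]) };
    refund(&state, &mut client, "alice", 100) == Err(TransferError::Paused)
}
```

Running refund_blocked_while_paused against both paths shows the raw path still moves funds while the contract is Paused, which is the regression the fix's test should catch.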

Metadata

Labels: Stellar Wave (Issues in the Stellar wave program)