When a transaction is created, the parameter confirmedRequired is calculated taking into account the currentSpend of the day for the token involved in the transfer. When a transaction’s token amount surpasses the majorThreshold value, the transaction will require the number of confirmations stipulated in the variable requiredMajor.
As this information is stored upon the creation of a transaction, the day limit really applies to the number of tokens authorized for extraction instead of the actual number of tokens that can be extracted on a given day. Put in other words, authorization and execution of transactions do not necessarily need to occur on the same day.
To illustrate, consider a transaction whose value is just below majorThreshold. Similar transactions are created and authorized during the next 10 consecutive days (nudged with small enough changes for the transactions to be considered different). On the eleventh day all the transactions are executed, resulting in an extraction of value that is approximately ten times the value of majorThreshold. Nevertheless, such a reduction of the wallet’s balance is considered a minor set of operations.
Unless this behavior is intended, consider addressing it. Some alternatives may be:
- Invalidate transactions that were not created on the current day.
- As it was recommended to check confirmations during the time of execution instead of the time of creation earlier in this document, consider also checking for day limits at the time of execution instead of the time of creation.
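The ten-day scenario described above, modelled with the classification done at creation and then at execution. This is an added example, not the audited contract's code: the threshold values, the `REQUIRED_MINOR` name, the rule "day's spend plus amount above `majorThreshold` means major", and the booking of spend on the creation day are assumptions.

```python
DAY = 86_400
MAJOR_THRESHOLD = 100   # constructed value for majorThreshold
REQUIRED_MINOR = 1      # hypothetical name and value (minor transfers)
REQUIRED_MAJOR = 3      # constructed value for requiredMajor


class WalletModel:
    """Single-token model of the wallet's day-limit accounting."""

    def __init__(self, check_at_execution):
        self.check_at_execution = check_at_execution
        self.current_spend = {}   # day index -> currentSpend
        self.pending = []

    def _required(self, day, amount):
        # Assumed rule: major once the day's spend plus this amount passes the threshold.
        total = self.current_spend.get(day, 0) + amount
        return REQUIRED_MAJOR if total > MAJOR_THRESHOLD else REQUIRED_MINOR

    def create(self, now, amount, confirmations):
        day = now // DAY
        required = self._required(day, amount)   # stored as confirmedRequired
        if not self.check_at_execution:
            # Reported behaviour: spend is booked against the creation day.
            self.current_spend[day] = self.current_spend.get(day, 0) + amount
        self.pending.append({"amount": amount, "confirmations": confirmations,
                             "confirmedRequired": required})

    def execute_all(self, now):
        day, paid, still_pending = now // DAY, 0, []
        for tx in self.pending:
            required = tx["confirmedRequired"]
            if self.check_at_execution:
                # Mitigation: classify against the execution day's spend.
                required = self._required(day, tx["amount"])
            if tx["confirmations"] < required:
                still_pending.append(tx)
                continue
            if self.check_at_execution:
                self.current_spend[day] = self.current_spend.get(day, 0) + tx["amount"]
            paid += tx["amount"]
        self.pending = still_pending
        return paid


def simulate(check_at_execution):
    wallet = WalletModel(check_at_execution)
    for d in range(10):   # one sub-threshold transfer per day, amounts nudged
        wallet.create(d * DAY, 99 - d, confirmations=1)
    return wallet.execute_all(10 * DAY)   # everything executed on day eleven
```

With the creation-time check all ten transfers leave the wallet on the same day with minor confirmations; with the execution-time check only the first one does, and the rest wait for `requiredMajor` confirmations.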
I'm not sure if this is a vulnerability we should worry about. The way I understand it, we don't really need to fix it since the person would be able to do transactions like this daily anyway.