XSS via SVG Construction contract

Attacker can gain control of counterfactual wallet

Unsafe downcasting operation truncate user's input

A finding that cannot be disclosed at the moment

Attacker may DOS auctions using invalid bid parameters

Denial of service when `baseAmount` is equal to zero

Pausing `WardenPledge` contract, which takes effect immediately, by its owner can unexpectedly block pledge creator from calling `closePledge` or `retrievePledgeRewards` function

Chainlink oracle data feed is not sufficiently validated and can return stale `price`

Multiples initializations of `JBTiered721Delegate`

Protocol can be easily rug-pulled by the owner

frxETHMinter: Non-conforming ERC20 tokens not recoverable

`timewindow` can be changed unexpectedly that blocks users from calling `deposit` function

Different Oracle issues can return outdated prices

Index out of bounds error when properties length is more than attributes length breaks minting

Proposals overwrite

After endorsing a proposal, user can transfer votes to another user for endorsing the same proposal again

`activateProposal()` need time delay

[NAZ-M1] Chainlink's `latestRoundData` Might Return Stale Results

Unsafe usage of ERC20 transfer and transferFrom

Unsafe casting from int128 can cause wrong accounting of locked amounts

Denial of service in globalPause by wrong logic

Possible to bypass saleConfig.limitPerAccount

Untyped data signing

Signature Checks could be passed when SignatureDecoder.recoverKey() returns 0

Error in allowance logic

Wrong Equals Logic

Migration: no check that user-supplied `proposalId` and `vault` match

A VAULT OWNER CAN FRONTRUN A PLUGIN CALL AND CHANGE ITS IMPLEMENTATION

Delegate call in `Vault#_execute` can alter Vault's ownership

Use of `payable.transfer()` may lock user funds

ORACLE DATA FEED CAN BE OUTDATED YET USED ANYWAYS WHICH WILL IMPACT ON PAYMENT LOGIC

Use a safe transfer helper library for ERC20 transfers

Deny of service in `AccountantDelegate.sweepInterest`

Deny of service in `CNote.doTransferOut`

Multiple initialization in `NoteInterest`

Denial of Service by wrong `BatchRequests.removeAddress` logic

Unsecure `transferFrom`

MINTER_BURNER_ROLE can burn any amount of Yieldy from an arbitrary address

Able to mint any amount of PT

Illuminate PT redeeming allows for burning from other accounts

Wrong logic around `areOperatorsImported`

`NestedFactory` does not track operators properly

Undesired behavior

`_harvest` has no slippage protection when swapping `auraBAL` for `AURA`

`lending-market/NoteInterest.sol` Wrong implementation of `getBorrowRate()`

Anyone can create Proposal Unigov Proposal-Store.sol

`PortcalFacet.repayAavePortal()` can trigger an underflow of `routerBalances`

Tokens with `decimals` larger than `18` are not supported

There are multiple ways for admins/governance to rug users

it's possible to initialize contract BkdLocker for multiple times by sending startBoost=0 and each time different values for other parameters

Unable To Get Rewards If Admin Withdraws $VE3D tokens From `VeTokenMinter` Contract

Alter velo receptions computation

Gauge set can be front run if bribe and gauge constructors aren't run atomically

RubiconRouter: Offers created through offerWithETH() can be cancelled by anyone

USDT is not supported because of approval mechanism

Strategists can't be removed

No cap on fees can result in a DOS in BathToken.withdraw()

Admin rug vectors

Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`

`RubiconMarket.feeTo` set to zero-address can DoS `buy` function

```withdrawForETH``` could be used to drain the WETH in ```RubiconRouter.sol```

Wrong DOMAIN_SEPARATOR

Centralized risks allows rogue pool behavior in BathToken.

BathBuddy locks up Ether it receives

Use `call()` instead of `transfer()` when transferring ETH in RubiconRouter

User will loose funds

The owner can mint all of the NFTs.

Chainlink pricer is using a deprecated API

User fund loss in supplyTokenTo() because of rounding

Decimal token underflow could produce loose of funds

Chainlink's latestRoundData might return stale or incorrect results

Seven ways in which the Owner and Proxy Admin can make users lose funds ("rug vectors")

[WP-H3] `saleRecipient` can rug buyers

Existing user’s locked JPEG could be overwritten by new user, causing permanent loss of JPEG funds

Dysfunctional `CToken._acceptAdmin` due to lack of function to assign `pendingAdmin`

Wrong implementation of `NoYield.sol#emergencyWithdraw()`

Usage of deprecated Chainlink functions

XSS via SVG Construction contract

Approve race condition in FETH

BURNER_ROLE can burn any amount of EthErc20 from an arbitrary address

Not compatible with Rebasing/Deflationary/Inflationary tokens

Hidden governance

Liquidations can be run on the bogus Oracle prices

Reentrancy in `depositBribeERC20` function

Wrong logic around `areOperatorsImported`

`NestedFactory` does not track operators properly

Undesired behavior

Seven ways in which the Owner and Proxy Admin can make users lose funds ("rug vectors")

[WP-H3] `saleRecipient` can rug buyers

Repeated Calls to Shelter.withdraw Can Drain All Funds in Shelter

Rogue pool in Shelter

Oracle data feed is insufficiently validated.

Usage of deprecated ChainLink API in `EIP1271Wallet`

Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom

Signature replay

Medium: Consider alternative price feed + ensure _minLockPeriod > 0 to prevent flash loan attacks

XSS via SVG Construction contract

transfer return value is ignored

Wrong implementation of `NoYield.sol#emergencyWithdraw()`

Multiple initialization of Collateral contract

Admin can break `_numberOfValidTokens`

No max for advanceIncentive