Unauthorized ERC20 Token Transfer via Public payWithERC20 Function

The user can send tokens to any address by using two bridge transfers, even when transfers are restricted.

Improper Transfer Restrictions on Non-Bridged Tokens Due to Boolean Bridged Token Tracking, Allowing a DoS Attack Vector

ZENO Token Redemption Returns Negligible USDC Amount Compared to Purchase Price

Incorrect decimal handling in `Auction::buy()` leads to massive overpayment for ZENO tokens

Reward manipulation vulnerability in StabilityPool

RToken's transfer function lead to loss of funds due to incorrect math

Treasury Balance Tracking Bypass in FeeCollector

Missing StabilityPool Integration in `mintRewards` Function

RToken.transferFrom() Does Not Scale User Balances Due to Stale Liquidity Index

There is no logic checking for RAACNFT price staleness before minting it

Concurrent Oracle Fulfillments Overwrite House IDs, which leads to Incorrect Pricing

Treasury Contract Deposit Function Can Be Frontrun To Deny Protocol Operations

Emergency revoke in RAACReleaseOrchestrator will freeze revoked RAAC tokens in orchestrator

Wrong access control in `RAACToken::setFeeCollector`, `RAACToken::setSwapTaxRate`, `RAACToken::setBurnTaxRate`

RAACToken burns less tokens than expected when feeCollector is unset

`mint` function in RToken contract doesn't return the correct expected values, leading to emission of ReserveLibrary `Deposit` event and LendingPool `Deposit` event with incorrect values.

Impossible to rescue funds from `RToken` contract

Deposits/Withdrawals can be DOS'ed if crvVault::withdraw produces any losses

Treasury's allocated funds not tracked during withdrawals leads to accounting issue where recepient can receive more than allocated funds.

ERC-20 Allowance Bypass: Spender Can Force Sender to Pay Extra Fees Beyond Approved Amount

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

Ineffective proposal threshold validation allows setting arbitrary high values

Incorrect sequence of AaveDIVAWrapper constructor parameters

Improper Handling of Paused Tokens in `TokenRewards._resetExcluded()` Function

Hardcoded Contract Addresses in the Code Base Are Not Available on Some Chains

Incorrect Period Management Will Cause Failed Allocation of Reserve Tokens to Auctions

Division Before Multiplication Causes Precision Loss in `redeemRate` Calculation

Absence of wstETH/USD Price Feed on Base Blockchain

Fee Evasion via LP Token Transfer Resets Deposit Value

“Uplift Fee” Incorrectly Falls Back to Minimum Fee Due to Integer Division

Transferring deposit NFT doesn't check if the receiver exceeds the 100 deposit limit

User's `tokenIn` may be locked indefinitely due to `timestamp` collisions in `generateOrderId()`.

Attacker Can Exponentially Increase Cumulative Rate in `Borrowing` contract

Incorrect State Update in `ABONDToken.transferFrom` Function

Lack of Access Control in `CDS.updateDownsideProtected()` Function

Logical Error in Timestamp Condition for Option Renewal `BorrowLib.getOptionFeesToPay()`

Potential Locking of Liquidation Interest Funds in `Treasury` Contract For Ever

Inconsistent Updates to `omniChainData.totalVolumeOfBorrowersAmountinWei` in `BorrowLib` cause system wide accounting issues

Inconsistent Use of `lastCumulativeRate` in `depositTokens()` and `withdraw()` Functions in `Borrowings` Contract

Incorrect Update of `lastEventTime` in `Borrowings.withDraw()` Function

Attacker Will Steal Tokens by Front-Running Legitimate Claim Transactions

User will lose rewards across multiple epochs in the same distribution due to restrictive claim check

Rounding issues will cause total distributed rewards to not match the initial deposit in a single distribution

Wrong Type Hash Used in `PredictDotLoan.hashProposal()` (Not following EIP-712) Will Prevent Valid Proposal Execution for Users

`_requireAndUpdateAllowance()` not enforced in `redeemRequest()` and `redeemFiatRequest()` in `RedemptionVault` Contract

An attacker can cancel any raffle immediately after the prize manager locks the prize.

An attacker will lock prizes indefinitely in the `WinnablesPrizeManager` contract and restrict winner from claiming their prizes

Old Owners Retain Unauthorized Access to Critical Functions in `WinnablesPrizeManager` and `WinnablesTicket` Contracts

`SuperPool.totalAssets()` is not EIP-4626 complaint

Incorrectly assigned `decimal1` parameter upon decoding

`mintToken()`, `mintWithBudget()`, and `forge()` in the `TraitForgeNft` Contract Will Fail Due to a Wrong Modifier Used in `EntropyGenerator.initializeAlphaIndices()`

Incorrect Percentage Calculation in NukeFund and EntityForging when `taxCut` is Changed from Default Value

Pause and unpause functions are inaccessible

Malicious actor can abuse the minimum shares check in `StakingLPEth` and cause DoS or locked funds for the last user that withdraws

`PendleLPOracle::_fetchAndValidate` uses Chainlink's deprecated `answeredInRound`

Incorrect Claim Check in `VouchFaucet` Contract Cuase anybody can drain the contract

Missing Token Validity Check in `onERC1155BatchReceived` in `ERC1155Voucher` contract

Lack of 18 Decimal Scaling in Balance Update in `restoreBridgeTransaction` Function in `BridgeFacetImpl` Library

ThorChain will be informed wrongly about the unsuccessful ETH transfers due to the incorrect events emissions

Due to the use of `msg.value` in for loop, anyone can drain all the funds from the `THORChain_Router` contract

Malicious User can call `lockOnBehalf` repeatedly extend a users `unlockTime`, removing their ability to withdraw previously locked tokens

Missing disapproval check in `LockManager.sol::approveUSDPrice` allows simultaneous approval and disapproval of a price proposal

Incorrect Reward Calculation Due to Unupdated `lastRewardBlock` When `startBlock` is Reduced or Increased

Potential Fund Lock in `Requestor` Contract on `zkSync Era` Blockchain Due to the Use of `transfer()` Method to Transfer ETH

`deposit()` function in `AssetsProcess` contract fails to restrict a user from depositing amounts greater than `collateralUserCap`

Incorrect withdraw queue balance in TVL calculation

Incorrect calculation of queued withdrawals can deflate TVL and increase ezETH mint rate

Pending withdrawals prevent safe removal of collateral assets

Deposits will always revert if the amount being deposited is less than the bufferToFill value

Missing Return Statement in `_getReserves` Function in `MagicLpAggregator` Contract

Holders array can be manipulated by transferring or burning with amount 0, stealing rewards or bricking certain functions

`LiquidInfrastructureERC20.sol` disapproved holders keep part of the supply, diluting approved holders revenue.

Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win

Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.

Missing access control on UTB:receiveFromBridge allows UTB swaps to be executed without spending bridge fees while bypassing fee/swap instruction signature verification

Unauthorized Access to setCurves Function

onBalanceChange causes previously unclaimed rewards to be cleared

Users will lose rewards when buying new tokens if they already own some tokens

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

Auction payout goes to AuctionDemo contract owner, not the token owner

``FULL_RESTRICTED`` Stakers can bypass restriction through approvals

`ODSafeManager#allowSAFE()` cannot be executed either by the proxy contract or any other address.