LenderCommitmentGroup Liquidations do not give collateral to liquidator

Liquidations in the Lender Commitment Group don't include owed interest

Unsafe transferFrom()

Marketplace Fee for loan can be updated any time after bid until lender accepts

Infinite Voting Power due to exposed `_mint()` function

Changes to `voteFactor` can lead to unclaimable tokens

Rewards are never earned because `AsyncSwapper` never receives tokens during liquidation

Mint/Deposit with payable ETH will result in double spend

Adding margin mistakenly increases leverage and removing margin decreases leverage

Debt doesn't actually acrue

DCA order value can be stolen in entirety

Withdrawals can be permanently frozen due to gas griefing

Failed withdrawal cannot be replayed

Insurance Fund shares are not calculated correctly

MEV can steal value due to lack of slippage checks

Update to `managerFeeBPS` applied to pending tokens yet to be claimed

Attacker can overwrite the L2 `inflationMultiplier` with previous values

Reward can be over- or undercounted in `extendPledge` and `increasePledgeRewardPerVote`

Loss of Veto Power can Lead to 51% Attack

FraxlendPair#setTimeLock: Allows the owner to reset TIME_LOCK_ADDRESS

Possible to bypass saleConfig.limitPerAccount

ProxyFactory can circumvent ProxyRegistry

Error in allowance logic

Interface definition error

Malicious Users Can Exploit Residual Allowance To Steal Assets

An attacker can DoS vault's buyout with as little as 1 wei per 4 days

ORACLE DATA FEED CAN BE OUTDATED YET USED ANYWAYS WHICH WILL IMPACT ON PAYMENT LOGIC

`fillOrder()` and `exercise()` may lock Ether sent to the contract, forever

No way to set CURVE_POOL approval after setting new curve pool address

Centralisation Risk: Admin Can Change Important Variables To Steal Funds

User can bypass entryFee by sending arbitrary calldata to ParaSwap operator

Reentrancy from matchOneToManyOrders

Calling `unstake()` can cause locked funds

Stealing Wrapped Manifest in WETH.sol

Anyone can set the `baseRatePerYear` after the `updateFrequency` has passed

User can alter amount returned by redeem function due to control transfer

No cap on fees can result in a DOS in BathToken.withdraw()

Admin rug vectors

Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`

Owner can set the feeRate to be greater than 100% and cause all future calls to `exercise` to revert

Vault is Not Compatible with Fee Tokens and Vaults with Such Tokens Could Be Exploited

Lack of 0 amount check allows malicious user to create infinite vaults

Validators can cause transactions where they are not the one being paid the fees, to revert

The owner can mint all of the NFTs.

Many unbounded and under-constrained variables in the system can lead to unfair price or DoS

Chainlink pricer is using a deprecated API

[WP-H1] A malicious early user/attacker can manipulate the vault's pricePerShare to take an unfair share of future users' deposits

User can call liquidate() and steal all collateral due to arbitrary router call

SuperVault's leverageSwap and emptyVaultOperation can become stuck

User can steal all rewards due to checkpoint after transfer

Chainlink's latestRoundData might return stale or incorrect results

Griefer can extend period of higher withdrawal fees

Chainlink's latestRoundData might return stale or incorrect results

StakedCitadel depositors can be attacked by the first depositor with depressing of vault token denomination

StakedCitadel: wrong setupVesting function name

Funding.deposit() doesn't work if there is no discount set

New vest reset `unlockBegin` of existing vest without removing vested amount

yVault: First depositor can break minting of shares

Chainlink pricer is using a deprecated API

Borrower can be their own lender and steal funds from buyout due to reentrancy

Protocol doesn't handle fee on transfer tokens

ERC20 transferFrom return values not checked

Centralisation RIsk: Owner Of `RoyaltyVault` Can Take All Funds

Users with large `cooldown`s can grief other users

Reliance on lifiData.receivingAssetId can cause loss of funds

All swapping functions lack checks for returned tokens

LibSwap: Excess funds from swaps are not returned

DexManagerFacet: batchRemoveDex() removes first dex only

First depositor can break minting of shares

Low-level transfer via call() can fail silently

[WP-H4] Deleting `nft Info` can cause users' `nft.unpaidRewards` to be permanently erased