Unprotected payWithERC20 Function allows complete theft of tokens

MergeTgt has no handling if TGT_TO_EXCHANGE is exceeded during the exchange period

Wrong amount is minted to user when they deposit into the lending pool

Faulty Gauge Weight Update Formula: Voting Power Delta Not Considered Leading to Arithmetic Underflow and Vote Weight Inconsistency

Multiple Delegation by Double Spending Boosts and Lack of Delegation Tracking in BoostController Contract

Delegation Boost Not Usable by Delegatees

Multiple issues from unnecessary balance increase calculation in DebtToken.mint

Boost Miscalculation Leads to Excess Distribution

Incorrect Return Values and Double Scaling in `RToken.burn` Function Leads to Denial of Service

There is no logic checking for RAACNFT price staleness before minting it

Workingsupply would always be overwritten in boostcontroller.sol impacting reward calculations

Proposal Front-Running via Predictable Salt in `TimelockController::scheduleBatch`

Users Cannot Remove Their Own Boost Delegation, Causing Potential Lock-In

closeLiquidation within LendingPool does not allow partial repayments, which can cause massive losses to users within edge case

Portion of revenue to be distributed for gauges remains undistributed

`mint` function in RToken contract doesn't return the correct expected values, leading to emission of ReserveLibrary `Deposit` event and LendingPool `Deposit` event with incorrect values.

Irreversible emission cap reduction in BaseGauge

Hardcoded Emission Values Lead to Incorrect Reward Calculations

Cross-Chain Signature Replay Attack Due to User-Supplied `domainSeparator` and Missing Deadline Check

Auction bidding will be bricked for everyone by blacklisted user

not adding `claimable` balance to the total assets in `_harvestAndReport` can cause losses.

Creator of one vesting plan can affect vesting plans created by other users.

Arbitrary Usda/Usdt Price Manipulation Allows Usdt Drain

Minting zero tokens when underlyingToken is not Ether in cashIn()

Since the cost of launching a new pool is minimal, an attacker can maliciously consume VirtualTokens.

Users can prevent protocol from rebalancing for his gain and cause loss of funds for protocol and its users

Subtraction in `variance()` will revert due to underflow