Unprotected payWithERC20 Function allows complete theft of tokens

MergeTgt has no handling if TGT_TO_EXCHANGE is exceeded during the exchange period

Cross-Chain Signature Replay Attack Due to User-Supplied `domainSeparator` and Missing Deadline Check

Auction bidding will be bricked for everyone by blacklisted user

not adding `claimable` balance to the total assets in `_harvestAndReport` can cause losses.

Creator of one vesting plan can affect vesting plans created by other users.

Arbitrary Usda/Usdt Price Manipulation Allows Usdt Drain

Minting zero tokens when underlyingToken is not Ether in cashIn()

Since the cost of launching a new pool is minimal, an attacker can maliciously consume VirtualTokens.

Users can prevent protocol from rebalancing for his gain and cause loss of funds for protocol and its users

Subtraction in `variance()` will revert due to underflow