Inability to claim from Raffle based ERC20 Incentive will permanently lock funds.

Boost creator will prevent protocol from receiving claim fee

Using weird tokens such as rebasing tokens are not supported

Malicious actor will prevent or increase price of super pool creation.

Malicious actor will prevent reallocation of funds by super pool owner.

Maliciously claiming root for a large l2 block number will prevent additional creation of the game

`RawCall` builtin function allows passing a value in unsupported calls

RFP Recipient can steal funds by toggling the pool activity state

RFP recipient can steal pool funds without supplying all milestones by re-registering before allocation

RFP payment cannot be fulfilled because of a validation in `_distribute`

Incorrect caching of previous credits in `_qv_allocate` result in amplified voting result

Funding using a fee-on-transfer token will prevent payments

Users cannot claim tokens in `DonationVotingMerkleDistributionVaultStrategy` if fee-on-transfer tokens are used.

staleCheckLatestRoundData() does not check the status of the Arbitrum sequencer in Chainlink feeds.

Unbounded Loops Found in DSCEngine.sol can lead to DoS of liquidations

[H-01] Lack of emergency withdraw function when no arbiter is set

Fixed `i_arbiterFee` can prevent payment

Incorrect handling of `ETH/WETH` causes the `LMPVaultRouterBase` to use double pull the funds of the user

Malicious actor can steal rewards because rewards are not updated prior to staking

`GPToke` staking cap will prevent withdrawals

Malicious actor cause rebase to an old inflation multiplier

Limit Swap orders are still delayed by a block

Malicious actor can prevent migration by calling a non-existing function in `OVM_L2ToL1MessagePasser` and making `ReadWitnessData` return an error

Byte slicing corrupts data length - keepers funds will be drained by expensive memory expansion

Incomplete error handling causes execution and freezing/cancelling of Deposits/Withdrawals/Orders to fail.

Keeper can make deposits/orders/withdrawals fail and receive fee+rewards

Deposits/Withdrawals/Orders will be canceled if created before feature is disabled and attempted to be executed after

No check if Arbitrum L2 sequencer is down when receiving prices from price feeds

Malicious ERC20 tokens can prevent closing and claiming bounties

Overflow in getLockedFunds prevents refunds.

Large amount of deposits will cause an out of gas exception that will prevent refunds

Attacker can prevent funders from funding none-whitelisted ERC20 tokens

Staking rewards can be drained

Fee on transfer token not supported

Vault creator can prevent users from claiming staking rewards

Migration will not succeed because of a mismatch between witness data and expected data

ETH/tokens are permanently frozen if they are sent from L1->L2 using the L1StandardBridge while the L2CrossDomainMessenger is "paused"

No check if Arbitrum L2 sequencer is down in Chainlink feeds

RToken permanently insolvent/unusable if a single collateral in the basket behaves unexpectedly

Arbitrary transactions possible due to insufficient signature validation

Replay attack (EIP712 signed transaction)

Attacker can gain control of counterfactual wallet

Destruction of the `SmartAccount` implementation

Transaction can fail due to batchId collision

MinipoolManager: node operator can avoid being slashed

Inflation of ggAVAX share price by first depositor

Hijacking of node operators minipool causes loss of staked funds

node operator is getting slashed for full duration even though rewards are distributed based on a 14 day cycle

Users may not be able to redeem their shares due to underflow

any duration can be passed by node operator

Cancellation of minipool may skip MinipoolCancelMoratoriumSeconds checking if it was cancelled before

State Transition: Minipools can be created using other operator's AVAX deposit via recreateMinipool

VRFNFTRandomDraw admin can prevent created or started raffle from taking place

BondNFTs can revert when transferred

Trading will not work on ethereum if USDT is used

Centralization risks: owner can freeze withdraws and use timelock to steal all funds

`_handleDeposit` and `_handleWithdraw` do not account for tokens with decimals higher than 18

Chainlink price feed is not sufficiently validated and can return stale price

Lock.sol: claimGovFees function can cause assets to be stuck in the Lock contract

PrePO NFT holders will not be able to redeem collateral

ETH will get stuck if all NFTs do not get sold.

Use of `payable.transfer()` Might Render ETH Impossible to Withdraw

Protocol insolvent - Permanent freeze of funds

Giant pools can be drained due to weak vault authenticity check

Incorrect implementation of the ETHPoolLPFactory.sol#rotateLPTokens let user stakes ETH more than maxStakingAmountPerValidator in StakingFundsVault, and DOS the stake function in LiquidStakingManager

Freezing of funds - Hacker can prevent users withdraws in giant pools

Giant pools cannot receive ETH from vaults

Direct theft of buyers ETH funds.

Repaying a line of credit with a higher than necessary claimed revenue amount will force the borrower into liquidation

Reentrancy bug allows lender to steal other lenders funds

address.call{value:x}() should be used instead of payable.transfer()

Borrower/Lender excessive ETH not refunded and permanently locked in protocol

Lender can reject closing a position