Flawed logic in `Rebalancer.sendMsg` for the `maxTransferSize` check can cause a Denial of Service, blocking the rebalancing mechanism after a time window resets.

Blacklisted users can withdraw funds from mTokenGateway by using a non-blacklisted delegated account.

Signature Re-use Bypasses Multi-signature Threshold in Consensus Module

Incorrect Index Usage in `DepositQueue.cancelDepositRequest` Leads to Accounting Corruption and Permanent Denial-of-Service

Critical Precision Loss in MultiHopOracle Price Calculations

Cross-function Merkle Proof Usage Vulnerability

Potential Deposit Reverts Due to Removed Operator Vaults

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

Sandwich attack to steal all ERC-20 tokens in the Fees contract

Forcing a borrower to pay a huge debt via the giveLoan()

Malicious lender can increment the loan interest using the auction process

Lack of slippage protection can lead to significant loss of user funds

Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom

A malicious strategy can permanently DoS all currently pending withdrawals that contain it

`setCollateralEscrowBeacon()` can be called by anyone

`commitCollateral()` can be called by anyone

fee-on-transfer tokens are not supported

Logic Error in _decreaseCurrentMinted

The attacker can bypass the original logic of `reduceposition()`

No check sequencer is down in Chainlink feeds

`latestRoundData()` has no check for round completeness

DepositManagerV1::refundDeposit() does not judge bounty status

claimManager will cause BountyCore::refundDeposit() to fail

use safetransfer and safetransferFrom

Disabled NFT collateral should not be used to mint debt

Price will not always be 18 decimals, as expected and outlined in the comments

Incorrect Assumption of Stablecoin Market Stability

Trading will not work on ethereum if USDT is used

`safeTransferMany()` doesn't actually use safe transfer

Centralization risks: owner can freeze withdraws and use timelock to steal all funds

Chainlink price feed is not sufficiently validated and can return stale price

Manager can get around min reserves check, draining all funds from Collateral.sol

`LPDA` price can underflow the price due to bad settings and potentially brick the contract

Price oracle could get a stale price

Malicious Users Can Drain The Assets Of Auto Compound Vault

Underlying assets stealing in `AutoPxGmx` and `AutoPxGlp` via share price manipulation

Deposit Feature Of The Vault Will Break If Update To A New Platform

_calculateRewards() in PirexGmx don't handle reward calculation properly, and it would revert when totalSupply() is zero which will cause claimRewards() to revert if one of 4 rewardTracker's totalSupply was zero

`address.call{value:x}()` should be used instead of `payable.transfer()`

Solmate safetransfer and safetransferfrom doesnot check the codesize of the token address, which may lead to fund loss

The value of `createFeeDiscount` can never be updated

Attacker can steal any funds in the contract by state confusion (no preconditions)

Solmate's ERC20 does not check for token contract's existence, which opens up possibility for a honeypot attack

address.call{value:x}() should be used instead of payable.transfer()

Borrower/Lender excessive ETH not refunded and permanently locked in protocol

rollerPeriphery::approve() has no permission control and can steal contract tokens

Oracle assumes token and feed decimals will be limited to 18 decimals

Chainlink oracle data feed is not sufficiently validated and can return stale `price`

As long as the set `Feeto` address, will make `VaultImplementation.sol::commitToLien()` to stop working

Nonces not used in signed data

use safecast

Transfering funds to yourself increases your balance

StandardPolicyERC1155.sol returns amount == 1 instead of amount == order.amount

Steal their money

ConvertToShares () uses the LINK of the contract to calculate and may result in a loss of user assets

Vault set to the zero-address will break swaps and flash loans in all deployed pools

Centralization risk: admin have privileges: admin can set address to mint any amount of frxETH, can set any address as validator, and change important state in frxETHMinter and withdraw fund from frcETHMinter

frxETHMinter: Non-conforming ERC20 tokens not recoverable

The reveal process could brick if `randProvider` stops working

Possibility to burn all ETH in Crowdfund under some circumstances

[H3] Persisted msg.value in a loop of delegate calls can be used to drain ETH from your proxy

Missing upper limit definition in replaceLenderFee() of HomeFi.sol

Error in allowance logic