Wrong `tickUpper` argument used in `collectFees()` may lead to lock funds permanently

Due to an incorrect leverage calculation, users are able to open positions with a leverage bigger than the max leverage allowed

Failure to update `path` in multi-pool swaps results in an out-of-gas (OOG) error during leveraged position openings

An attacker can pick up a new price that is older than the current stored one

Attacker can open many small positions, disincentivizing liquidations

Hardcoded redstone oracle deviation threshold

Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect

`SNXConnector.sol` TVL calculation is incorrect.

Numerous errors when calculating the TVL for the MorphoBlue connector

It is possible to open insolvent position is Silo connector, due to missing check in borrow function

SiloConnector `_getPositionTVL` miscalculate the TVL position

Some connectors prevents repayment of a borrow position if it doesn't leave the connector solvent or above minimumHealthFactor

Dust donation might DOS all connectors to create new holding positions, by preventing removing existing holding positions

CollectionReferrerShare is wrongly sent to mint referrer

Users can `mintBatch` to mint out but pay for one token only

Edition._refundExcess() doesn't refund the excess ether

The edges will never be acknowledged because only memory copy is modified

Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine

Kerosene collateral is not being moved on liquidation, exposing liquidators to loss

Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults

Attacker can frontrun to prevent vaults from being removed from the dNFT owner's position

Value of kerosene can be manipulated to force liquidate users

Liquidation bonus logic is wrong

Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered(steal protocol's token)

Can mint NFT with the desired attributes by reverting transaction

DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed.

Fighter created by mintFromMergingPool can have arbitrary weight and element

Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`

Unauthorized Access to setCurves Function

Selling will be bricked if all other tokens are withdrawn to ERC20 token

onBalanceChange causes previously unclaimed rewards to be cleared

Curves::_buyCurvesToken(), Excess of Eth received is not refunded back to the user.

If a user sets their curve token symbol as the default one plus the next token counter instance it will render the whole default naming functionality obsolete

The userGaugeProfitIndex is not set correctly, allowing an attacker to receive rewards without waiting

Users staking via the `SurplusGuildMinter` can be immediately slashed when staking into a gauge that had previously incurred a loss

The creation of bad debt (`mark-down` of Credit) can force other loans in auction to also create bad debt

The price of rsEHT could be manipulated by the first staker

Protocol mints less rsETH on deposit than intended

TalosBaseStrategy#init() lacks slippage protection

Removing more gauge weight than it should be while transfering ````ERC20Gauges```` token

`ERC20Boost.sol` An user can be `attach`ed to a gauge and have no boost balance.

Anyone can trigger USSD depeg.

Wrong price calculation

ERC20 return values not checked

Reward accounting is incorrect in BathBuddy contract

BathBuddy contract should implement methods to pause and unpause contract

Zero reward rate calculation impedes low-decimals token distributions

Calling `Position._marketBuy` and `Position._marketSell` functions that calculate `_fee` by dividing by `10000` can cause incorrect calculations

Calling `ExpiringMarket.stop` and `ExpiringMarket.isClosed` functions cannot pause any functionlities of the market

Users can avoid paying depositFee

A malicious user can deny user reward enlisted in rollover

Bad implementation in minter access control for `RabbitHoleReceipt` and `RabbitHoleTickets` contracts

Users may not claim Erc1155 rewards when the Quest has ended