Trading fee is paid by the seller instead of buyer

Users can buy shares for free due to rounding error

Incorect USDC conversion leads to smaller cashback transfer to user

Wrong `tickUpper` argument used in `collectFees()` may lead to lock funds permanently

Due to an incorrect leverage calculation, users are able to open positions with a leverage bigger than the max leverage allowed

Failure to update `path` in multi-pool swaps results in an out-of-gas (OOG) error during leveraged position openings

ZENO Token Redemption Returns Negligible USDC Amount Compared to Purchase Price

Incorrect decimal handling in `Auction::buy()` leads to massive overpayment for ZENO tokens

RAACNFT mint function receives funds to address(this) but has no way of withdrawing them

`BaseGauge` users can claim rewards without staking

Users Can Overwrite Existing Locks in veRAACToken Resulting in Permanent Loss of Funds

`GaugeController::_calculateReward` implementation will cause smaller shares to be allocated to every gauge

Multiple issues from unnecessary balance increase calculation in DebtToken.mint

Reward manipulation vulnerability in StabilityPool

RToken's transfer function lead to loss of funds due to incorrect math

Users can borrow more assets than they have deposited as collateral

NFTs Get Permanently Locked in Stability Pool After Liquidation

Any attempt to liquidate a user will fail, because StabilityPool does not hold crvUSD during operational lifecycle

Double Usage Index Scaling in StabilityPool Liquidation Inflates Required CRVUSD Balance

Boost Miscalculation Leads to Excess Distribution

Ownership Parameter Mismatch in LendingPool’s Vault Withdrawal Logic

Treasury Balance Tracking Bypass in FeeCollector

Attackers can double voting power and veToken amount by locking and increasing

Gauge Voting Misallocation Vulnerability

Critical Economic Design Flaw in ZENO Zero-Coupon Bond Implementation Leads to Guaranteed User Losses

Voting Power Snapshot Missing

Gauge stakers won't get any reward due to round-down in user weight calculation

Stability pool does not consider RToken balance increase when DEToken is withdrawn

Multiple calls to `BaseGauge::notifyRewardAmount()` override existing reward rate, causing loss of rewards for stakers

Hardcoded Exchange Rate Leading to Incorrect Deposits and Redemptions

Gauge reward period can be extended indefinitely

LendingPool::getNormalizedIncome() returns stale liquidity index

Users Can Lose Funds and Collateral by Repaying Loans After Liquidation Grace Period Expiry

Liquidation Cannot Be Closed Even With Healthy Position Due To Strict Debt Check

Using balanceOf Instead of Voting Power

There is no logic checking for RAACNFT price staleness before minting it

`RToken::calculateDustAmount` are incorrectly calculated, leading to not be able to transfer the accrued dust amount

Concurrent Oracle Fulfillments Overwrite House IDs, which leads to Incorrect Pricing

Liquidations are enabled when repayments are disabled, causing borrowers to lose funds without a chance to repay

User may not be able to increase the amount of locked RAAC tokens

Lack of Time-Weighted Voting and Weight Decay in GaugeController

RAACToken burns less tokens than expected when feeCollector is unset

The earned yield from the Curve vault can never be utilized when withdrawing or borrowing

closeLiquidation within LendingPool does not allow partial repayments, which can cause massive losses to users within edge case

Updating the prime rate will change the interest for a time that was already passed

Skewed Reward Distribution in GaugeController.sol

Incorrect Timestamp Tracking in RAACHousePrice contract

Deposits/Withdrawals can be DOS'ed if crvVault::withdraw produces any losses

Incorrect Credit Capacity Validation in `VaultRouterBranch.redeem` Enables Locked Collateral Drainage

Multiple instances where Vault's `totalAssets()` is not properly scaled to ZAROS precision

Underflow when updating credit delegation will result protocol DoS

Vaults weth reward is not distributed correctly

Unclaimed Rewards Loss Due to Missing Validation in `VaultRouterBranch.stake()`

Incorrect Debt Check in `CreditDelegationBranch::settleVaultsDebt` Function

Total market debt > 0 when credit deposits > netusdissuance which breaks key protocol logic

Incorrect calculation in CreditDelegationBranch::withdrawUsdTokenFromMarket allows attacker mint any amount of usdz

Incorrect vault debt validation logic in rebalanceVaultsAssets causes reverts

The logic in `getPremiumDiscountFactor` is inverted: a discount is applied when Vault is in credit and a premium is applied if Vault is in debt

Issue with Decimal Offset Calculation Leading to Weak Donation Protection

Duplicate `Collateral.Data` struct causes admin configuration conflict

Protocol not fully compliant with ERC-7201

Invalid referral data retrieval

An attacker can pick up a new price that is older than the current stored one

Attacker can open many small positions, disincentivizing liquidations

Hardcoded redstone oracle deviation threshold

Market Disruption and Financial Loss Post-Liquidation

Insufficient checks to confirm the correct status of the sequencerUptimeFeed

An Uninitialized Variable In The `MarketConfiguration::update` Function Causes The `PrepMarket::getIndexPrice` Function To Revert

Functions calling `verifyReport` to verify offchain prices from chainlink will fail

When transfering the NFT associated to a TradingAccount, the old owner can grief the new owner by leaving an opened MarketOrder that will be executed even though the old owner is not the owner of the TradingAccount.

Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect

`SNXConnector.sol` TVL calculation is incorrect.

Numerous errors when calculating the TVL for the MorphoBlue connector

It is possible to open insolvent position is Silo connector, due to missing check in borrow function

SiloConnector `_getPositionTVL` miscalculate the TVL position

Some connectors prevents repayment of a borrow position if it doesn't leave the connector solvent or above minimumHealthFactor

Dust donation might DOS all connectors to create new holding positions, by preventing removing existing holding positions

CollectionReferrerShare is wrongly sent to mint referrer

Users can `mintBatch` to mint out but pay for one token only

Edition._refundExcess() doesn't refund the excess ether

The edges will never be acknowledged because only memory copy is modified

Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine

Kerosene collateral is not being moved on liquidation, exposing liquidators to loss

Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults

Attacker can frontrun to prevent vaults from being removed from the dNFT owner's position

Value of kerosene can be manipulated to force liquidate users

Liquidation bonus logic is wrong

Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered(steal protocol's token)

Can mint NFT with the desired attributes by reverting transaction

DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed.

Fighter created by mintFromMergingPool can have arbitrary weight and element

Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`

Unauthorized Access to setCurves Function

Selling will be bricked if all other tokens are withdrawn to ERC20 token

onBalanceChange causes previously unclaimed rewards to be cleared

Curves::_buyCurvesToken(), Excess of Eth received is not refunded back to the user.

If a user sets their curve token symbol as the default one plus the next token counter instance it will render the whole default naming functionality obsolete

The userGaugeProfitIndex is not set correctly, allowing an attacker to receive rewards without waiting

Users staking via the `SurplusGuildMinter` can be immediately slashed when staking into a gauge that had previously incurred a loss

The creation of bad debt (`mark-down` of Credit) can force other loans in auction to also create bad debt

The price of rsEHT could be manipulated by the first staker

Protocol mints less rsETH on deposit than intended

Theft of collateral tokens with fewer than 18 decimals

Liquidation Is Prevented Due To Strict Implementation of Liqudation Bonus

staleCheckLatestRoundData() does not check the status of the Arbitrum sequencer in Chainlink feeds.

Lack of fallbacks for price feed oracle

High - Funds can be lost if any participant is blacklisted

TalosBaseStrategy#init() lacks slippage protection

Removing more gauge weight than it should be while transfering ````ERC20Gauges```` token

`ERC20Boost.sol` An user can be `attach`ed to a gauge and have no boost balance.

Anyone can trigger USSD depeg.

Wrong price calculation

ERC20 return values not checked

Reward accounting is incorrect in BathBuddy contract

BathBuddy contract should implement methods to pause and unpause contract

Zero reward rate calculation impedes low-decimals token distributions

Calling `Position._marketBuy` and `Position._marketSell` functions that calculate `_fee` by dividing by `10000` can cause incorrect calculations

Calling `ExpiringMarket.stop` and `ExpiringMarket.isClosed` functions cannot pause any functionlities of the market

Users can avoid paying depositFee

A malicious user can deny user reward enlisted in rollover

Bad implementation in minter access control for `RabbitHoleReceipt` and `RabbitHoleTickets` contracts

Users may not claim Erc1155 rewards when the Quest has ended