Anyone can unlock instantly and dodge fees whenever no one is staking in the Tax pool

Users can get locked out of the protocol due to gas limit issues

User Can Perpetually Deny Redeems by Cycling Mint and Redeem Requests with Zero Fees

Unauthorized Token Transfer via payWithERC20

Malicious user can grief staking rewards for legitimate stakers through frequent claiming

Any user can grief reward rates by adding minimal rewards

Incorrect Reward Claim Logic in FeeCollector::claimRewards Causes Denial of Service

Treasury Balance Tracking Bypass in FeeCollector

Ineffective Time-Weighted Average Implementation in Fee Distribution

Treasury Contract Deposit Function Can Be Frontrun To Deny Protocol Operations

Multiple Token Management Lets Withdraw a Token Different than Deposited Token

`FeeCollector::updateFeeType` wrong fee share validation leads to impossible update for some fee types

Treasury's allocated funds not tracked during withdrawals leads to accounting issue where recepient can receive more than allocated funds.

Auction cannot complete successfully due to period mismatch between Pool and BondToken contracts

`SecondSwap_Marketplace` vesting listing order affects how much the vesting buyers can claim at a given step

Incorrect referral fee calculations

Rounding error in stepDuration calculations.

Minting zero tokens when underlyingToken is not Ether in cashIn()

Since the cost of launching a new pool is minimal, an attacker can maliciously consume VirtualTokens.

# Double Counting of Fees in ReputationMarket Will Lead to Fund Loss

Claim Restriction Prevents Users from Claiming Multiple Epochs

Incorrectly assigned `decimal1` parameter upon decoding