First Depositor Donation Attack Allows Profit Extraction

Due to Missing Validation of fromTokenAmount, User Can Inflate Target Token Output in GatewaySend.depositAndCall()

GatewaySend.onRevert() function fails to handle native ETH refunds, User Funds Permanently Locked in GatewaySend

Users can imbalance the pool by removing a single pool token without paying tax due to incorrect calculation in removeValueSingle()

Functions that rely on chainlink prices cannot be queried on avalanche due to sequencer uptime check.

Incorrect listing type validation bypasses enforcement of minimum purchase amount

maxSellPercent can be buypassed by selling previously bought vestings at a later time

Listing potential can not be purchased with discounted price

cancelOrder() function can be used in Reentrancy attack

safeApprove function is deprecated and is not recommended to be used as it could leads to revert in some cases

MembershipERC1155 proxy cannot be upgraded