Loss of rewards due to griefing attack

Malicious user can spam rewards distribution causing users to miss out on rewards

Missing critical checks in `OracleLess` contract can be used to brick the `fillOrder()` function and cause funds to be stuck in the contract

`usdaCollectedFromCdsWithdraw` is not updated during withdrawal for users who did not opt in for liquidation

Users can steal USDT using `redeemUSDT()` from the CDS

Liquidation can be blocked if `liqAmountToGetFromOtherChain == 0`

All the interest earned from liquidation is stuck in the treasury forever

missing `omniChainData.noOfLiquidations` update in `liquidationType2()` can lead to loss of CDS depositor who opt in for liquidation

option renewal can be done in less than 15 or after 30 days

`lastEventTime` is not updated during liquidation and withdrawal thus overinflating the `lastCumulativeRate`

wrong amount of `sUSD` is used to open a short position in synthetix

`submitOffchainDelayedOrder()` is called wrong with wrong paramters

CDS withdrawals can be blocked for depositors who opted for liquidation

10% of CDS depositors profit are stuck in the treasury during withdrawal without a way to retrieve them

The interest from external protocol during liquidation is stuck without a way to withdraw

Yield form LRTs are forever stuck in the protocol and cannot be withdrawn

`downsideProtected` can block withdrawals anytime funds are requested from other chains to cover downside

excess funds will not always be refunded to borrower when they are withdrawing

`liquidationType2()` will always due wrong assumption that Asset:sAsset are minted 1:1

The protocol does not consider Sythetix exchange fees during liquidation

Attackers can force the rewards to be stuck in the contract with malicious `x/tokenfactory` denoms

`wantedToken` is stuck in the `BuyOrder` contract without a way to withdraw

`extendLoan(...)` will revert sometimes leading to a DOS

Interest paid for non perpetual loan during loan extension is lost when the borrower repays debt

Matching some lend orders can be blocked

`CollectionShutdown::execute(...)` can be permanently bricked thus blocking liquidation for a collection

Funds will be stuck in the `CollectionShutdown` contract if shutdown execution is cancelled

`params.quorumVotes` can overflow

Anyone can DOS `CollectionShutdown::preventShutdown()`

Users can manipulate interest rate using their protected listings

user can create listing with dust amount to block collection shutdown

Malicious actors can manipulate the `cross_chain_callback` callback

There is no refund mechanism in `ChakraSettlement.processCrossChainCallback` or `ChakraSettlementHandler.receive_cross_chain_callback` function

In Starknet already processed messages can be re-submitted and by anyone

Invalid token address used in `ChakraSettlementHandler::cross_chain_erc20_settlement(...)` leading to invalid transaction creation and event emission

inconsistency in sender address when creating cross chain messages on Starknet can lead to loss of funds

`create_lock(...)` can be DOS'd preventing users from creating lock in the `VotingEscrow`

rewards are lost when merging and withdrawing tokens

Claimable emissions are locked when a gauge is killed

`checkpoint_total_supply()` can prematurely update the `veSupply[t]` and `time_cursor` leading to wrong reward calculations

`update_period(..)` leads to wrong calculation in weekly emissions breaking accounting for the protocol

Votes of expired token in gauges lead to dilution of FLOW emissions for gauges with active votes

The First liquidity provider of a stable pair can DOS the pool

Most users won't be able to claim their share of Uniswap fees

Malicious User can call `lockOnBehalf` repeatedly extend a users `unlockTime`, removing their ability to withdraw previously locked tokens

Invalid validation allows users to unlock early

Players can gain more NFTs benefiting from that past remainder in subsequent locks

Withdrawals logic allows MEV exploits of TVL changes and zero-slippage zero-fee swaps

Noya is not compatible with tokens whose balance changes outside of transfers causing funds to get stuck in the contract

vesters `ZVE` tokens will be locked in the `ZiveoVestingRewards.sol` without a means of withdrawal if a vester's schedule is revoked

Rewards will be stuck in the `ZivoeRewardsVesting` contract without a way to withdraw them

Malicious user can prevent excess yield from being forwarded to the `YDL`

overstated TVL value breaks share accounting when asset are queued for withdrawal form `EigenLayer`

User can evade `liquidation` by depositing the minimum of tokens and gain time to not be liquidated

Minimium Collateral Check Can Be Bypassed

Auction payout goes to AuctionDemo contract owner, not the token owner

Removing a BribeFlywheel from a Gauge does not remove the reward asset from the rewards depo, making it impossible to add a new Flywheel with the same reward token

`unstakeAndWithdraw` inside `BoostAggregator` could lose pendingRewards in certain case

_decrementWeightUntilFree() Possible infinite loop

Claiming accumulated rewards while the contract is underfunded can lead to a loss of rewards