Pending rewards are lost on stake/unstake

collectFees will revert with eth-dca

CashbackClaim.startTime is never used

_convertToUSDCPrecision USDC on BNB has 18 decimals

setMintRate does not update index

set_gauge_controller accepts only empty gc

Unbound loop in _updateInterest

Rewards rate can be diluted by attacker

configDirC not freed

Malicious proposer can include empty transactions in a valid proposal

Chain halt as VerifyVoteExtensionHandler is not guaranteed to run

ASA-2025-003

postBatch: inflating votingPower

Malicious validator can steal withdraw tokens

requestor can prevent postResult

postRequest can be front run

updateParticipation confuses CurrencyAmount with TokenAmount

Auction can be intentionally failed by bidding above poolSaleLimit ratio

Protocol loses portion of accumulated fees after each Auction

Bidders may halt bidding by getting themselves blacklisted

execute : target can be any address, including Token. stealing funds

Orders created in same block will override each other

OracleLess.createOrder passes wrong owner to procureTokens

cancelOrder and adminCancelOrder can be blocked by using blacklisted recipient address. permanent dos

PythOracle.currentValue will return only if price is stale

OracleLess missing maxPendingOrders check, leading to OOG in fillOrder, cancelOrder

UsualX.withdraw subtracts from totalDeposits incorrect fee amount