Phantom Shares Vulnerability in Fee-Charging Vaults Will Block All Swaps Once a Tipping Point is Reached

Missing acceptOwnership() Function Selector Registration Prevents Ownership Transfers

Anyone can transfer approved ERC20 tokens as the payWithERC20 function lacks authorization controls

Users Can Overwrite Existing Locks in veRAACToken Resulting in Permanent Loss of Funds

Incorrect Reward Claim Logic in FeeCollector::claimRewards Causes Denial of Service

RToken's transfer function lead to loss of funds due to incorrect math

Users can borrow more assets than they have deposited as collateral

Any attempt to liquidate a user will fail, because StabilityPool does not hold crvUSD during operational lifecycle

RToken is Not Interest Bearing Due to Broken Liquidity Index Calculation

Double Usage Index Scaling in StabilityPool Liquidation Inflates Required CRVUSD Balance

The total voting power of all veRAAC tokens is wrongly assigned

Interest Accrual Failure Due to Incorrect Scaling in RToken Implementation

Critical Economic Design Flaw in ZENO Zero-Coupon Bond Implementation Leads to Guaranteed User Losses

Incorrect utilization rate forces protocol to issue maximum rewards indefinitely

RToken.transferFrom() Does Not Scale User Balances Due to Stale Liquidity Index

Using balanceOf Instead of Voting Power

`RToken::calculateDustAmount` are incorrectly calculated, leading to not be able to transfer the accrued dust amount

Liquidations are enabled when repayments are disabled, causing borrowers to lose funds without a chance to repay

Emergency revoke in RAACReleaseOrchestrator will freeze revoked RAAC tokens in orchestrator

Inconsistent Scaling in RToken Transfer Functions

Incorrect Period Transition Logic in Reward Distribution

Incorrect reward calculations in tick function

Interest Rate Model Uses Prime Rate Instead of Optimal Rate at Optimal Utilization

The earned yield from the Curve vault can never be utilized when withdrawing or borrowing

Improper Lock State Updates: Misreported Locked Token Data infects Governance Participation, rewards distribution and Harms Protocol Trust.

`FeeCollector::updateFeeType` wrong fee share validation leads to impossible update for some fee types

Extended Recovery Period After Emergency Shutdown Due to Rate Adjustment Limitations

Incorrect Voting Power Reporting in `veRAACToken.sol::getLockPosition` Function

`LendingPool` yield generated in curve vault is lost and cannot be withdrawn by users

Missing KYC and NFT Ownership Verification for Ecosystem Access