Votes counted multiple times and/or governance takeover upon reinitialization

Vote manipulation and griefing in `AdvancedDistributor`

`xcall` transfer may never succeed because of inability to increase relayer fees

Coding logic of the contract upgrading renders upgrading contracts impractical

Supply cap of VariableSupplyERC20Token is not properly enforced

Reentrancy may allow an admin to steal funds

Multiple cross-contract reentrancy vulnerabilities in AccountManager

Liquidation DoS in case of a single collateral token failure

Treasury module is vulnerable to cross-contract reentrancy

`LibDiamond.diamondCut()` should check `diamondStorage().acceptanceTimes[keccak256(abi.encode(_diamondCut))] != 0`

Diamond upgrade proposition can be falsified

Owner can modify the feeRate on existing vaults and steal the strike value on exercise

Use of `.send()` May Revert if The Recipient's Fallback Function Consumes More Than 2300 Gas

Reentrancy at _requestLoan allows requesting a loan without supplying collateral

`DropPerSecond` is not updated homogeneously, the rewards emission can be much higher than expected in some cases

Past state query results are susceptible to manipulation due to multiple states with same block number

cooldown is set to 0 when the user sends all tokens to himself.

Reentrancy in `depositBribeERC20` function

Owner can steal input tokens

Seven ways in which the Owner and Proxy Admin can make users lose funds ("rug vectors")

[WP-H3] `saleRecipient` can rug buyers

Repeated Calls to Shelter.withdraw Can Drain All Funds in Shelter

`MasterChef.updatePool()` Fails To Update Reward Variables If `block.number >= endBlock`

Owner can lock tokens in `MasterChef`

Owner can steal Concur rewards

Unconstrained fee

During stake or deposit, users would not be rewared the correct Concur token, when MasterChef has under-supply of it.

[ConcurRewardPool] Possible reentrancy when claiming rewards

ERC20 return values not checked

It might not be possible to withdraw tokens from the basket

It is possible to "uninitialize" `ERC20Facet` contract

Annualized fee APY dependence on the frequency of executing a function

`totalSupply` may exceed `LibBasketStorage.basketStorage().maxCap`