Permissionless `notifyRewardAmount()` function can disrupt rewards distribution

Allocation per user is incorrectly calculated in "updateParticipation()"

Multiple Delegation by Double Spending Boosts and Lack of Delegation Tracking in BoostController Contract

ZENO Token Redemption Returns Negligible USDC Amount Compared to Purchase Price

Attackers can get most of RAACToken rewards by withdrawing dust amount from StabilityPool multiple times

Treasury Balance Tracking Bypass in FeeCollector

Attackers can double voting power and veToken amount by locking and increasing

`MAX_TOTAL_SUPPLY` Bypass in `veRAACToken` via `increase()` Function

Missing StabilityPool Integration in `mintRewards` Function

Treasury Contract Deposit Function Can Be Frontrun To Deny Protocol Operations

Token Accounting Mismatch Between tick() and mintRewards() in RAACMinter

Permanent boost inflation through delegation removal in Boostcontroller.sol

Limited veRaac Token Supply Triggers DoS, Hampering Proper Governance Participation.

Unauthorized Vote Casting Vulnerability

Users can force auctions to fail by redeeming large amounts right before auction ends

Blocklisted bidder can force auction to fail

Incorrect event emitted in `setUpdateWeightRunnerAddress()` function

User can withdraw part of order funds after order was executed

Pseudo-random `orderId` allows to drain protocol

Malicious order executor can completely dran protocol

ETH will be sent to wrong address during liquidation

Lack of access control in `executeSetterFunction()`

Excess ETH sent during liquidation will be stuck forever

User's funds are not transfered during liquidation

Wrong calculation of entry fees leads to overpayment of fees

Wrong calculation of marketFunds leads to losses for other markets.

Lack of slippage protection fot ETH spend/received in ReputationMarket.sol

NFT will be locked in buyOrder

Incentives will not be updated in updateFunds() function

Previous owner can steal unclaimed bribes from new owner of veNFTVault

Protocol does not work with fee-on-transfer tokens

Repayment will revert due to wrong balance mismatch check

Anyone can break accounting of rewards from Convex

StrategyPassiveManagerVelodrome does not take into account unharvested fees

`Keepers` does not implement EIP712 correctly on multiple occasions

`maxDeposit`, `maxMint`, `maxWithdraw`, and `maxRedeem` functions do not return 0 when they should

Anyone can steal pool shares from lender group if no-revert-on-failure tokens are used

Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

Attacker can frontrun to prevent vaults from being removed from the dNFT owner's position

Highest bidder can cancel his bid

Missing zero amount check may lead to loss of funds

All claimed rewards will be lost for the users using the account abstraction wallet

Incorrect removal of a council member

Missing deadline check allow pending transactions to be maliciously executed