Multiple Delegation by Double Spending Boosts and Lack of Delegation Tracking in BoostController Contract

Delegation Boost Not Usable by Delegatees

Treasury Balance Tracking Bypass in FeeCollector

Gauge reward system can be gamed with repeatedly stake/withdraw

Gauge reward period can be extended indefinitely

Incorrect DebtToken totalSupply Scaling Breaks Interest Rate Calculations

There is no logic checking for RAACNFT price staleness before minting it

Concurrent Oracle Fulfillments Overwrite House IDs, which leads to Incorrect Pricing

The Deleverage Will apply twice on market USDtoken minting

Unclaimed Rewards Loss Due to Missing Validation in `VaultRouterBranch.stake()`

Users could potentially use their own referral code

Transferring deposit NFT doesn't check if the receiver exceeds the 100 deposit limit

Receipt NFTs will be permanently locked inside `buyOrder` when a user fills a buy order

Old owner of receipt NFTs will still be a manager in the corresponding vault contract allowing them to perform perform unwanted actions with veNFTs

Subtraction in `variance()` will revert due to underflow

Platform fees withdrawal will sweep oracle agents earned fees

Request responses and validations can be mocked leading to extraction of fees and/or forcing other generators to lose their fees by making them outliers

`V2AMO` is not compatible with Aerodrome and Velodrome routers due to different pool address creation logic

Unable to call some functions in the incentive contracts with onlyOwner modifier because of incorrect initialization leading to stuck funds

Attacker can steal a user's repaid protected listing if the buyer opts to withdraw their asset at another time

[H-01] Auction tokens will be lost forever when auction ends without bids

TokenManager - Unlimited withdraw