Incorrect UpperTick for VestingPosition in `collectFees()`

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

Most users won't be able to claim their share of Uniswap fees

`earlyExitById()` and `exitLateById()` calls near the end of `lockPeriod` are vulnerable to attacks.

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

First depositor can make subsequent depositor lose all of her or his deposit

Attacker Can Frontruns User's Withdrawals To Make Them Reverts Without Costs

No incentive to liquidate when CR <= 1 as asset received < dyad burned

`OUSGInstantManager` will allow Excessive OUSG Token Minting During USDC Depeg Event

onBalanceChange causes previously unclaimed rewards to be cleared

Curves::_buyCurvesToken(), Excess of Eth received is not refunded back to the user.

Withdrawing with amount = 0 will forcefully set name and symbol to default and disable some functions for token subject

Bonds created in year cross epoch's can lead to lost payouts

No slippage protection for Market functions

Possible arbitrage from Chainlink price discrepancy

Protocol mints less rsETH on deposit than intended

Single host can unfairly skip veto period for proposal that does not have full host support

Some arbitrary proposal calls will fail because executeProposal() in ProposalExecutionEngine is not payable

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

Bidder Funds Can Become Unrecoverable Due to 1 second Overlap in `participateToAuction()` and `claimAuction()`

Auction winner can prevent payments via `safeTransferFrom` callback

Soft Restricted Staker Role can withdraw stUSDe for USDe

``FULL_RESTRICTED`` Stakers can bypass restriction through approvals

Approved address can approve other addresses for an owner's safe

Lenders can escape the blacklisting of their accounts because they can move their MarketTokens to different accounts and gain the WithdrawOnly Role on any account they want

Borrower has no way to update `maxTotalSupply` of `market` or close market.

Blocked accounts keep earning interest contrary to the WhitePaper

Rewards cannot be transferred when calling protocol command

Prime.sol - User can claim Prime token without having any staked XVS, because his `stakedAt` isn't reset whenever he is issued an irrevocable token.

All tokens can be stolen from `VirtualAccount` due to missing access modifier

`distribute()` can be front-run by toggling pool status to steal funds

Infinite Votes Possible Due to Incorrect `voiceCredits` Handling

`percentFee` can be avoided.

Multiple Calls to `setMilestones()` Allowed Before Completing First `upcomingMilestone`

Vote Inflation Issue in `_qv_allocate()` Leads to Unfair Fund Distribution in `_distribute()`

Investors claiming their maxDeposit by using the LiquidityPool.deposit() will cause that other users won't be able to claim their maxDeposit/maxMint

withdrawFees does not update checkpoint

Malicious lender can increase loan.amount

The settle feature will be broken if attacker arbitrarily transfer collateral tokens to the PerpetualAtlanticVaultLP

The peg stability module can be compromised by forcing lowerDepeg to revert.

Users can get immediate profit when deposit and redeem in `PerpetualAtlanticVaultLP`

Inaccurate swap amount calculation in ReLP leads to stuck tokens and lost liquidity

Can not withdraw RDPX if WETH withdrawn is zero

User that delegate eth to `RdpxV2Core` will incur loss if his delegated eth fulfilled by decaying bonds

Unused funds are not returned and not counted in `GeVault`

User can steal refunded underlying tokens from `initRange` operation inside `RangeManager`

Sandwich attack to steal all ERC-20 tokens in the Fees contract

Fee on transfer tokens will cause users to lose funds

The `borrow` and `refinance` functions can be front-run by the pool lender to set high interest rates

+= and -= are more expensive

Uncheck Arithmetic where overflow/underflow impossible

Using Private Rather Than Public For Constants,Saves Gas

For the borrow(), repay() & startAuction() functions in Lender.sol the public visibility modifiers should be changed to external, to help optimize gas usage