stETH edge case in transfer rounding can cause denial of service for depositors and redeemers.

Users may not receive refunds for native tokens if a cross-chain transaction is reverted.

A cross-chain user can drain protocol funds by exploiting token decimal mismatches.

A user can supply collateral via flashloan/flashmint, initiate a cross-chain borrow, and redeem collateral in a single transaction to drain protocol funds.

Users can repeatedly claim the same LEND rewards due to lack of reset after claim.

User can evade liquidation and bridge funds by exploiting cross-chain borrow/collateral invariant

Liquidation can fail permanently due to incorrect `destEid` in `findCrossChainCollateral`, causing liquidator funds to be stuck.

Repayment logic incorrectly updates same-chain borrow balances for cross-chain borrows.

LEND rewards are calculated after balance updates, leading to inaccurate and unfair reward distribution.

A user can over-borrow on multiple chains by exploiting asynchronous cross-chain borrow requests

A user can drain the contract’s ETH balance by spamming cross-chain borrow requests without supplying any collateral.

Borrow limit check may be overly restrictive due to redundant interest scaling in borrow calculation.

Pools Outside of the Reward Zone can keep receiving Blend Tokens

Missing update_rz_emis_data Calls in draw and donate Functions Lead to Incorrect Emissions Distribution

`maxTokenAmountPerUser` limit can be bypassed when currency token has less decimals than the launch token.

PerpetualVault can be completely bricked

ADL can result in unwrapped ETH as output which is not handled

Vaults weth reward is not distributed correctly

Unclaimed Rewards Loss Due to Missing Validation in `VaultRouterBranch.stake()`

Large redeems before fee claims reduce collectible fees

BalancerRouter.sol does not return excess user funds at certain conditions.

Anyone can steal USDT from the protocol using the redeemUSDT function.

_calculateMaxBorrowCollateral function will revert in extreme market conditions leading to liquidations.

V3AMO.sol will not work with some of the protocols it is aimed to integrate with.

The protocol is not compliant with ERC-1504

Wrong accounting in case of using stETH as RA due to 1-2 Wei loss per transfer.

Incorrect pointer set in the ```initialize()``` function leads to broken functionality of RedemptionVaultWithBUIDL.sol

The function ```disable_max_lock``` in VotingEscrow.sol doesn't handle the case when the nft being removed is the last item in the array.

Availability of deposit invariant can be bypassed

OpenRelay.sol does not account for the Layer1 gas fees used in the transaction while calculating the fee to be paid to the relayer.

Distribution can be bricked, and double claims by a few holders are possible when owner calls `LiquidInfrastructureERC20::setDistributableERC20s`

Wrong price feed contract address used in the constructor of the StableOracleWBTC.sol.