Minting zero tokens when underlyingToken is not Ether in cashIn()

Since the cost of launching a new pool is minimal, an attacker can maliciously consume VirtualTokens.

LP for v3 pool of underlying tokens with decimals != 18 would have incorrect NFT metadata

Inflated `GaugeV3` rewards when period is skipped

Malicious actors can manipulate the `cross_chain_callback` callback

There is no refund mechanism in `ChakraSettlement.processCrossChainCallback` or `ChakraSettlementHandler.receive_cross_chain_callback` function

Unrestricted Changes to Token Settings Allow Artists to Alter Critical Features

Reentrancy Vulnerability Allows Bypass of Cooldown, Leading to Unfair Reward Extraction Through Flash Loan

Exposed `_removeCredIdPerAddress` & `_addCredIdPerAddress` allows anyone to cause issues to current holders as well as upcoming ones

Forced endTime extension in updateArtSettings() allows attacker to mint more tokens

`PhiFactory:claim` Potentially Causing Loss of Funds If `mintFee` Changed Beforehand

Refunds sent to incorrect addresses in certain cases

Incorrect Fee Handling Prevents Protocol from Updating Fees

Contract `PhiNFT1155` can't be paused

Attacker can DOS user from selling shares of a credId

PhiNFT1155 contracts continue sending fees/royalties to old protocol destination address

Lack of data validation when users are claiming their art allows malicious user to bypass signature/merkle hash to provide unapproved `ref_`, `artId_` and `imageURI`

Admin cannot remove an existing role in case of address compromise

Malicious User can call `lockOnBehalf` repeatedly extend a users `unlockTime`, removing their ability to withdraw previously locked tokens

Invalid validation allows users to unlock early

Single plot can be occupied by multiple renters

in `farmPlots()` an underflow in edge case leading to freeze of funds (NFT)

[H-01] Miscalculation in `_farmPlots` function could lead to a user unable to unstake all NFTs

Invalid validation in _farmPlots function allowing a malicious user repeated farming without locked funds

When `LockManager.lockOnBehalf` is called from `MigrationManager`, the user's `reminder` will be set to 0, resulting in fewer received `MunchableNFTs`

Missing disapproval check in `LockManager.sol::approveUSDPrice` allows simultaneous approval and disapproval of a price proposal

Users can farm on zero-tax land if the landlord locked tokens before the LandManager deployment

Vultisig whitelisting can be bypassed by anyone

Vultisig should be burnable

Malicious User can call `lockOnBehalf` repeatedly extend a users `unlockTime`, removing their ability to withdraw previously locked tokens

Invalid validation allows users to unlock early

Single plot can be occupied by multiple renters

in `farmPlots()` an underflow in edge case leading to freeze of funds (NFT)

[H-01] Miscalculation in `_farmPlots` function could lead to a user unable to unstake all NFTs

Invalid validation in _farmPlots function allowing a malicious user repeated farming without locked funds

When `LockManager.lockOnBehalf` is called from `MigrationManager`, the user's `reminder` will be set to 0, resulting in fewer received `MunchableNFTs`

Missing disapproval check in `LockManager.sol::approveUSDPrice` allows simultaneous approval and disapproval of a price proposal

Users can farm on zero-tax land if the landlord locked tokens before the LandManager deployment

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

`NoyaValueOracle.getValue` returns an incorrect price when a multi-token route is used

Base tokens like USDT, USDC having different decimals on different chains can have their TVL updated incorrectly

`AccountingManager#totalWithdrawnAmount` should reflect tokens actually transferred to users, instead of expected transfers

The modifier `onlyExistingRoute` works incorrectly

AccountingManager has no correct implementations of the core ERC-4626 functions `deposit`, `mint`, `withdraw` and `redeem`

`Keepers` does not implement EIP712 correctly on multiple occasions

Incorrect modifier condition

Stale price can be used in `getValueFromChainlinkFeed` function

Contract does not earn any boosted position rewards in Maverick Connector

Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

Inability to perform partial liquidations allows huge positions to accrue bad debt in the system

User can get their Kerosene stuck because of an invalid check on withdraw

`VaultManagerV2.sol::burnDyad` function is missing an `isDNftOwner` modifier, allowing a user to burn another user's minted DYAD

Attacker can frontrun to prevent vaults from being removed from the dNFT owner's position

No incentive to liquidate small positions could result in protocol going underwater

Taiko L1 - Proposer can maliciously cause loss of funds by forcing someone else to pay prover's fee

Users will never be able to withdraw their claimed airdrop fully in ERC20Airdrop2.sol contract

Incorrect __Essential_init() function is used in TaikoToken making snapshooter devoid of calling snapshot()

retryMessage unable to handle edge cases.

Holders array can be manipulated by transferring or burning with amount 0, stealing rewards or bricking certain functions

Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win

A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters

Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

Player can mint more fighter NFTs during claim of rewards by leveraging reentrancy on the `claimRewards() function `

Fighters cannot be minted after the initial generation due to uninitialized `numElements` mapping

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

FighterFarm:: reroll won't work for nft id greator than 255 due to input limited to uint8

Constraints of dailyAllowanceReplenishTime and allowanceRemaining during mint() can be bypassed by using alias accounts & safeTransferFrom()

Burner role can not be revoked

DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed.

Fighter created by mintFromMergingPool can have arbitrary weight and element

When `DecentBridgeExecutor.execute` fails, funds will be sent to a random address

Users will lose their cross-chain transaction if the destination router do not have enough WETH reserves.

Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.

DecentEthRouter.sol#_bridgeWithPayload() - Any refunded ETH (native token) will be refunded to the DecentBridgeAdapter, making them stuck

Missing access control on UTB:receiveFromBridge allows UTB swaps to be executed without spending bridge fees while bypassing fee/swap instruction signature verification

Attack to make ````CurveSubject```` to be a ````HoneyPot````

Unauthorized Access to setCurves Function

Protocol and referral fee would be permanently stuck in the Curves contract when selling a token

Curves::_buyCurvesToken(), Excess of Eth received is not refunded back to the user.

Withdrawing with amount = 0 will forcefully set name and symbol to default and disable some functions for token subject

Incorrect amounts of ETH are transferred to the DAO treasury in `ERC20TokenEmitter::buyToken()`, causing a value leak in every transaction

MaxHeap.sol: Already extracted tokenId may be extracted again.

positionMapping for last element in heap is not updated when extracting max element

Bidder can use donations to get VerbsToken from auction that already ended.

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

Attacker can reenter to mint all the collection supply

Multiple mints can brick any form of `salesOption` 3 mintings

Bidder Funds Can Become Unrecoverable Due to 1 second Overlap in `participateToAuction()` and `claimAuction()`

Approved address can approve other addresses for an owner's safe

SafeHandler contract doesn't have any method to call to `ODSafeManager.allowHandler()`, lead to DOS in some function

Old permissions in handlerCan mapping are still attached to the safeHandler of a transferred safe

`ODSafeManager#allowSAFE()` cannot be executed either by the proxy contract or any other address.

All tokens can be stolen from `VirtualAccount` due to missing access modifier

No deposit cross-chain calls/communication can still originate from a removed branch bridge agent

Users may be forced into long lock times to be able to undelegate back to themselves.

Delegated votes are locked when owner lock is expired

Incorrect function call in LybraRETHVault's getAssetPrice