Variable Overwrite in checkPoolAndGetCenterPrice() Creates Dead-Code Deviation Check, Leaving All V3 Protocol-Owned Liquidity Operations Unprotected

UniswapPriceOracle.validatePrice() TWAP Calculation Flaw

Critical Logic Inversion in Price Guard Allows Flash-Loan Manipulation of Liquidity Operations

changeRanges silently fails when price is out of tick range, sending all liquidity to treasury instead of creating new position

Uniswap oracle validateprice can be griefed per block via `sync()`

Force exercise lacks caller-side bounds for exercise fee

Attackers can bypass The MarketFactory.authorization check

Keepers can lose compensation fee

PositionAction.decreaseLever() fails to consider the loan fee in Flashlender when calculating loanAmount, as a result, the functionanlity will not work when protocolFee != 0.

`PositionAction4626::increaseLever` will always revert

Users can lose their tokens in the gauge

DOS attack by delegating tokens

totalWeight can be wrong and this can cause wrong voting results

Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect

LiquidateWithReplacement does not charge swap fees on the borrower

_handleERC20Received takes external fees even if the swap router isn't 1inch router

Founders may get less tokens than expected

Bidder Funds Can Become Unrecoverable Due to 1 second Overlap in `participateToAuction()` and `claimAuction()`

Auction winner can prevent payments via `safeTransferFrom` callback

Batched liquidations doesn't distribute bad debt on next batches in the list

Usage of the Wrong borrowing key inside the takeOverDebt() can cause borrowers to lose funds

The borrower may receive lower profits because of slippage

Wrong repay amount inside the liquidate function

maxVoiceCreditsPerAllocator can be bypassed

RFPSimpleStrategy._registerRecipient() cant be usable with useRegistryAnchor==true

The settle feature will be broken if attacker arbitrarily transfer collateral tokens to the PerpetualAtlanticVaultLP

The peg stability module can be compromised by forcing lowerDepeg to revert.

User can avoid paying high premium price by correctly timing his bond call

accrueInterest is expected to revert when the rate is higher than the maximum allowed rate, which is possible since the utilization can be more than 1

`Vault.mintYieldFee` FUNCTION CAN BE CALLED BY ANYONE TO MINT `Vault Shares` TO ANY RECIPIENT ADDRESS

Users can manipulate observation creation

`drawManager` CAN BE SET TO A MALICIOUS ADDRESS

`_liquidateUser()` should not re-use the same minimum swap amount out for multiple liquidation

all deposit and withdraw function in Convex and Curve nativeLP Strategy, apply slippage on internal pricing; which call real-time on chain price from Curve directly and subject to MEV

No slippage control

Impossible to rebalance with collaterals that have low decimals.

No access control in mint and burn functions.

Chainlink's latestRoundData might return stale or incorrect results

Limit orders are unnecessarily delayed by a block

Lack of slippage check

Missing access control in withdraw() function.

Marketplace owner can front-run and manipulate fees

Protocol doesn’t handle fee on transfer tokens

Challenges can be frontrun with de-leveraging to cause lossses for challengers

POSITION LIMIT COULD BE FULLY REDUCED TO ZERO BY CLONES

Royalty recipients will not get fair share of royalties

DOS of market operations with malicious offers

Calling `Position._marketBuy` and `Position._marketSell` functions that calculate `_fee` by dividing by `10000` can cause incorrect calculations

Lack of slippage control

Position shouldn't be liquidatable when repay is not allowed.

Chainlink's `latestRoundData` might return stale or incorrect results

`quitPeriod` is effectively always just `1 day`

Use safeTransfer/safeTransferFrom instead of transfer/transferFrom

The borrower can call roll() before lenders toggleRoll() call.

Usage of transfer() may revert.

Use safeTransferFrom() instead of transferFrom().

Use safeTransferFrom() instead of transferFrom() for erc721 transfers

address.call{value:x}() should be used instead of payable.transfer()

Borrower/Lender excessive ETH not refunded and permanently locked in protocol

Attacker can steal funds

Owner can transfer all ERC20 reward token out using function recoverERC20

Lender.mint() May Take The Illuminate PT As Input Which Will Transfer And Mint More Illuminate PT Cause an Infinite Supply

StandardPolicyERC1155.sol returns amount == 1 instead of amount == order.amount