Unauthorized Reallocation in `NudgeCampaign::handleReallocation` and Reward Disruption Vulnerability in `NudgeCampaign::invalidateParticipations`

Unauthorized Token Transfers Due to Missing Caller Verification in PayWithErc20 function

Reward Rate Skew Due to Permissionless Deposits

Infinite Loop in `_getTokenIn()` Causes Out-of-Gas Revert on Multi-Hop Swaps Blocking leveraged Positions from being opened

The user can send tokens to any address by using two bridge transfers, even when transfers are restricted.

Multiple Delegation by Double Spending Boosts and Lack of Delegation Tracking in BoostController Contract

RAACNFT mint function receives funds to address(this) but has no way of withdrawing them

RToken's transfer function lead to loss of funds due to incorrect math

Critical Economic Design Flaw in ZENO Zero-Coupon Bond Implementation Leads to Guaranteed User Losses

Stability pool does not consider RToken balance increase when DEToken is withdrawn

[H-2] Lack of Emergency Pause in `BaseGauge::stake` and `BaseGauge::withdraw

Users Can Lose Funds and Collateral by Repaying Loans After Liquidation Grace Period Expiry

Workingsupply would always be overwritten in boostcontroller.sol impacting reward calculations

Emergency revoke in RAACReleaseOrchestrator will freeze revoked RAAC tokens in orchestrator

Inconsistent Scaling in RToken Transfer Functions

Users Cannot Remove Their Own Boost Delegation, Causing Potential Lock-In

`FeeCollector::updateFeeType` wrong fee share validation leads to impossible update for some fee types

Cross-Chain Signature Replay Attack Due to User-Supplied `domainSeparator` and Missing Deadline Check

Refund Underflow in Swap Refund Logic Leading to Locked Funds

BuyerAgent Batch Purchase Failure Due to Asset Transfer or Approval Revocation

Incorrect set up and logic of `referralInfoMap` in `SystemConfig::updateReferrerInfo` function

TokenManager - Unlimited withdraw

[Low-01] Missing Access Control in `CapitalPool::approve()` Function Allows any User to call it to set Allowance Amount `TokenContract` to `type(uint256).max`.

Incorrect logic for checking isFillPriceValid

`LiquidationBranch::checkLiquidatableAccounts()` executes `for` loop with wrong values, causing array out of bounds to be recovered, the program will not work as expected

A malicious User can DOS all offchain orders making them unexecutable and leaving the protocol in an insolvent state. Also all offchain Trades can also be DOSed for honest parties that do not meet the fillorder requirements (no try and catch)

payable Modifier in TradingAccountBranch::createTradingAccountAndMulticall

UpgradeBranch.sol does not use _disableInitializers()

entryPoint() function cannot be overridden

Incompatibility with Multisig Wallets in `TempleGold::send` Function

Chainlink's `latestRoundData` might return stale or incorrect results

`Keepers` does not implement EIP712 correctly on multiple occasions

A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

Can mint NFT with the desired attributes by reverting transaction

Any User can mint any amount of WStETH in the WStETHMock.sol and StETHMock.sol