Payment::payWithERC20 lacks access control

Whitelist can be bypassed, making createAgentWithWhitelistUsers redundant

Attacker can call SymmStaking::notifyRewardAmount to extend periodFinish and "dilute" rewards

Vesting::_resetVestingPlans reverts in legitimate cases

Leverager::_checkWithinlimits incorrectly calculates positionLeverage

Leverager::withdraw repayFromWithdraw error

The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0, this can cause potential loss for the new depositors

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

BondOracleAdapter::latestRoundData Returns X96 Result

lToken Not Considered in MarketRate

An Attacker Can Almost Completely Drain the Protocol

Attacker Can Consistently Cause a Denial-of-Service (DoS) in Auctions

redeemRate Division Before Multiplication

Pool Contract: Comparison Between Different Decimals

Owner fee will be locked in `UpliftOnlyExample` contract due to incorrect recipient address in `UpliftOnlyExample::onAfterSwap`

fees sent to QuantAMMAdmin is stuck forever as there is no function to retrieve them

quantAMMSwapFeeTake used for both getQuantAMMSwapFeeTake and getQuantAMMUpliftFeeTake.

Incorrect Handling Of Nft Self-Transfer In afterupdate Hook Allows The Owner To Grief A Buyer By Rendering The Nft Unable To Redeem Its Associated Liquidity, Resulting In A Loss Of Funds

Transferring deposit NFT doesn't check if the receiver exceeds the 100 deposit limit

Underflow in `claimable` DOSing `claim` Function

Incorrect referral fee calculations

Accumulated ETH in the LamboVEthRouter will be irretrievable

ReputationMarket::_calculateBuy Overcharges Fees

Users Can Avoid Some Fees in EthosVouch

No Slippage Protection When Selling Tokens

DebitaIncentives::updateFunds Does Not Check All validPairs

SuperPool does not use Pausable modifiers

No incentive to liquidate

SuperPool is not ERC 4626 compliant

Forger Entities can forge more times than intended

Pause and unpause functions are inaccessible

Discrepancy between nfts minted, price of nft when a generation changes & position of `_incrementGeneration()` inside `_mintInternal()` & `_mintNewEntity()`

BribeRewarder.deposit Reverts

MlumStaking._requireOnlyOperatorOrOwnerOf incorrect implementation

Inconsistency Calculating MlumStaking, Position avgDuration

MlumStaking.harvestPositionsTo Invalid Implementation

Most users won't be able to claim their share of Uniswap fees

Transfer of ILOPool NFT token to different account allows for users to bypass the pool's `maxCapPerUser` invariant

Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply

No incentive to liquidate small positions could result in protocol going underwater

Value of kerosene can be manipulated to force liquidate users

Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

Fighters cannot be minted after the initial generation due to uninitialized `numElements` mapping

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed.

Whitelised accounts can be forcefully DoSed from buying curveTokens during the presale

Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`

Unauthorized Access to setCurves Function

Protocol and referral fee would be permanently stuck in the Curves contract when selling a token

Curves::_buyCurvesToken(), Excess of Eth received is not refunded back to the user.

Rewards can be drained because of lack of access control

Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds

Anyone can pause AuctionHouse in _createAuction