Majority consensus threshold not enforced for even number of nodes

Replayable recovery requests allow attacker to permanently block account recovery

Unable to upload guardian shares on social backup

Attacker will inject malicious pool addresses to corrupt protocol calculations

adjustMaker ignores recipient parameter when removing liquidity, violating interface contract

Unauthorized Access to setCurves Function

Curves::_buyCurvesToken(), Excess of Eth received is not refunded back to the user.

Missing check in `Cooler.provideNewTermsForRoll` which allows lender to modify loan terms

Missing `deadline` param in `swapExactAmountOut()` allowing outdated slippage and allow pending transaction to be executed unexpectedly.

Return value of low level `call` not checked.

Rounding error in `WUSDA` can result in loss of user funds, especially when manipulated by an attacker

Reentrancy issue with the 'withdraw' method of USDC. All tokens could be drained.

Missing access control on `mintRebalancer()` and `burnRebalancer()`

Incorrect decimals used in the `getPriceUSD` function which uses Chainlink oracle to fetch real time price.

Chainlink's `latestRoundData` could return stale or incorrect result (and no implemention of try-catch block)

Usage of `transfer()` in place of `safeTransfer()` for ERC20 tokens.