Owner can set the feeRate to be greater than 100% and cause all future calls to `exercise` to revert

Owner can steal input tokens

Seven ways in which the Owner and Proxy Admin can make users lose funds ("rug vectors")

Centralisation RIsk: Owner Of `RoyaltyVault` Can Take All Funds

Gas costs will likely result in any fees sent to the Splitter being economically unviable to recover.

`msg.value` is Sent Multipletimes When Performing a Swap

First depositor can break minting of shares

Owner can steal input tokens

Seven ways in which the Owner and Proxy Admin can make users lose funds ("rug vectors")

Oracle data feed is insufficiently validated.

`sNOTE.sol#_mintFromAssets()` Lack of slippage control

Usage of deprecated ChainLink API in `EIP1271Wallet`

No upper limit on `coolDownTimeInSeconds` allows funds to be locked sNOTE owner.

Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom

Owner of LaunchEvent token has the ability to DOS attack the event

TwapOracle doesn't calculate VADER:USDV exchange rate correctly

Minting and burning synths exposes users to unlimited slippage

All user assets which are approved to VaderPoolV2 may be stolen

Unused slippage params

Redemption value of synths can be manipulated to drain `VaderPool` of all native assets

Paying IL protection for all VaderPool pairs allows the reserve to be drained.

VaderReserve does not support paying IL protection out to more than one address, resulting in locked funds

VaderPoolV2 incorrectly calculates the amount of IL protection to send to LPs

`VaderPoolV2` minting synths & fungibles can be frontrun

`USDV.sol` Mint and Burn Amounts Are Incorrect

Oracle doesn't calculate USDV/VADER price correctly

Council veto protection does not work

Redemption value of synths can be manipulated to drain `VaderPoolV2` of all native assets in the associated pair

LPs of VaderPoolV2 can manipulate pool reserves to extract funds from the reserve.

Oracle returns an improperly scaled USDV/VADER price

Reserve does not properly apply prices of VADER and USDV tokens

VaderPoolV2 owner can steal all user assets which are approved VaderPoolV2

Should a Chainlink aggregator become stuck in a stale state then TwapOracle will become irrecoverably broken

Permissioned nature of `TwapOracle` allows owner to manipulate oracle

VaderPoolV2.rescue results in loss of funds rather than recoverability

No way to remove GasThrottle after deployment

Unbounded loop in TwapOracle.update can result in oracle being locked

VaderPoolV2.mintFungible exposes users to unlimited slippage

Oracle can be manipulted to consider only a single pair for pricing

No way to remove GasThrottle from VaderPool after deployment

VaderReserve.reimburseImpermanentLoss improperly converts USDV to VADER

Users can lock themselves out of being able to convert VETH, becoming stuck with the deprecated asset

Missing cap on LicenseFee

Publisher can lock all user funds in the Basket in order to force a user to have their bond burned

TwapOracle doesn't calculate VADER:USDV exchange rate correctly

Minting and burning synths exposes users to unlimited slippage

All user assets which are approved to VaderPoolV2 may be stolen

Unused slippage params

Redemption value of synths can be manipulated to drain `VaderPool` of all native assets

Paying IL protection for all VaderPool pairs allows the reserve to be drained.

VaderReserve does not support paying IL protection out to more than one address, resulting in locked funds

VaderPoolV2 incorrectly calculates the amount of IL protection to send to LPs

`VaderPoolV2` minting synths & fungibles can be frontrun

`USDV.sol` Mint and Burn Amounts Are Incorrect

Oracle doesn't calculate USDV/VADER price correctly

Council veto protection does not work

Redemption value of synths can be manipulated to drain `VaderPoolV2` of all native assets in the associated pair

LPs of VaderPoolV2 can manipulate pool reserves to extract funds from the reserve.

Oracle returns an improperly scaled USDV/VADER price

Reserve does not properly apply prices of VADER and USDV tokens

VaderPoolV2 owner can steal all user assets which are approved VaderPoolV2

Should a Chainlink aggregator become stuck in a stale state then TwapOracle will become irrecoverably broken

Permissioned nature of `TwapOracle` allows owner to manipulate oracle

VaderPoolV2.rescue results in loss of funds rather than recoverability

No way to remove GasThrottle after deployment

Unbounded loop in TwapOracle.update can result in oracle being locked

VaderPoolV2.mintFungible exposes users to unlimited slippage

Oracle can be manipulted to consider only a single pair for pricing

No way to remove GasThrottle from VaderPool after deployment

VaderReserve.reimburseImpermanentLoss improperly converts USDV to VADER

Users can lock themselves out of being able to convert VETH, becoming stuck with the deprecated asset

Approved spender can spend too many tokens