Attacker can utilize function `CdpManager.redeemCollateral()` to break the order of sortedCdps

Lenders can escape the blacklisting of their accounts because they can move their MarketTokens to different accounts and gain the WithdrawOnly Role on any account they want

Borrower has no way to update `maxTotalSupply` of `market` or close market.

Borrowers can escape from paying half of the penalty fees by closing the market, and those remaining penalty fees will be covered by the lender who withdraws last

Borrower can drain all funds of a sanctioned lender

Function WildcatMarketController.setAnnualInterestBips allows for values outside the factory range

Users must pay a lot of fee to claim rewards when they first stake in the OTLM contracts

Adversary can spam tx to stop accuring the rewards

DOS issue in `OTLM` contract when the `payoutToken` revert on transfer 0 token

optionToken can't be exercise right after function `create` is called

Attacker can delist another user's rollover

Users can lose their profit when using a rollover mechanism

Some rollovers can't be processed due to the function `Carousel.delistInRollover`

Users can bypass the fee when depositing in the vault

Copy entire array to memory can lead to DOS in functions `mintDepositInQueue` and `mintRollovers`

Attackers can deposit into vaults after the de-peg event is triggered to steal the funds.

Incorrect treasury address was used in function `VaultFactoryV2.changeTreasury()`

Missing check of oracle's return value

The function `Carousel.mintRollovers()` can be DOS due to the updating `rolloverAccounting[_epochId]`

First depositor of pool can abuse rounding error to steal tokens

User can borrow loan token without having enough collateral tokens

Borrower can call `getCurrentState()` to make the interest can't be accrued

Malicious funders can call `refundDeposit()` after a bounty is closed to make bounty doesn't have enough fund to pay for the winners.

Missing check whether the nft is refunded before transferring the reward to users

Attacker can create a draft tokens and spam deposit to make function `DepositManagerV1.refundDeposit()` out-of-gas.

Attacker can fund malicious tokens to make competitor unable to claim their reward.

Bounty doesn't work as expected with token revert transferring with amount = 0

Missing check of deposit's endTime lead to unable to refundDeposit

`setPayoutScheduleFixed()` can be executed with fewer tiers

After the bounty completely distributed, the remaining tokens can be locked into the contracts

Use `safeTransfer` instead of `transfer`

Attackers can force borrower unable to repay the loan in case debt token is USDC

Rounding error when call function `dodoMultiswap()` can lead to revert of transaction or fund of user

Builder can halve the interest paid to a community owner due to arithmetic rounding

Incorrect initialization of smart contracts with Access Control issue

Proposal which started buyout which fails is able to settle migration as if its buyout succeeded.

Fund will be stuck if a buyout is started while there are pending migration proposals

Steal NFTs from a Vault, and ETH + Fractional tokens from users.

Proposer can `start` a perpetual buyout which can only `end` if the auction succeeds and is not rejected

Cash-out from a successful buyout allows an attacker to drain Ether from the `Buyout` contract

Use of `payable.transfer()` may lock user funds

Options with a small strike price will round down to 0 and can prevent assets to be withdrawn

token transfers in LiquidityReserve and Staking contract don't support deflationary ERC20 tokens, and user funds can be lost if stacking token was deflationary

`_storeRebase()` is called with the wrong parameters

It shouldn’t be possible to create a vault with Cally’ own token

Vault is Not Compatible with Fee Tokens and Vaults with Such Tokens Could Be Exploited

amount requires to be updated to contract balance increase (1)

Use of `.send()` May Revert if The Recipient's Fallback Function Consumes More Than 2300 Gas

_revokeRole doesn't remove account from roleMember set

IndexLogic: An attacker can mint tokens for himself using assets deposited by other users

Wrong shareChange() function (vToken.sol)

Wrong requirement in reweight function (ManagedIndexReweightingLogic.sol)

StakedCitadel doesn't use correct balance for internal accounting

StakedCitadel: wrong setupVesting function name

Funding.deposit() doesn't work if there is no discount set

New vest reset `unlockBegin` of existing vest without removing vested amount

reward will be locked in the farm if no LP join the pool at epoch.startBlock

rewards will be locked if user transfer directly to pool without using deposit function