BuilderWallet `init()` is unprotected/re-initializable, enabling takeover and theft of builder fees

Self-settlement via `dispatchFrom` bypasses refund mechanism allowing underfunded debt settlement

Withdrawing just before a bad debt event can increase losses for remaining liquidity providers

`dispatchFrom()` Liveness DoS via `StaleOracle`: Spot Price Manipulation Blocks Liquidations, Force Exercises, and Premium Settlements

Commission Share-Burn Distribution is JIT-Capturable When `builderCode == 0` (Default)

Borrower can extract unbacked Coin at the expense of the protocol

A single borrower being written off will create unbacked stablecoins for all users

Missing slippage protection in Uniswap V3 liquidity operations

Oracle `sanePrice` does not guard from manipulations after time has passed

Missing tranche update in `extendDeposit` causes loss of stake tracking and rewards

Duplicate tranche tracking

Global Variable Manipulation During Active Draw Alters End Result

Incorrect ticket price reference in JackpotBridgeManager causes user overpayment after price updates

Small stakers can be unable to claim rewards due to an attack

Frontrunning `processRewards` allows attacker to capture unintended rewards

Same heartbeat for multiple price feeds is vulnerable

Multiple Delegation by Double Spending Boosts and Lack of Delegation Tracking in BoostController Contract

Flawed Boost Multiplier Calculation Always Yields Maximum Boost

Lack of enforcement of the `MAX_TOTAL_LOCKED_AMOUNT`

Overwriting Previous Allocations in allocateFunds May Lead to Loss of Cumulative Allocation Data

Missing slippage protection in `AerodromeDexter.sol` `swapExactTokensForTokens()`