The settle feature will be broken if attacker arbitrarily transfer collateral tokens to the PerpetualAtlanticVaultLP

Put settlement can be anticipated and lead to user losses and bonding DoS

User can avoid paying high premium price by correctly timing his bond call

Change of `fundingDuration` causes "time travel" of `PerpetualAtlanticVault.nextFundingPaymentTimestamp()`

`ethOracle` in `StableOracleDAI` is `addr(0)`

No access control on `mintRebalancer()/burnRebalancer()`

Extra 1e18 scaling in `BuyUSSDSellCollateral()`

Need slippage control for rebalance swap

Spot price in `getOwnValuation()` could be manipulated

`latestRoundData()` has no check for stale price and round completeness

WBTC depeg risk

ERC20 `tranfer()` return value not checked

DoS with malicious collateral contract to manipulate `collateralAddresses[]`

Fee on transfer token support

CHALLENGER_REWARD can be used to drain reserves and free mint

transfer position ownership to `addr(0)` to DoS `end()` challenge

need alternative ways for fund transfer in `end()` to prevent DoS

Challengers and bidders can collude together to restrict the minting of position owner

POSITION LIMIT COULD BE FULLY REDUCED TO ZERO BY CLONES

Reward accounting is incorrect in BathBuddy contract

DOS of market operations with malicious offers

Fee inclusivity calculations are inaccurate in RubiconMarket

Calling `Position._marketBuy` and `Position._marketSell` functions that calculate `_fee` by dividing by `10000` can cause incorrect calculations

DoS due to external call failure

Steal liquidatable borrower's collateral using rounding down

Steal deposit fund when `deposit()` by exchange rate manipulation

LP token should be transferred to the seller if defaulted

DoS when accruing Premium

Expired protection capital could still be locked

Possible scenario for Signature Replay Attack

Loss of staking yield for stakers when another user stakes in pause/frozen state

RToken permanently insolvent/unusable if a single collateral in the basket behaves unexpectedly

Should Accrue Before Change, Loss of Rewards in case of change of settings

Disabled NFT collateral should not be used to mint debt

Division by zero error can block RewardsPool#startRewardCycle if all multisig wallet are disabled.

wrong reward distribution between early and late depositors because of the late syncRewards() call in the cycle, syncReward() logic should be executed in each withdraw or deposits (without reverting)

Cancellation of minipool may skip MinipoolCancelMoratoriumSeconds checking if it was cancelled before

Inflation rate can be reduce by half at most if it get called every 1.99 interval.

Bypass `whenNotPaused` modifier

Liquidity providers may lose funds when adding liquidity

First depositor can break minting of shares

Malicious user can steal all assets in BondNFT

Incorrect Assumption of Stablecoin Market Stability

Must approve 0 first

Approved operators of Position token can't call Trading.initiateCloseOrder

Centralization risks: owner can freeze withdraws and use timelock to steal all funds

`BondNFT.sol#claim()` needs to correct all the missing epochs

Unreleased locks cause the reward distribution to be flawed in BondNFT

Chainlink price feed is not sufficiently validated and can return stale price

Lock.sol: claimGovFees function can cause assets to be stuck in the Lock contract

Use of `payable.transfer()` Might Render ETH Impossible to Withdraw

Discrepency in the Uniswap V3 position price calculation because of decimals

Fallback oracle is using spot price in Uniswap liquidity pool, which is very vulnerable to flashloan price manipulation

Front-running admin setPrice call allows a single compromised oracle to set any price, allowing the oracle manipulator to drain all protocol funds

During oracle outages or feeder outages/disagreement, the `ParaSpaceFallbackOracle` is not used

`checkOrder()` need access control

Unbounded loop could DoS `withdrawUSDC()/dequeueCrab()` and lock user fund

`latestRoundData()` has no check for round completeness

Users Receive Less Rewards Due To Miscalculations

Underlying assets stealing in `AutoPxGmx` and `AutoPxGlp` via share price manipulation

Reward tokens mismanagement can cause users losing rewards

steal pool profit by timing the `unlock` transaction

transfer return value not checked

non standard ERC20 support

`reclaimContract()` need to check if the order is matched

Attacker may DOS auctions using invalid bid parameters

Incompatibility with fee-on-transfer/inflationary/deflationary/rebasing tokens, on both base tokens and quote tokens, with varying impacts

The lender can draw out extra credit token from borrower's account

Mistakenly sent eth could be locked

Variable balance ERC20 support

address.call{value:x}() should be used instead of payable.transfer()

Steal deposit fund in ERC4626 vault by exchange rate manipulation

Chainlink oracle data feed is not sufficiently validated and can return stale `price`

Bypass paused `redeem()`

`LIEN_TOKEN.ownerOf(i)` should be `LIEN_TOKEN.ownerOf(liensRemaining[i])`

If an auction has no bidder, the NFT ownership should go back to the loan lenders

Steal deposit fund in ERC4626 vault by exchange rate manipulation

Over payment should be returned

Source contract can steal NFTs from users

Bad source of randomness

`_payoutToken[s]()` is not compatible with tokens with missing return value

Transfering funds to yourself increases your balance

Vault exchange rate manipulation in `deposit()`

Unbounded length loop could cause DoS in `_processOrders()`

Underflow in `_previewWithdraw()` causing DoS

`epochsByBuyer[]` can lose records

`latestRoundData()` might return stale or incorrect results

`exp()` function is not accurate when `x/g` is not small

Rewards delay release could cause yields steal and loss

frxETH can be depegged due to ETH staking balance slashing

`getNextValidator()` error could temporarily make `depositEther()` inoperable

Variable balance token causing fund lock and loss

Supply cap of VariableSupplyERC20Token is not properly enforced

Hardcoded USD pegs can be broken

Founders can receive less tokens that expected

The quorum votes calculations don't take into account burned tokens

A proposal can pass with 0 votes in favor at early DAO stages

Auction parameters can be changed during ongoing auction

Steal deposit fund in ERC4626 vault using rounding down error

ERC20 tokens with pause mode could break repay/liquidation functionality

Chainlink `latestRoundData()` might return stale or incorrect results

`activateProposal()` need time delay

Voted votes cannot change after the user are issued with new votes or the user's old votes are revoked during voting

[NAZ-M1] Chainlink's `latestRoundData` Might Return Stale Results

Liquidator might end up paying much more asset than collateral received

Missing upper limit definition in replaceLenderFee() of HomeFi.sol

Add cancel and refund option for Transaction Recovery

transfer() depends on gas consts

Delegate call in `Vault#_execute` can alter Vault's ownership

Oracle periodSize is very low allowing the TWAP price to be easily manipulated

The LP pair underlying price quote could be manipulated