The user can send tokens to any address by using two bridge transfers, even when transfers are restricted.

Improper Transfer Restrictions on Non-Bridged Tokens Due to Boolean Bridged Token Tracking, Allowing a DoS Attack Vector

RAACNFT mint function receives funds to address(this) but has no way of withdrawing them

NFTs Get Permanently Locked in Stability Pool After Liquidation

Hardcoded Exchange Rate Leading to Incorrect Deposits and Redemptions

There is no logic checking for RAACNFT price staleness before minting it

RAACNFT wrongly suppose crvUSD to be equal to 1 dollar

Missing Slippage Protection in `LendingPool.deposit()`

Emergency Timelock Bypass: No Enforced 1-Day Delay for Emergency Actions

`FeeCollector::updateFeeType` wrong fee share validation leads to impossible update for some fee types

Lack of incentives for users to call LendingPool::initiateLiquidation allows extensive delay between when health factor dropped below threshold and when grace period starts

Missing TokenURI Function in RAACNFT contract Makes All NFTs Look the Same and Unusable

The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0, this can cause potential loss for the new depositors