User can steal refunded tokens through `withdrawToNativeChain`

Incorrect swap amount in `GatewayTransferNative::onCall` could cause insolvency when refunding tokens

Insuficcient slippage procetion could cause the user to spend more

Draining of excess approval through `GatewayTransferNative::withdraw`

`realTax` will always be calculated as 0 in `removeValueSingle` due to using incorrect variable

Users get taxed twice in `ValueFacet::removeValueSingle`

User can take pending rewards by moving the positions out of range

Loss of fees due to prematurily increasing staked values

User can backrun an admin calling `setEX128` and steal the difference in tokens

Users calling `ValueFacet::removeValueSingle`, will not get trimmed rewards

Any user can delay staking rewards for tokens with low decimals with little cost

Incorrect repayment calculation when withdrawing and the borrowed token is `token1`

`Leverager::deposit`, does not support multi-hop swaps with `exactOutput`

`Strategy::mainPosition` will never be 50/50 when tick spacing is 1

MergeTgt has no handling if TGT_TO_EXCHANGE is exceeded during the exchange period

The user can send tokens to any address by using two bridge transfers, even when transfers are restricted.

Improper Transfer Restrictions on Non-Bridged Tokens Due to Boolean Bridged Token Tracking, Allowing a DoS Attack Vector

Cross-Chain Signature Replay Attack Due to User-Supplied `domainSeparator` and Missing Deadline Check

`marketRate` should not apply when redeeming leverage tokens and collateral ratio is above the minimum

Incorrect decimals in `BondOracleAdapter` will cause it to return incorrect `marketRate`

Malicious user can leverage flash loans to claim all coupon rewards

Auction will not be able to pull reserve tokens, due to updating the period after deploying the auction

Insufficient fee tracking mechanism might cause the protocol to claim more/less fees.

`sharesPerToken` still gets snapshotted even if the respective auction failed to sell off the reserve tokens

Tokens might get stuck in `BalancerRouter` if `BalancerRouter::joinBalancerAndPredeposit` amount exceeds the reserve cap

Due to rounding down in `Auction::slotSize` the auction might not be able to sell, even if all of the slots get filled

`Auction::endAuction` might pull some of the unclaimed fees

`SecondSwap_Marketplace` vesting listing order affects how much the vesting buyers can claim at a given step

LamboFactory can be permanently DoS-ed due to createPair call reversal

Minting zero tokens when underlyingToken is not Ether in cashIn()

`Flashlender.sol#flashLoan()` should use `mintProfit()` to mint fees. The current implemetation may lead to locked up WETH in PoolV3.

Malicious actor can abuse the minimum shares check in `StakingLPEth` and cause DoS or locked funds for the last user that withdraws

`PendleLPOracle::_fetchAndValidate` uses Chainlink's deprecated `answeredInRound`

`PositionAction4626::increaseLever` will always revert

Period after the BribeRewarder's start period will not accumulate as much rewards, causing users to claim less and leaving the last depositor without rewards

Denial of Service (DoS) in Voting Mechanism for All Pools

attacker can vote twice with same staking tokens

MasterchefV2 does not account for fee on transfer tokens, causing innacurate acounting and possible stealing of funds

Error in access control check allows users to add to positions of other users

Insufficient Reward Validation Allows Malicious Bribes to Block Legitimate Rewards for Multiple Periods

users can vote multiple times with same stake tokens when emergancyUnlock is set

Possible DoS When calling `GammaTradeMarket::_removePosition` will cause user position to not be able to get liquidated

Chainlink's `latestRoundData` might return stale or incorrect results

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

Attacker can increase the length of `withdrawQueue` by withdrawing 0 amount of tokens frequently

Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine

Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply

Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults

No incentive to liquidate small positions could result in protocol going underwater