Any user can delay staking rewards for tokens with low decimals with little cost

Incorrect repayment calculation when withdrawing and the borrowed token is `token1`

`Leverager::deposit`, does not support multi-hop swaps with `exactOutput`

`Strategy::mainPosition` will never be 50/50 when tick spacing is 1

`marketRate` should not apply when redeeming leverage tokens and collateral ratio is above the minimum

Incorrect decimals in `BondOracleAdapter` will cause it to return incorrect `marketRate`

Malicious user can leverage flash loans to claim all coupon rewards

Auction will not be able to pull reserve tokens, due to updating the period after deploying the auction

Insufficient fee tracking mechanism might cause the protocol to claim more/less fees.

`sharesPerToken` still gets snapshotted even if the respective auction failed to sell off the reserve tokens

Tokens might get stuck in `BalancerRouter` if `BalancerRouter::joinBalancerAndPredeposit` amount exceeds the reserve cap

Due to rounding down in `Auction::slotSize` the auction might not be able to sell, even if all of the slots get filled

`Auction::endAuction` might pull some of the unclaimed fees

`SecondSwap_Marketplace` vesting listing order affects how much the vesting buyers can claim at a given step

LamboFactory can be permanently DoS-ed due to createPair call reversal

Minting zero tokens when underlyingToken is not Ether in cashIn()

`SuperPool` has the ability to be paused but does not stop any functions when pausing it

`Flashlender.sol#flashLoan()` should use `mintProfit()` to mint fees. The current implemetation may lead to locked up WETH in PoolV3.

Malicious actor can abuse the minimum shares check in `StakingLPEth` and cause DoS or locked funds for the last user that withdraws

`PendleLPOracle::_fetchAndValidate` uses Chainlink's deprecated `answeredInRound`

`PositionAction4626::increaseLever` will always revert

User can DoS withdrawals and transfers by delegating 1024 times to an NFT owner

Claimable gauge distributions are locked when `Voter::killGaugeTotally` or `Voter::pauseGauge` is called

User can DoS new stable pairs by minting and swapping small amounts

Period after the BribeRewarder's start period will not accumulate as much rewards, causing users to claim less and leaving the last depositor without rewards

Denial of Service (DoS) in Voting Mechanism for All Pools

attacker can vote twice with same staking tokens

MasterchefV2 does not account for fee on transfer tokens, causing innacurate acounting and possible stealing of funds

Error in access control check allows users to add to positions of other users

Insufficient Reward Validation Allows Malicious Bribes to Block Legitimate Rewards for Multiple Periods

users can vote multiple times with same stake tokens when emergancyUnlock is set

Possible DoS When calling `GammaTradeMarket::_removePosition` will cause user position to not be able to get liquidated

Chainlink's `latestRoundData` might return stale or incorrect results

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

Attacker can increase the length of `withdrawQueue` by withdrawing 0 amount of tokens frequently

Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine

Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply

Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults

No incentive to liquidate small positions could result in protocol going underwater