Critical Accounting Manipulation via `removeTokenIdAtIndex` Allows Owner to Steal User Principal

Spot Price Dependency in `dexBalances` Allows Share Price Manipulation

Fragile APY Sanity Check in `StNxmOracle` Causes Early Deployment Denial of Service

Accounting Manipulation and Theft via Duplicate Tranche Tracking in `stakeNxm`

Untrusted authorizer in migration flows allows anyone to drain a user’s collateral via `migrateFrom`

FULL-Restricted Staker Can Still Stake by Depositing to an Unrestricted Receiver

`Factory::set_gauge_controller` has inverted guard

Missing accounting update in `claim()` allows unbounded repeat claims by the recipient

Same heartbeat for multiple price feeds is vulnerable

Consensus Threshold Bypass via Duplicate Signer Entries

Incorrect Indexing in `DepositQueue.cancelDepositRequest()` Corrupts Fenwick-Tree Accounting

Transfer-Whitelist Logic Inversion in `ShareManager.updateChecks`

Missing Slippage Protection in `PendlePT_sUSDe._executeInstantRedemption` Enables Sandwich Attacks

Hard-Coded Mainnet WETH Address Breaks All Non-Mainnet Deployments

Zero-Cooldown Withdrawals in EthenaWithdrawRequestManager Permanently Strand Users’ USDe

Early 72-digit adjustment in sqrt will lead to incorrect result exponent calculation

MergeTgt has no handling if TGT_TO_EXCHANGE is exceeded during the exchange period

Incorrect Token Price Validation in KeeperProxy

Creator of one vesting plan can affect vesting plans created by other users.

BuyerAgent Batch Purchase Failure Due to Asset Transfer or Approval Revocation

Potential Uninitialized `entropySlots` Reading in `getNextEntropy`, Causing 0 Entropy Mint

V3Oracle susceptible to price manipulation

Fixed Amount of Gas Sent in Call May Be Insufficient.

Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.