Withdrawal transactions can get stuck if output root is reproposed

Truncation in `OrderValidator` can lead to resetting the fill and selling more tokens

Wrong items length assertion in basic order

Merkle Tree criteria can be resolved by wrong tokenIDs

StakedCitadel depositors can be attacked by the first depositor with depressing of vault token denomination

Owner can steal input tokens

[WP-H3] `saleRecipient` can rug buyers

New vest reset `unlockBegin` of existing vest without removing vested amount

KnightingRound tokenOutPrice changes

yVault: First depositor can break minting of shares

Setting new controller can break YVaultLPFarming

Reentrancy issue in `yVault.deposit`

`setDebtInterestApr` should accrue debt first

Undercollateralized loans possible

Dysfunctional `CToken._acceptAdmin` due to lack of function to assign `pendingAdmin`

Can force borrower to pay huge interest

Borrowers lose funds if they call `repayAndCloseLoan` instead of `closeLoan`

Might not get desired min loan amount if `_originationFeeRate` changes

Oracle price does not compound

`OracleRef` assumes backup oracle uses the same normalizer as main oracle

Updating rate limit for addresses restores their entire buffer amount

Setting new buffer does not reduce current buffer to cap

Div by 0

First depositor can break minting of shares

Withdrawal delay can be circumvented

`getSharesForAmount` returns wrong value when `totalAssets == 0`

Wrong formula when add fee `incentivePool` can lead to loss of funds.

Can deposit native token for free and steal funds

[WP-H23] Improper `tokenGasPrice` design can overcharge user for the gas cost by a huge margin

`LiquidityProviders`: Setting new LP token will break contract

`LiquidityProviders`: Setting new liquidity pool will break contract

`sharesToTokenAmount`: Division by zero

Unsupported tokens cannot be withdrawn

Owners have absolute control over protocol

Incompatibility With Rebasing/Deflationary/Inflationary token

Spend limit on owner can be bypassed

`bEth` Rewards May Be Depleted By Flashloans or Whales

Unbonding validator random selection can be predicted

Sandwich attack on astroport sweep

Staking tokens can be stolen

Simple interest calculation is not exact

Missing receiver validation in `withdrawFrom`

`LockedBalance` library should drop parameters to 96/32 bits

`MAX_ROYALTY_RECIPIENTS_INDEX` set too low

Private sale spoofing

EIP-712 signatures can be re-used in private sales

`permitAndMulticall()` May Be Used to Steal Funds Or as a Denial Of Service if `_from` Is Not The Message Sender

Reentrancy in `MessageProxyForSchain` leads to replay attacks

NFT owner can change tokenURI

Not compatible with Rebasing/Deflationary/Inflationary tokens

[WP-H1] Transactions can be replayed when a connectedChain is removed and then reconnected

TokenManagerERC20.sol uses transferFrom() instead of safeTransferFrom()

denial fo service

InsuranceFund depositors can be priced out & deposits can be stolen

`Oracle.getUnderlyingPrice` could have wrong decimals

`settleFunding` will exceed block gas with more markets and activity

ERC4626 mint uses wrong `amount`

ERC4626 does not work with fee-on-transfer tokens

`ERC4626RouterBase.withdraw` should use a **max** shares out check

Slurp can be frontrun with fee increase

[WP-M2] Wrong implementation of `TurboSafe.sol#less()` may cause boosted record value in TurboMaster bigger than actual lead to `BoostCapForVault` and `BoostCapForCollateral` to be permanently occupied

Distributions must not match actual bribes

Wrong slippage check

SafeERC20.sol is imported but not used in the transferBribes() function

[WP-H0] `DEFAULT_ADMIN_ROLE` of `BribeVault` can steal tokens from users' wallets

Cashback on referral

Approvals not cleared when transferring profile

Profile creation can be frontrun

Name squatting

Ineffective Whitelist

Basis points constant BPS_MAX is used as minimal fee amount requirement

StakedCitadel depositors can be attacked by the first depositor with depressing of vault token denomination

Owner can steal input tokens

[WP-H3] `saleRecipient` can rug buyers

New vest reset `unlockBegin` of existing vest without removing vested amount

KnightingRound tokenOutPrice changes

Shelter `claimed` mapping is set with `_to` address and not `msg.sender`

`ConvexStakingWrapper._calcRewardIntegral()` Can Be Manipulated To Steal Tokens From Other Pools

[WP-H8] `ConvexStakingWrapper.sol#_calcRewardIntegral` Wrong implementation can disrupt rewards calculation and distribution

Wrong reward token calculation in MasterChef contract

Repeated Calls to Shelter.withdraw Can Drain All Funds in Shelter

Fee-on-transfer token donations in `Shelter` break withdrawals

`StakingRewards` reward rate can be dragged out and diluted

[WP-H16] `MasterChef.sol` A `depositor` can deposit an arbitrary amount without no cost

[WP-H29] `StakingRewards.sol` `recoverERC20()` can be used as a backdoor by the `owner` to retrieve `rewardsToken`

DAO proposals can be executed by anyone due to vulnerable TimelockController

`CompoundToNotionalV2.notionalCallback` ERC20 return values not checked

Access restrictions on `CompoundToNotionalV2.notionalCallback` can be bypassed

Access restrictions on `NotionalV1ToNotionalV2.notionalCallback` can be bypassed

`TokenHandler.safeTransferOut` does not work on non-standard compliant tokens like USDT

`TokenHandler.safeTransferIn` does not work on non-standard compliant tokens like USDT

Liquidity token value can be manipulated

Treasury cannot claim COMP tokens & COMP tokens are stuck

Allowance checks not correctly implemented

`CompoundToNotionalV2.enableToken` ERC20 missing return value check

nTokenERC20Proxy emits events even when not success

`TokenHandler.setToken` ERC20 missing return value check

Missing validation on latestRoundData

`sNOTE.sol#_mintFromAssets()` Lack of slippage control

Usage of deprecated ChainLink API in `EIP1271Wallet`

Wrong token allocation computation for token decimals != 18 if floor price not reached

Users can lose value in emergency state

Pair creation can be denied

ERC20 return values not checked

Uninitialized `RocketJoeStaking.lastRewardTimestamp` can inflate `rJoe` supply

Initial pool deposit can be stolen

backdoor in `withdrawRedundant`

[WP-M17] `Vault.sol` Tokens with fee on transfer are not supported

deposit() function is open to reentrancy attacks

Withdrawers can get more value returned than expected with reentrant call

Vaults with non-UST underlying asset vulnerable to flash loan attack on curve pool

unsponsor, claimYield and withdraw might fail unexpectadly

The reentrancy vulnerability in _safeMint can allow an attacker to steal all rewards

`_safeMint` Will Fail Due To An Edge Case In Calculating `tokenId` Using The `_generateNewTokenId` Function

Wrong liquidity units calculation

Swap token can be traded as fake base token

`getAddedAmount` can return wrong results

4 Synths can be minted with fake base token

Missing access restriction on `lockUnits/unlockUnits`

Wrong slippage protection on Token -> Token trades

Anyone can curate pools and steal rewards

Anyone can list anchors / curate tokens

Wrong `calcAsymmetricShare` calculation

Tokens can be stolen through `transferTo`

Transfer fee is burned on wrong accounts

Vault rewards can be gamed

Vault rewards last claim time not always initialized

Vault Weight accounting is wrong for withdrawals

Proposals can be cancelled

`VaderRouter._swap` performs wrong swap

`VaderRouter.calculateOutGivenIn` calculates wrong swap

TWAPOracle might register with wrong token order

Minting and burning synths exposes users to unlimited slippage

All user assets which are approved to VaderPoolV2 may be stolen

`VaderPoolV2` minting synths & fungibles can be frontrun

Vader TWAP averages wrong

Init function can be called by everyone

`flashProof` is not flash-proof

Interest debt is capped after a year

Canceled proposals can still be executed

Completed proposals can be voted on and executed again

Handle transfers of different ERC20 tokens

Governor's veto protection can be exploited

Vests can be denied

`TWAPOracle.getRate` does not scale the ratio

Unclear `TwapOracle.consult` algorithm

Wrong `lastBuyBackPrice`

Missing overflow check in `flashLoan`

`distribute` DoS on missing `receiveRewards` implementation

`getRandomTokenIdFromFund` yields wrong probabilities for ERC1155

A vault can be locked from MarketplaceZap and StakingZap

Unbounded iteration in `NFTXEligiblityManager.distribute` over `_feeReceivers`

Manager can grief with fees

Tokens can get stuck in `NFTXMintRequestEligibility`

Randomization of NFTs returned in redeem/swap operations can be brute-forced

Rewards can be stolen

Low-level call return value not checked

transfer return value is ignored

SingleNativeTokenExitV2 assumes first exchange holds the outputToken

ERC20 return values not checked

Yearn token <> shares conversion decimal issue

Aave's share tokens are rebasing breaking current strategy code

SavingsAccount withdrawAll and switchStrategy can freeze user funds by ignoring possible strategy liquidity issues

Extension voting threshold check needs to rerun on each transfer

Rewards can be claimed multiple times

Chainlink's `latestRoundData` might return stale or incorrect results

Re-entrancy in `settleAuction` allow stealing all funds

Unsafe approve would halt the auction and burn the bond

AaveVault does not update TVL on deposit/withdraw

Bad redirects can make it impossible to deposit & withdraw

User deposits don't have min. return checks

Users can avoid paying vault fees

Admin can break `_numberOfValidTokens`

UniswapV3's path issue for `swapExactOutput`

Potential huge arbitrage opportunities / MPL price decrease

Reward token not correctly recovered

Tokens can be stolen when `depositToken == rewardToken`

Frontrunning in UniswapHandler calls to UniswapV2Router

Wrong permissions on `reassignGlobalAdmin`

Bonding doesn't work with fee-on transfer tokens

`_getFirstSample` returns wrong sample if count < sampleMemory

`UniswapHandler.maltMarketPrice` returns wrong decimals

Slippage checks when adding liquidity are too strict

Approvals not cleared after key transfer

Referrer discount token amount can be manipulated

Missing scaling factor in `recordKeyPurchase`?

Inaccurate fees computation

Support of different ERC20 tokens

Key transfer will destroy key if from==to

`OverlayV1UniswapV3Market` computes wrong market liquidity

_totalSupply not updated in _transferMint() and _transferBurn()

Improper Upper Bound Definition on the Fee

`Controller.setCap` sets wrong vault balance

`Vault.withdraw` mixes normalized and standard amounts

`Vault.balance()` mixes normalized and standard amounts

Vault treats all tokens exactly the same that creates (huge) arbitrage opportunities.

An attacker can steal funds from multi-token vaults

wrong YAXIS estimates

`YAxisVotePower.balanceOf` can be manipulated

ERC20 return values not checked

`Vault.withdraw` sometimes burns too many shares

token -> vault mapping can be overwritten

VaultHelper deposits don't work with fee-on transfer tokens

`Controller.inCaseStrategyGetStuck` does not update balance

Wrong liquidity units calculation

Swap token can be traded as fake base token

`getAddedAmount` can return wrong results

4 Synths can be minted with fake base token

Missing access restriction on `lockUnits/unlockUnits`

Wrong slippage protection on Token -> Token trades

Anyone can curate pools and steal rewards

Anyone can list anchors / curate tokens

Wrong `calcAsymmetricShare` calculation

Tokens can be stolen through `transferTo`

Transfer fee is burned on wrong accounts

Vault rewards can be gamed

Vault rewards last claim time not always initialized

Vault Weight accounting is wrong for withdrawals

Proposals can be cancelled

`VaderRouter._swap` performs wrong swap

`VaderRouter.calculateOutGivenIn` calculates wrong swap

TWAPOracle might register with wrong token order

Minting and burning synths exposes users to unlimited slippage

All user assets which are approved to VaderPoolV2 may be stolen

`VaderPoolV2` minting synths & fungibles can be frontrun

Vader TWAP averages wrong

Init function can be called by everyone

`flashProof` is not flash-proof

Interest debt is capped after a year

Canceled proposals can still be executed

Completed proposals can be voted on and executed again

Handle transfers of different ERC20 tokens

Governor's veto protection can be exploited

Vests can be denied

`TWAPOracle.getRate` does not scale the ratio

Unclear `TwapOracle.consult` algorithm

Locked funds are debited twice from user during tokenization leading to fund loss

`ERC20ConvictionScore`'s `governanceDelta` should be subtracted when user is not a governor anymore

`ERC20ConvictionScore._updateConvictionScore` uses stale credit score for `governanceDelta`

`Withdrawable.withdraw` does not decrease `pendingWithdrawals`

Incorrect type conversion in the contract `ABC` makes users unable to burn FSD tokens

Anyone Can Arbitrarily Call `FSDVesting.updateVestedTokens()`

Beneficiary cant get `fairSideConviction` NFT unless they only claim once, and only after it's fully vested

ERC20ConvictionScore._writeCheckpoint` does not write to storage on same block

Conviction totals not updated during tokenization

`ERC20ConvictionScore` allows transfers to special TOTAL_GOVERNANCE_SCORE address

`ERC20ConvictionScore.acquireConviction` implements wrong governance checks

Should check return data from Chainlink aggregators

Swaps are not split when trade crosses target price

Overwrite benRevocable

Unchecked transfers

Approved spender can spend too many tokens

WrappedIbbtcEth contract will use stalled price for mint/burn if updatePricePerShare wasn't run properly

liquidation factor < collateral factor for Sigma type

Debt accrual is path-dependant and inaccurate

Changing engine.nft contract breaks vaults

UniswapV2/SushiwapLPAdapter update the wrong token

UniswapV2TokenAdapter does not support Sushiswap-only assets

regerralFeePool is vulnerable to MEV searcher

Unchecked ERC20 transfer calls

Chainlink's `latestRoundData` might return stale or incorrect results

Swap.sol implements potentially dangerous transfer

`unstake` should update exchange rates first

Signature replay attacks for different identities (nonce on wrong party)

QuickAccManager Smart Contract signature verification can be exploited

`borrow` must `accrueInterest` first

Rebalance will fail if a market has high utilization

Rebalance will fail due to low precision of percentages

`UnionToken` should check whitelist on `from`?

`depositAndFix` can be made to fail

`exitTempusAMM` can be made to fail

Insurance slippage reimbursement can be used to steal insurance fund

Wrong price scale for `GasOracle`

No check transferFrom() return value

Use of deprecated Chainlink API

Deposits don't work with fee-on transfer tokens

`uncommit` sends tokens to the wrong user

Wrong keeper reward computation

The formula of number of prizes for a degree is wrong

Deposits don't work with fee-on transfer tokens

Wrong inequality when adding/removing liquidity in current price range

`ConcentratedLiquidityPoolManager`'s incentives can be stolen

Unsafe cast in ConcentratedLiquidityPool burn leads to attack

Burning does not update reserves

Wrong usage of `positionId` in `ConcentratedLiquidityPoolManager`

ConcentratedLiquidityPoolHelper: getTickState() might run out of gas

Cannot claim reward

Incentive should check that it hasn't started yet

`TridentNFT.permit` should always check `recoveredAddress != 0`

Unsafe handling of underlying tokens

return value of 0 from ecrecover not checked

Previously created markets can be overwritten

Reward computation is wrong

`LendingPair.liquidateAccount` does not accrue and update cumulativeInterestRate

`LendingPair.liquidateAccount` fails if tokens are lent out

Total LP supply & total debt accrual is wrong

safeTransferFrom in TransferHelper is not safeTransferFrom

Chainlink - Use latestRoundData instead latestAnswer to run more validations

`LendingPair.withdrawUniPosition` should accrue debt first

Supply part of the accrued debt can be stolen

Use of deprecated Chainlink API

Re-entrancy in `settleAuction` allow stealing all funds

Unsafe approve would halt the auction and burn the bond

`HybridPool`'s reserve is converted to "amount" twice

Flash swap call back prior to transferring tokens in indexPool

Index Pool always swap to Zero

Unsafe cast in IndexPool mint leads to attack

IndexPool initial LP supply computation is wrong

`ConstantProductPool.burnSingle` swap amount computations should use balance

Router's `complexPath` percentagePaths don't work as expected

`_depositToBentoBox` sometimes uses both ETH and WETH

`withdrawFromWETH` always reverts

`HybridPool`'s `flashSwap` sends entire fee to `barFeeTo`

SushiToken transfers are broken due to wrong delegates accounting on transfers

`PostAuctionLauncher.sol#finalize()` Adding liquidity to an existing pool may allows the attacker to steal most of the tokens

`Controller.setCap` sets wrong vault balance

`Vault.withdraw` mixes normalized and standard amounts

`Vault.balance()` mixes normalized and standard amounts

Vault treats all tokens exactly the same that creates (huge) arbitrage opportunities.

An attacker can steal funds from multi-token vaults

wrong YAXIS estimates

`YAxisVotePower.balanceOf` can be manipulated

ERC20 return values not checked

`Vault.withdraw` sometimes burns too many shares

token -> vault mapping can be overwritten

VaultHelper deposits don't work with fee-on transfer tokens

`Controller.inCaseStrategyGetStuck` does not update balance

`veCVXStrategy.manualRebalance` has wrong logic

`SettV3.transferFrom` block lock can be circumvented

`CvxLocker.setBoost` wrong validation

DAO proposals can be executed by anyone due to vulnerable TimelockController

`CompoundToNotionalV2.notionalCallback` ERC20 return values not checked

Access restrictions on `CompoundToNotionalV2.notionalCallback` can be bypassed

Access restrictions on `NotionalV1ToNotionalV2.notionalCallback` can be bypassed

`TokenHandler.safeTransferOut` does not work on non-standard compliant tokens like USDT

`TokenHandler.safeTransferIn` does not work on non-standard compliant tokens like USDT

Liquidity token value can be manipulated

Treasury cannot claim COMP tokens & COMP tokens are stuck

Allowance checks not correctly implemented

`CompoundToNotionalV2.enableToken` ERC20 missing return value check

nTokenERC20Proxy emits events even when not success

`TokenHandler.setToken` ERC20 missing return value check

Missing validation on latestRoundData

`sNOTE.sol#_mintFromAssets()` Lack of slippage control

Usage of deprecated ChainLink API in `EIP1271Wallet`

Unchecked ERC20 transfers can cause lock up

anyone can call function sponsor

Market-specific pause is not checked for sponsor

Deposits can be denied by abusing `maxContractBalance`

`RCNftHubL2.safeTransferFrom` not accoring to spec

Parameter updates not propagated

Deposits don't work with fee-on transfer tokens

CompositeMultiOracle returns wrong decimals for prices?

ERC20Rewards returns wrong rewards if no tokens initially exist

ERC20Rewards breaks when setting a different token

TimeLock cannot schedule the same calls multiple times

No ERC20 safe* versions called

copy paste error in _batchConfirmOutstandingPendingActions

Incorrect balance computed in `getUsersConfirmedButNotSettledSynthBalance()`

Prevent markets getting stuck when prices don't move

latestMarket used where marketIndex should have been used

`redeemToken` can fail for certain tokens

Old yield source still has infinite approval

Use of safeApprove will always cause approveMax to revert

Inconsistent balance when supplying transfer-on-fee or deflationary tokens

Single under-funded protocol can break paying off debt

`_doSherX` optimistically assumes premiums will be paid

Incorrect internal balance bookkeeping

Members lose SPARTA tokens in removeLiquiditySingle()

SynthVault rewards can be gamed

SynthVault withdraw forfeits rewards

Missing slippage checks

Dividend reward can be gamed

Pool.sol & Synth.sol: Failing Max Value Allowance

Result of transfer / transferFrom not checked

Pools can be created without initial liquidity

Pool: approveAndCall sets unnecessary approval

Synth: approveAndCall sets unnecessary approval

SynthVault deposit lockup bypass

Missleading onlyDAO modifiers

BondVault `BASE` incentive can be gamed

Block usage of addCuratedPool

Approval is not reset if the call to IFulfillHelper fails

Router liquidity on receiving chain can be double-dipped by the user

Anyone can arbitrarily add router liquidity

Malicious router can block cross-chain-transfers

Signatures use only tx ID instead of entire digest

Reward computation is wrong

`LendingPair.liquidateAccount` does not accrue and update cumulativeInterestRate

`LendingPair.liquidateAccount` fails if tokens are lent out

Total LP supply & total debt accrual is wrong

safeTransferFrom in TransferHelper is not safeTransferFrom

Chainlink - Use latestRoundData instead latestAnswer to run more validations

`LendingPair.withdrawUniPosition` should accrue debt first

Supply part of the accrued debt can be stolen

Use of deprecated Chainlink API

`Buoy3Pool.safetyCheck` is not precise and has some assumptions

implicit underflows

Usage of deprecated ChainLink API in `Buoy3Pool`

Early user can break minting

BaseVaultAdaptor assumes `sharePrice` is always in underlying decimals

Insurance slippage reimbursement can be used to steal insurance fund

Wrong price scale for `GasOracle`

No check transferFrom() return value

Use of deprecated Chainlink API

Deposits don't work with fee-on transfer tokens

`uncommit` sends tokens to the wrong user

Wrong keeper reward computation

BadgerYieldSource balanceOfToken share calculation seems wrong

`YearnV2YieldSource` wrong subtraction in withdraw

withdraw timelock can be circumvented

Return values of ERC20 `transfer` and `transferFrom` are unchecked

SafeMath not completely used in yield source contracts

`YieldSourcePrizePool_canAwardExternal` does not work

Unchecked ERC20 transfers can cause lock up

anyone can call function sponsor

Market-specific pause is not checked for sponsor

Deposits can be denied by abusing `maxContractBalance`

`RCNftHubL2.safeTransferFrom` not accoring to spec

Parameter updates not propagated

Deposits don't work with fee-on transfer tokens

Uniswap Oracle uses wrong prices

Undercollateralized vaults' owner can be overwritten

Locked funds are debited twice from user during tokenization leading to fund loss

`ERC20ConvictionScore`'s `governanceDelta` should be subtracted when user is not a governor anymore

`ERC20ConvictionScore._updateConvictionScore` uses stale credit score for `governanceDelta`

`Withdrawable.withdraw` does not decrease `pendingWithdrawals`

Incorrect type conversion in the contract `ABC` makes users unable to burn FSD tokens

Anyone Can Arbitrarily Call `FSDVesting.updateVestedTokens()`

Beneficiary cant get `fairSideConviction` NFT unless they only claim once, and only after it's fully vested

ERC20ConvictionScore._writeCheckpoint` does not write to storage on same block

Conviction totals not updated during tokenization

`ERC20ConvictionScore` allows transfers to special TOTAL_GOVERNANCE_SCORE address

`ERC20ConvictionScore.acquireConviction` implements wrong governance checks

Should check return data from Chainlink aggregators

Approval for NFT transfers is not removed after transfer

Incompatability with deflationary / fee-on-transfer tokens

Missing overflow check in `flashLoan`

`distribute` DoS on missing `receiveRewards` implementation

`getRandomTokenIdFromFund` yields wrong probabilities for ERC1155

A vault can be locked from MarketplaceZap and StakingZap

Unbounded iteration in `NFTXEligiblityManager.distribute` over `_feeReceivers`

Manager can grief with fees

Tokens can get stuck in `NFTXMintRequestEligibility`

Randomization of NFTs returned in redeem/swap operations can be brute-forced

Rewards can be stolen

Low-level call return value not checked

transfer return value is ignored

UniswapConfig getters return wrong token config if token config does not exist

Reward rates can be changed through flash borrows

Wrong liquidity units calculation

Swap token can be traded as fake base token

`getAddedAmount` can return wrong results

4 Synths can be minted with fake base token

Missing access restriction on `lockUnits/unlockUnits`

Wrong slippage protection on Token -> Token trades

Anyone can curate pools and steal rewards

Anyone can list anchors / curate tokens

Wrong `calcAsymmetricShare` calculation

Tokens can be stolen through `transferTo`

Transfer fee is burned on wrong accounts

Vault rewards can be gamed

Vault rewards last claim time not always initialized

Vault Weight accounting is wrong for withdrawals

Proposals can be cancelled

`VaderRouter._swap` performs wrong swap

`VaderRouter.calculateOutGivenIn` calculates wrong swap

TWAPOracle might register with wrong token order

Minting and burning synths exposes users to unlimited slippage

All user assets which are approved to VaderPoolV2 may be stolen

`VaderPoolV2` minting synths & fungibles can be frontrun

Vader TWAP averages wrong

Init function can be called by everyone

`flashProof` is not flash-proof

Interest debt is capped after a year

Canceled proposals can still be executed

Completed proposals can be voted on and executed again

Handle transfers of different ERC20 tokens

Governor's veto protection can be exploited

Vests can be denied

`TWAPOracle.getRate` does not scale the ratio

Unclear `TwapOracle.consult` algorithm

Potential huge arbitrage opportunities / MPL price decrease