The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0, this can cause potential loss for the new depositors

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

Holders array can be manipulated by transferring or burning with amount 0, stealing rewards or bricking certain functions

Distribution can be bricked, and double claims by a few holders are possible when owner calls `LiquidInfrastructureERC20::setDistributableERC20s`

Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered(steal protocol's token)

Possible index out of range in GetVoterIndex could cause ballot to never finalize due to panic

Users can fail to unstake and lose their deserved ETH because malfunctioning or untrusted derivative cannot be removed

Enlist any user in rollover queue

User deposit may never be entertained from deposit queue

Claim not called before blacklisting

maxTrainingDeposit can be bypassed

Break contract functionalities

User deposit/withdrawal/order will get cancelled

Withdraw request can be made without funds - Bypass Withdraw Delay

Withdrawal fee bypass on Liquidation

Improper Validation Of latestRoundData Function

Claimer gets malicious tokens

DOS bounty funding

Multiple accounts can have the same identity

Fee on transfer token not supported

vault.changeAdapter can be misused to drain fees

Users may not claim Erc1155 rewards when the Quest has ended

User may loose rewards if the receipt is minted after quest end time

Challenger can override the 7 day finalization period

Roll is not taking new loan terms

KYCRegistry is susceptible to signature replay attack.

Withdrawals will stuck

Attacker can take loan for Victim

Pause checks are missing on deposit for Private Vault

For a public vault, minimum deposit requirement that is enforced by `ERC4626Cloned.deposit` function can be bypassed by `ERC4626Cloned.mint` function or vice versa when share price does not equal one

Arbitrary transactions possible due to insufficient signature validation

Replay attack (EIP712 signed transaction)

DoS of user operations and loss of user transaction fee due to insufficient gas value submission by malicious bundler

Deposit get stuck

ProtocolDAO lacks a method to take out GGP

wrong reward distribution between early and late depositors because of the late syncRewards() call in the cycle, syncReward() logic should be executed in each withdraw or deposits (without reverting)

Bypass `whenNotPaused` modifier

Admin does not have to wait to call `lastResortTimelockOwnerClaimNFT()`

Duplicate _tokenNameSuffix and _tokenSymbolSuffix will incorrectly update current Market

Manager can get around min reserves check, draining all funds from Collateral.sol

Bypass userWithdrawLimitPerPeriod check

Lock.sol: assets deposited with Lock.extendLock function are lost

Inconsistency in fees

ETH will get stuck if all NFTs do not get sold.

NFTs mintable after Auction deadline expires

`CrossChainExecutor` contracts do not update the necessary states for failing transactions.

Expired streams can be added

Interest rates are incorrect on Liquidation

Anyone can prevent themselves from being liquidated as long as they hold one of the supported NFTs

Data corruption in NFTFloorOracle; Denial of Service

safeTransfer is not implemented correctly

New BAKC Owner Can Steal ApeCoin

NTokenMoonBirds Reserve Pool Cannot Receive Airdrops

Centralization risk: admin can with rug the project by removing asset and price manipulation on oracle.

MintableIncentivizedERC721 and NToken do not comply with ERC721, breaking composability

DOS in user withdrawal

Depositor can spend funds of another Depositor

Rewards can be lost

transferBribes could transfer before proposal deadline + Input validation

[WP-H0] `DEFAULT_ADMIN_ROLE` of `BribeVault` can steal tokens from users' wallets

Owner can transfer all ERC20 reward token out using function recoverERC20

Cancelled auction does not refund last bidder

Incorrect fees will be charged

Underflow will occur

firstBidTime can never be 0

Bond tokens (HLG) can get permanently stuck in operator

Attacker can force chaotic operator behavior

Very critical `Owner` privileges can cause complete destruction of the project in a possible privateKey exploit

initialize function in L2GraphToken.sol, BridgeEscrow.sol, L2GraphTokenGateway.sol, L1GraphTokenGateway.sol can be invoked multiple times from the implementation contract.

StandardPolicyERC1155.sol returns amount == 1 instead of amount == order.amount

Improper Validation Of latestRoundData Function

Unregulated joining fees

Centralization risk: admin have privileges: admin can set address to mint any amount of frxETH, can set any address as validator, and change important state in frxETHMinter and withdraw fund from frcETHMinter

Vesting Schedule Start and End Time can be Set in The Past

Reentrancy may allow an admin to steal funds

Use of transfer instead of call

Fee on transfer token not considered - Withdraw will fail

Depeg event can happen at incorrect price

Fee-on-Transfer tokens cause problems in multiple places

StakingRewards: recoverERC20() can be used as a backdoor by the owner to retrieve rewardsToken

StakingRewards.sol#notifyRewardAmount() Improper reward balance checks can make some users unable to withdraw their rewards

Different Oracle issues can return outdated prices

Rewards are not rolled over

Maximum bid will always be used in Auction

Excess eth is not refunded

NFT Owner can stuck Crowdfund user funds

Missing zero approval

Period Size not updated on creating new Pair

State function does not require majority of votes for supporting and passing a proposal

User funds can be lost

Account Closing and liquidation will always fail

Improper Validation Of latestRoundData Function

In `Governance.sol`, it might be impossible to activate a new proposal forever after failed to execute the previous active proposal.

TRSRY: front-runnable `setApprovalFor`

After endorsing a proposal, user can transfer votes to another user for endorsing the same proposal again

Voted votes cannot change after the user are issued with new votes or the user's old votes are revoked during voting

[NAZ-M1] Chainlink's `latestRoundData` Might Return Stale Results

ERC721Checkpointable: delegateBySig allows the user to vote to address 0, which causes the user to permanently lose his vote and cannot transfer his NFT.

ERROR IN UPDATING **_checkpoint** IN THE **increaseUnlockTime** FUNCTION

The current implementation of the VotingEscrow contract doesn't support fee on transfer tokens

Possible to bypass saleConfig.limitPerAccount

Incorrect amount of Collateral moves for Auction

Error in allowance logic

unpaused(p) modifier missing in authRedeem function

transfer() depends on gas consts

`DNSSECImpl.verifySignature` compares strings incorrectly, allowing malicious zones to forge DNSSEC trust chain

Renew of 2nd level domain is not done properly

Fee is being deducted when Put is expired and not when it is exercised.

`acceptCounterOffer()` May Result In Both Orders Being Filled

Putty position tokens may be minted to non ERC721 receivers

Zero strike call options will avoid paying system fee

Malicious Token Contracts May Lead To Locking Orders

Oracle periodSize is very low allowing the TWAP price to be easily manipulated

Burn access control can be bypassed

token transfers in LiquidityReserve and Staking contract don't support deflationary ERC20 tokens, and user funds can be lost if stacking token was deflationary

Functions in the `BatchRequests` contract revert for removed contract addresses

MINIMUM_LIQUIDITY checks missing - Bringing Liquidity below required min

Incorrect withdrawal requested

ERC5095 redeem/withdraw does not update allowances

Lender: no check for paused market on mint

`Redeemer.sol#redeem()` can be called by anyone before maturity, which may lead to loss of user funds

Funds may be stuck when `redeeming` for Illuminate

Illuminate PT redeeming allows for burning from other accounts

Division Before Multiplication Can Lead To Zero Rounding Of Return Amount

Pendle Uses Wrong Return Value For `swapExactTokensForTokens()`

Anyone can set the `baseRatePerYear` after the `updateFrequency` has passed

Anyone can create Proposal Unigov Proposal-Store.sol

It's not possible to execute governance proposals through the GovernorBravoDelegate contract

Incorrect amount taken

Sellers may lose NFTs when orders is matched with `matchOrders()`

Incorrect condition marks valid order as invalid

Protocol fee rate can be arbitrarily modified by the owner and the new rate will apply to all existing orders

Malicious Relayers Could Favor Their Routers

Missing whenNotPaused modifier

_handleExecuteTransaction may not working correctly on fee-on-transfer tokens. Moreover, if it is failed, fund may be locked forever.

`LibDiamond.diamondCut()` should check `diamondStorage().acceptanceTimes[keccak256(abi.encode(_diamondCut))] != 0`

Malicious relayer could exploit sponsor vaults

transferfCash does not work as expected

BkdLocker depositFees can be blocked

Users can claim more fees than expected if governance migrates current rewardToken again by fault.

Duplicate LP token could lead to incorrect deposits

User can lose funds

`VE3DRewardPool` and `VE3DLocker` adds to an unbounded array which may potentially lock all rewards in the contract

User can lose extra rewards

Unused rewards(because of totalSupply()==0 for some period) will be locked forever in VE3DRewardPool and BaseRewardPool

No check for existing extraRewards during push

Owner should be allowed to change feeManager

Wrong reward distribution in Bribe because deliverReward() won't set tokenRewardsPerEpoch[token][epochStart] to 0

RubiconRouter: Excess ether did not return to the user

No cap on fees can result in a DOS in BathToken.withdraw()

`RubiconMarket.sol#isClosed()` always returns false, making the market can not be stopped as designed

```withdrawForETH``` could be used to drain the WETH in ```RubiconRouter.sol```

User will loose funds

User can forfeit other user rewards

Rewards distribution can be delayed/never distributed on AuraLocker.sol#L848

User will lose funds

Duplicate LP token could lead to incorrect reward distribution

Reward can be vested even after endTime

`AuraBalRewardPool` charges a penalty to all users in the pool if the `AuraLocker` has been shut down

User's may accidentally overpay in `buyOption()` and the excess will be paid to the vault creator

SpeedBumpPriceGate: Excess ether did not return to the user

amount requires to be updated to contract balance increase (1)

Admin drains all ERC based user funds using withdrawERC20()

_revokeRole doesn't remove account from roleMember set

Asset Manager can update existing _assetAggregator

Duplicate asset can be added

Seven ways in which the Owner and Proxy Admin can make users lose funds ("rug vectors")

Can force borrower to pay huge interest

Protocol doesn't handle fee on transfer tokens

Users with large `cooldown`s can grief other users

[WP-H7] Infinite approval to an arbitrary address can be used to steal all the funds from the contract

DexManagerFacet: batchRemoveDex() removes first dex only

Anyone can get swaps for free given certain conditions in `swap`.

Duplicate _tokenNameSuffix and _tokenSymbolSuffix will incorrectly update current Market

Manager can get around min reserves check, draining all funds from Collateral.sol

Bypass userWithdrawLimitPerPeriod check

Spend limit on owner can be bypassed

[WP-H4] `anchor_basset_reward` pending yields can be stolen

denial fo service

Liquidations can be run on the bogus Oracle prices

Depositor can spend funds of another Depositor

Rewards can be lost

transferBribes could transfer before proposal deadline + Input validation

[WP-H0] `DEFAULT_ADMIN_ROLE` of `BribeVault` can steal tokens from users' wallets

Undesired behavior

Cashback on referral

Seven ways in which the Owner and Proxy Admin can make users lose funds ("rug vectors")

[WP-H14] `ConvexStakingWrapper`, `StakingRewards` Wrong implementation will send `concur` rewards to the wrong receiver

Repeated Calls to Shelter.withdraw Can Drain All Funds in Shelter

`MasterChef.updatePool()` Fails To Update Reward Variables If `block.number >= endBlock`

Owner can lock tokens in `MasterChef`

Deactivate function can be bypassed

Incorrect unlockTime can DOS withdrawGovernanceAsset

transfer return value is ignored

Collateral parameters can be overwritten

It might not be possible to withdraw tokens from the basket

Malicious tickets can lead to the loss of all tokens

Continue claiming reqrds after numberOfEpochs are over

Backdated _startTimestamp can lead to loss of funds

Storage variable unstreamed can be artificially inflated

Duplicate utoken and usermanager can be added which cannot be deleted

User Fund loss in case of Unsupported Market token deposit