`AutoExit` could receive a reward calculated from the entire position's fund even if `onlyFee` is true in `AutoExit.execute()`.

Users can lend and borrow above allowed limitations

Users can request withdrawal without limit since `availableShares` is calculated incorrectly in `requestWithdrawal` function

In `settleFundingFees` function of `FlatcoinVault` contract, `_globalPositions.marginDepositedTotal` is updated incorrectly.

Players can raise their opportunities to be a winner unfairly by depositing `0 eth` to rounds using `depositETHIntoMultipleRounds` function.

Since `_depositEth` function doesn't check if the maximum number of deposits is reached, the round may wouldn't be drawn when it should be.

When forming POL the DAO will end up stucked with DAI and USDS tokens that cannot handle.

Whitelised accounts can be forcefully DoSed from buying curveTokens during the presale

Unauthorized Access to setCurves Function

Protocol and referral fee would be permanently stuck in the Curves contract when selling a token

onBalanceChange causes previously unclaimed rewards to be cleared

Curves::_buyCurvesToken(), Excess of Eth received is not refunded back to the user.

If a user sets their curve token symbol as the default one plus the next token counter instance it will render the whole default naming functionality obsolete

`ERC20TokenEmitter::buyToken` function mints more tokens to users than it should do

Since buyToken function has no slippage checking, users can get less tokens than expected when they buy tokens directly

Protocol mints less rsETH on deposit than intended