Non-Determinism in GetAndUpdateActiveTopicWeights Function

Unchecked Error in ResetChurnableTopics Function

Lack of Authentication in OnRecvPacket

Silent Failure in MustNewDecFromString Can Lead to Node Crashes

Incomplete Zero-Height Genesis Preparation in Allora Network

Lack of Timeout leads Resource Exhaustion in API Client

Incomplete Topic Processing Due to Continuous Retry on Pagination Error

Use of .transfer()

First Vault deposit exploit can break share calculation

Tokens can be lost If the Join Fee is %100

Privileged function on the liquidity exit

Deflationary tokens are not handled uniformly across the protocol

Fee is directly get by user argument

Possible vulnerability depends on the Openzeppelin Security Advisory

Unsafe casting to uint128

Should check return data from chainlink aggregators

Signature Checks could be passed when SignatureDecoder.recoverKey() returns 0

ORACLE DATA FEED CAN BE OUTDATED YET USED ANYWAYS WHICH WILL IMPACT ON PAYMENT LOGIC

Putty position tokens may be minted to non ERC721 receivers

Admin Can Broke All Functionality Through Weth Address

`_harvest` has no slippage protection when swapping `auraBAL` for `AURA`

Protocol fee rate can be arbitrarily modified by the owner and the new rate will apply to all existing orders

CNote updates the accounts after sending the funds, allowing for reentrancy

No cap on fees can result in a DOS in BathToken.withdraw()

Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`

Owner can set the feeRate to be greater than 100% and cause all future calls to `exercise` to revert

amount requires to be updated to contract balance increase (1)

The Gravity.sol should have pause/unpause functionality

Protocol doesn't handle fee on transfer tokens

The owner can mint all of the NFTs.

Many unbounded and under-constrained variables in the system can lead to unfair price or DoS

Critical variables shouldn't be changed after they are set

Non-standard ERC20 Tokens are Not Supported

SuperVault's leverageSwap and emptyVaultOperation can become stuck

Chainlink's latestRoundData might return stale or incorrect results

Lack of `safeApprove(0)` prevents some registrations, and the changing of stakers and LP tokens

Chainlink's latestRoundData might return stale or incorrect results

Seven ways in which the Owner and Proxy Admin can make users lose funds ("rug vectors")

Chainlink pricer is using a deprecated API

Centralisation RIsk: Owner Of `RoyaltyVault` Can Take All Funds

createProject can be frontrun

Ineffective Handling of FoT or Rebasing Tokens

Reputation Risks with `contractOwner`

Improper Upper Bound Definition on the Fee

Owners have absolute control over protocol

Incompatibility With Rebasing/Deflationary/Inflationary token

[WP-H0] When transferring tokens not in `whitelist` on Ethereum to Terra with `CrossAnchorBridge.depositStable()`, the funds may get frozen

Possible Wrong bAsset Rewards/Borrow limits Calculation

Liquidations can be run on the bogus Oracle prices

Seven ways in which the Owner and Proxy Admin can make users lose funds ("rug vectors")

Unconstrained fee

[ConcurRewardPool] Possible reentrancy when claiming rewards

Oracle data feed is insufficiently validated.

Missing validation on latestRoundData

Usage of deprecated ChainLink API in `EIP1271Wallet`

No upper limit on `coolDownTimeInSeconds` allows funds to be locked sNOTE owner.

Eth sent to Timelock will be locked in current implementation

Incompatibility With Rebasing/Deflationary/Inflationary tokens

ERC20 return values not checked

deposit() function is open to reentrancy attacks

Vaults with non-UST underlying asset vulnerable to flash loan attack on curve pool

Incompatibility With Rebasing/Deflationary/Inflationary tokens

Attacker can get extremely cheap synth by front-running create Pool

SHOULD CHECK RETURN DATA FROM CHAINLINK AGGREGATORS

Missing duplicate veto check

SHOULD CHECK RETURN DATA FROM CHAINLINK AGGREGATORS

transfer return value is ignored

ERC20 return values not checked

Contract does not work with fee-on transfer tokens

Backdated _startTimestamp can lead to loss of funds

Chainlink's `latestRoundData` might return stale or incorrect results

Frontrunning in UniswapHandler calls to UniswapV2Router

OZ ERC1155Supply vulnerability

_totalSupply not updated in _transferMint() and _transferBurn()

Improper Upper Bound Definition on the Fee

ERC20 return values not checked

Prevent Minting During Emergency Exit

Attacker can get extremely cheap synth by front-running create Pool

SHOULD CHECK RETURN DATA FROM CHAINLINK AGGREGATORS

Missing duplicate veto check

Unchecked transfers

No Transfer Ownership Pattern

Null check in pricePerShare

Unchecked ERC20 transfer calls

Chainlink's `latestRoundData` might return stale or incorrect results

Unsafe handling of underlying tokens

Missing event & timelock for critical onlyAdmin functions

ERC20 return values not checked

Prevent Minting During Emergency Exit

Missing validation on latestRoundData

Usage of deprecated ChainLink API in `EIP1271Wallet`

No upper limit on `coolDownTimeInSeconds` allows funds to be locked sNOTE owner.