TokenManager - Unlimited withdraw

Native token withdrawal fails until manually approved

The highest bidder for the current auction round is able to claim their collateral in addition to the auctioned tokenId

Reentrancy in `Vesting:claim` allows an attacker to steal tokens

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered(steal protocol's token)

Incorrect balance is removed when burning

Rewards can be drained because of lack of access control

Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds

The transfer of ERC-20 tokens with blacklist functionality in process functions can lead to stuck vaults

Missing minimum token amounts in the emergency contract functions allows MEV bots to take advantage of the protocols emergency situation

Some tokens may cause `GMXEmergency:emergencyWithdraw` to revert if the withdrawn amount is 0

`allocator.voiceCredits` not increased allowing allocators to allocate any amount

No check if bridge already exists

The same signature can be used in different `distribution` implementation causing that the caller who owns the signature, can distribute on unauthorized implementations

Blacklisted STADIUM_ADDRESS address cause fund stuck in the contract forever

DAI Tokens at Risk Due to Lack of address(0) Check in distribute

Sandwich attack to steal all ERC-20 tokens in the Fees contract

WETH staking rewards accumulated before the first staker deposits remain unutilized and stuck in the `Staking` contract

Cannot add vault if it has been removed previously from the LMPVaultRegistry

```managerFeeBps``` is not checked when rebalancing in ```SimpleManager.sol```

Users can add malicious collaterals after bid is accepted

A malicious user could delay their stake from being slashed

Race condition in the ```approve``` function of ```Pool.sol```

Funder may not be able to refund their deposit

Funders may be unable to supply a bounty with all the NFTs needed

A lender is able to prevent repayment of a loan if they are on the token's blocklist

A malicious user can rebalance using any user that has approved the contract to spend quote tokens

Admin does not have to wait to call `lastResortTimelockOwnerClaimNFT()`

First depositor can break minting of shares

Payer cannot recover overspent tokens sent to a stream without cancelling the stream

```isAuctionLive``` could be set to true indefinitely, leading to users being unable to withdraw their assets

Insufficient support for fee-on-transfer tokens

Can call ```matchOrder``` repeatedly for the same order if attacker is bull

Insufficient fee-on-transfer/deflationary token support

Chainlink oracle data feed is not sufficiently validated and can return stale `price`

Incorrect inflation index due to incorrect calculation of ```totalStaked```

StandardPolicyERC1155.sol returns amount == 1 instead of amount == order.amount

Sending LINK to the contract before the first deposit could lead to no shares returned for deposits

Can have same plugin multiple times leading to inflated totalSupply

Underflow in ```_previewWithdraw``` could prevent withdrawals

Two address tokens can be withdrawn by the admin even if they are vested

Fee-on-transfer tokens not supported

Index out of bounds error when properties length is more than attributes length breaks minting

Quorum votes have no effect for determining whether proposal is defeated or succeeded when token supply is low

Fund will be stuck if a buyout is started while there are pending migration proposals

Migration: no check that user-supplied `proposalId` and `vault` match

```migrateFractions``` may be called more than once by the same user which may lead to loss of tokens for other users

`fillOrder()` and `exercise()` may lock Ether sent to the contract, forever

Unable to redeem from Notional

Able to mint any amount of PT

Badger rewards from Hidden Hand can permanently prevent Strategy from receiving bribes

Overpayment of native ETH is not refunded to buyer

Calling `unstake()` can cause locked funds

It's not possible to execute governance proposals through the GovernorBravoDelegate contract

RubiconRouter: Excess ether did not return to the user

Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`

```withdrawForETH``` could be used to drain the WETH in ```RubiconRouter.sol```

The check for value transfer success is made after the return statement in _withdrawFromYieldPool of LidoVault

Possible lost msg.value

Use safeTransferFrom instead of transferFrom for ERC721 transfers

Owner can set the feeRate to be greater than 100% and cause all future calls to `exercise` to revert

Vault is Not Compatible with Fee Tokens and Vaults with Such Tokens Could Be Exploited

User's may accidentally overpay in `buyOption()` and the excess will be paid to the vault creator

Missing check in the updateValset function

Protocol doesn't handle fee on transfer tokens

Many unbounded and under-constrained variables in the system can lead to unfair price or DoS