Division-by-Zero on First Withdraw in DLoopCoreBase

Invariant Violation Due to Unchecked Deallocation from Inactive or Unallocated AMO Vaults

Old AmoManager retains token allowance after replacement in `setAmoManager`

The verifyBatchSignatures function may trigger an index out-of-range panic for consensus nodes, due to missing lower-bound check

Attacker can frontrun unstake calls to manipulate withdrawals

postBatch doesn’t check for duplicate signatures resulting in being able to overcome the consensus threshold

The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0, this can cause potential loss for the new depositors

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

Adversary can win proposals with voting power as low as 4%

[M-3] Anyone can deploy a new `FraxSwapPair` with a Low fee incurring losses to the protocol

Missing Access Control on burnFrom() Function

Missing Handling of Excess Ether in buy() Function

No Time Checks During invest()

Potential Duplicate Participant Entries in participants Array

isBuyed function returns wrong remainingAmount values or buy function is incorrectly implemeted

Automatic token listing missing

Actor can frontrun lz_receive and steal users’ withdrawal

User will be able to use any deposit_token to bridge usdc

Possible DOS of pools leading

Potential Front-Running and DoS Vulnerabilities due to EIP-2612 Usage

Off-by-One Error in Humanity Expiration Time Checks

permanentTotalSupply may be increased twice as much when depositing

Fee on transfer tokens will result in user losses

Users Unable to Claim Removed Tokens Due to Transfer Failures in claimRemovedTokens Function