Any user can steal refunded tokens by calling claimRefund.

An attacker can steal another user's claim.

The first borrower will be able to take funds regardless collateral.

The liquidator's funds will be locked after calling liquidateBorrow.

Natural Logarithm Function Silently Accepts Invalid Non-Positive Inputs

Public payWithERC20 function will make the attacker steal from users.

Incorrect agency logic will render the whitelist logic ineffective.

Incorrect Reward Claim Logic in FeeCollector::claimRewards Causes Denial of Service

Token Accounting Mismatch Between tick() and mintRewards() in RAACMinter

Flawed Boost Multiplier Calculation Always Yields Maximum Boost

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

Ineffective proposal threshold validation allows setting arbitrary high values

`Market::configureConnectedVaults` Will Always Fail with Array Out of Bounds Error

Users can claim more that their actual allotment

_onTransferReceived() does not work as intended

Incorrectly assigned `decimal1` parameter upon decoding