User funds will be stuck in lending contract due to attacker cancelling other lending orders.

Buying receipts does not change the veNFT manager, allowing manager to perform unwanted operation

Vulnerable Upgradability Pattern due to lack of storage gap implementation

Frontrunner can brick protocol by frontrunning CCIP message on WinnablesPrizeManager

Hardcoded heartbeat duration for `RedstoneOracle.sol` returns stale price

paymentAmountToAddLiquidity is manipulatable, this allow LP stakers to get more tokens if oTokens are exercised

When killGauge and pauseGauge is called, claimable gauge distributions are locked permanently

Once max lock is enabled, the last tokenId can never be disabled, which allows griefing to permanently lock user staked tokens not allowing withdrawal

Accounting logic error leads to LP pool gaining lesser tokens when user stake using trading account

stakeFacet with tokens as isCollateral set does not send tokens to respective pools

RedeemFee will always be 0, causing protocol to not take any redeemFee for each redemption

Submitting mint request using user's trading balance and cancelling it will not refund tokens back to trading account

Redeem Fee internal accounting causes LP pool accounting balance to have lesser tokens.

pairToken prices are not cleared, utilizing expired staled price

Incorrect withdraw queue balance in TVL calculation

DOS of `completeQueuedWithdrawal` when ERC20 buffer is filled

Withdrawals and Claims are meant to be pausable, but it is not possible in practice

burnSharesToWithdrawEarnings causing more asset token withdrawal for users

Mint referrers get 75% of protocol fee shares instead of 50%, causing collection referrers to lose funds

User lose tokens when claim deposit or redeem within the same epoch

Settling with Eigenlayer does not update Epoch count, causing the protocol to lock all the funds.

Chainlink price feed uses BTC, not WBTC. In case of depegging, oracles will become easier to manipulate.

Overinflated rewards updated due to flaw in calling SablierV2ProxyTarget

Attack to make ````CurveSubject```` to be a ````HoneyPot````

Unauthorized Access to setCurves Function

Single token purchase restriction on curve creation enables sniping

Curves::_buyCurvesToken(), Excess of Eth received is not refunded back to the user.

Improper precision of strike price calculation can result in broken protocol

Incorrect precision assumed from RdpxPriceOracle creates multiple issues related to value inflation/deflation