Missing staleness check in PythOracle can lead to forced liquidations and theft of funds from borrowers.

Funds can be stolen from any user by frontrunning their `claim()` transaction.

Lack of access control in the `MarketFactory.updateExtension()` function.

Corrupted storage after upgrade in the `MarketFactory` contract.

Anyone can cancel other accounts `nonces` and `groups`, leading to griefing their `Intents`.

The `Market.migrate()` function has no effect and does not migrate `PositionStorageGlobal` to the new storage layout, breaking the migration assumption.

The `RiskParameter.liquidationFee` variable is not treated and validated as a percentage value, leading to breaking protocol invariants.

Epoch mismatch in FjordPoints and FjordStaking leads to user being able to stake and unstake instantly for rewards

Corruptible upgradability pattern.

Incorrect `BUILD` integration in the `RedemptionVaultWIthBUIDL` contract.

Contradiction between the Specification and the Code in the `RedemptionVaultWIthBUIDL` contract.

Incorrect validation of the daily redemption limit in the `MBasisRedemptionVaultWithSwapper` contract.

Incorrect set up and logic of `referralInfoMap` in `SystemConfig::updateReferrerInfo` function

TokenManager - Unlimited withdraw

Taker of bid offer will loss assets without any benefit if he calls the DeliveryPlace::settleAskMaker() for partial settlement.

Native token withdrawal fails until manually approved

`DeliveryPlace::settleAskTaker` Has Incorrect Access Control

Formulaic Error Rounds Down Causing Total Loss Of Funds For Bid Takers During Abort

Malicious user can drain protocol by bypassing `ASK` offer abortion validation in `Turbo` mode

The `DeliveryPlace::settleAskTaker()` function mistakenly uses `makerInfo.tokenAddress` to update the `TokenBalanceType.PointToken` in the `userTokenBalanceMap` mapping, leading to a critical error.

Token withdrawal fails until someone manually approves spending

[H-4] The function `PreMarkets::listOffer` charges an incorrect collateral amount, allowing users to manipulating collateral rates and drain the protocol's funds

listOffer maker can settle offer via settleAskMaker() in Turbo settle type.

Fund Withdrawal Flaw in preMarket Allows Users to Avoid Settlement Obligations

Missing abort status check allows bid taker to steal users funds

Rounding Discrepancies in Deposit Amount Calculations

[Low-01] Missing Access Control in `CapitalPool::approve()` Function Allows any User to call it to set Allowance Amount `TokenContract` to `type(uint256).max`.

`listOffer` Unsafely References Fungible Identifiers

Wrong parameter in event AbortBidTaker()

Missing validation in `PreMarkets.abortBidTaker()` leading to funds lock.

When the `DeliveryPlace::settleAskMaker()` function calls `tokenManager.addTokenBalance()` to update the user balance, the `TokenBalanceType` parameter uses an operation, resulting in a balance update error

Loss of rewards due to continuous griefing attack.

Malicious actor can abuse the minimum shares check in `StakingLPEth` and cause DoS or locked funds for the last user that withdraws

Missing `approve()` in the `setMarket()` function will lead to a Denial of Service (DoS) in the `harvest()` function.

Malicious users can extend other users' deposit locks in `GaugeV4` by calling `OptionTokenV4.exerciseLp()` on them with minimal oToken values and the maximum discount.

Token price can be manipulated in `OptionTokenV4` when adding liquidity during the `exerciseLp()` or `exerciseVe()` function calls.

Griefing/blocking when exercising oToken via `OptionTokenV4.exerciseVe()` call.

Rewards from the previous epoch are lost and locked in the Voter contract for Gauges that are paused or killed in the current epoch.

Off-by-One error in the `RewardsDistributorV2._checkpoint_total_supply()` leading to incorrect reward calculation.

Rounding errors in the `_k()` calculation for stable pairs can allow an attacker to drain all tokens from the pair.

Incorrect calculation of team emissions in the `Minter` contract.

Incorrect calculation of TWAP in OptionTokenV4.getTimeWeightedAveragePrice() function.

`Voter.replaceFactory()` and `Voter.addFactory()` functions are broken.

Governor cannot `poke()` a tokenId if votes were passed on to a Gauge that was later paused or killed.

Loss of user-earned rewards due to lack of recovery mechanism and insufficient reward token balances in the VaultRewarderLib _claimRewardToken() function

Premature collateralization check in the BaseStakingVault.initiateWithdraw() function can leave accounts undercollateralized

Incorrect assumption that 1 stETH equals 1 ETH when calculating TVL

In `Vault.calculateStack()` function the `ratiosX96Value` value is rounded down

Liquidators can bypass remaining negative margin check and leave the loss to the protocol

One pair can steal another pair's Uniswap liquidity during `reallocate()` call if both pairs operate on the same Uniswap pool and both have the same upper and lower tick during reallocation.

Chainlink's `latestRoundData` might return stale or incorrect results

Invalid validation allows users to unlock early

Missing disapproval check in `LockManager.sol::approveUSDPrice` allows simultaneous approval and disapproval of a price proposal

When `DecentBridgeExecutor.execute` fails, funds will be sent to a random address

Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.

Missing access control on UTB:receiveFromBridge allows UTB swaps to be executed without spending bridge fees while bypassing fee/swap instruction signature verification

users still forced to follow previously set cooldownDuration even when cooldown is off (set to zero) before unstaking

``FULL_RESTRICTED`` Stakers can bypass restriction through approvals

If governance removes a gauge, user's voting power for that gauge will be lost.

Pumps are not updated in the shift() and sync() functions, allowing oracle manipulation