Bonding Curve Invariant Check Incorrectly Validates SOL Balance Due to Rent Inclusion

Abrupt fee transition from 8.76% to 1% at slot 250 due to incorrect linear decrease formula

Anyone can call `LamboRebalanceOnUniwap.sol::rebalance()` function with any arbitrary value, leading to rebalancing goal i.e. (1:1 peg) unsuccessful.

LamboFactory can be permanently DoS-ed due to createPair call reversal

Minting zero tokens when underlyingToken is not Ether in cashIn()

Since the cost of launching a new pool is minimal, an attacker can maliciously consume VirtualTokens.

Rebalance profit requirement prevents maintaining VETH/WETH peg

Rebalance will be completely dossed if OKX commision rate goes beyond the fee limits

Accumulated ETH in the LamboVEthRouter will be irretrievable

`sellQuote` and `buyQuote` are missing deadline check in `LamboVEthRouter`

Users can prevent protocol from rebalancing for his gain and cause loss of funds for protocol and its users

Block gas limit can be hit due to loop depth

Emergency Unlocking Penalty Makes Long Duration Positions Economically Advantageous

Availability of deposit invariant can be bypassed

Malicious Borrower Cycle Exploits to Inflate Interest Rates

Malicious borrower can evade full liquidation in `CDPVault::liquidatePosition` by repaying small amounts of debt

It is nearly impossble for Liquidators to use `liquidatePosition()` to fully pay off a non bad-debt position.

Rewards might be lost due to the error that _updateRewardIndex() might advance lastBalance without advancing index for a token.

`BalancerOracle::update()` can return stale price

Bringing a position from unsafe to safe by liquidation paritally

Signature replay in `signatureClaim` results in unauthorized claiming of rewards

Availability of deposit invariant can be bypassed

Malicious Borrower Cycle Exploits to Inflate Interest Rates

Malicious borrower can evade full liquidation in `CDPVault::liquidatePosition` by repaying small amounts of debt

It is nearly impossble for Liquidators to use `liquidatePosition()` to fully pay off a non bad-debt position.

Rewards might be lost due to the error that _updateRewardIndex() might advance lastBalance without advancing index for a token.

`BalancerOracle::update()` can return stale price

Bringing a position from unsafe to safe by liquidation paritally

Malicious User can call `lockOnBehalf` repeatedly extend a users `unlockTime`, removing their ability to withdraw previously locked tokens

Missing disapproval check in `LockManager.sol::approveUSDPrice` allows simultaneous approval and disapproval of a price proposal

Availability of deposit invariant can be bypassed

Malicious Borrower Cycle Exploits to Inflate Interest Rates

Malicious borrower can evade full liquidation in `CDPVault::liquidatePosition` by repaying small amounts of debt

It is nearly impossble for Liquidators to use `liquidatePosition()` to fully pay off a non bad-debt position.

Rewards might be lost due to the error that _updateRewardIndex() might advance lastBalance without advancing index for a token.

`BalancerOracle::update()` can return stale price

Bringing a position from unsafe to safe by liquidation paritally

`AccountingManager::resetMiddle` will not behave as expected

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

Withdrawals in AccountManager are prone to DOS attacks.

The `TVLHelper.sol#getTVL` function is DOSed by the `under collateralized connector`, and as a result, many parts of the protocol may be DOS.

Attacker can increase the length of `withdrawQueue` by withdrawing 0 amount of tokens frequently

Missing calls to `_updateTokenInRegistry` leads to incorrect state of tokens in registry

User can get their Kerosene stuck because of an invalid check on withdraw

Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults

Attacker Can Frontruns User's Withdrawals To Make Them Reverts Without Costs

`VaultManagerV2.sol::burnDyad` function is missing an `isDNftOwner` modifier, allowing a user to burn another user's minted DYAD

Incorrect deployment / missing contract will break functionality

Using cached price to create a proposal reduce the efficacity of redemptions for asset peg

First Liquidity provider can claim all initial pool rewards

The settle feature will be broken if attacker arbitrarily transfer collateral tokens to the PerpetualAtlanticVaultLP

Incorrect precision assumed from RdpxPriceOracle creates multiple issues related to value inflation/deflation

Users can get immediate profit when deposit and redeem in `PerpetualAtlanticVaultLP`

The vault allows "free" swaps from WETH to RDPX

`sync` function in `RdpxV2Core.sol` should be called in multiple scenarios to account for the balance changes that occurs

No slippage protection for bonders

Can not withdraw RDPX if WETH withdrawn is zero

Multiple issues with `retrySettlement()` and `retrieveDeposit()` will cause loss of users' bridging deposits

User underpay for the remote call execution gas on root chain

The user is enforced to overpay for the fallback gas when `retryDeposit`

Claiming accumulated rewards while the contract is underfunded can lead to a loss of rewards

Malicious royalty recipient can steal excess eth from buy orders

DOS of market operations with malicious offers

Missing a check for minimum sell amount at make function

RubiconMarket: buy() may not take any fee for tokens with low decimal precision

Stuck ether when use function `stake` with empty `derivatives`(`derivativeCount` = 0)