Reentrancy in `USDO.flashLoan()`, enabling an attacker to borrow unlimited USDO exceeding the max borrow limit

`ARBTriCryptoOracle` is vulnerable to read-only reentrancy

all deposit and withdraw function in Convex and Curve nativeLP Strategy, apply slippage on internal pricing; which call real-time on chain price from Curve directly and subject to MEV

while creating deposit, fee can be deducted in wrong manner if initialToken is not final token

faulty abi decoding from revert in catch block can lead to attacker controlled execution

potentially using old price from pricefeed in oracle due to unchecked timestamp difference

unsatisfiable condition in `getAdjustedLongAndShortTokenAmounts`

Oracle data feed is insufficiently validated.

Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom

ERC20 return values not checked

tokenBalanceOfAddress of nftOwner becomes permanently incorrect after arbRestake

Tokens can be stolen when `depositToken == rewardToken`

DOS while dealing with erc20 when value(i.e amount*decimals) is high but less than type(uint112).max

Improper implementation of `arbitraryCall()` allows protocol gov to steal funds from users' wallets

FeeSplitter: No sanity check to prevent shareholder from being added twice.

Unrestricted vestFor

WrappedIbbtcEth contract will use stalled price for mint/burn if updatePricePerShare wasn't run properly

Null check in pricePerShare

absolute difference is not calculated properly when a > b in MathUtils

Incorrect balance computed in `getUsersConfirmedButNotSettledSynthBalance()`

latestMarket used where marketIndex should have been used