Reward tokens can't be added again once they are removed because there is no way to reset the user's previous debt/cache state.

Users wouldn't claim their unclaimed rewards once the reward token is removed.

`SingleSidedLiquidityVault.deposit()` and `SingleSidedLiquidityVault.withdraw()` will revert if `rewardToken.lastRewardTime > block.timestamp`.

Lenders can default the loan by reverting the `repay()` function.

Borrowers can abuse lenders and steal debt tokens.

`Cooler.roll()` wouldn't work as expected when `newCollateral = 0`.

`Cooler.clear()` should set `rollable = false` when it adds the loans.

`PerpDepository._rebalanceNegativePnlWithSwap()` shouldn't use a `sqrtPriceLimitX96` twice.

`rebalanceLite` should provide a slippage protection

rescueERC20() is not safe for tokens with multiple addresses

Anyone can fabricate the stream history

A malicious user can cancel other's orders using `CrabNetting.checkOrder()`.

Wrong constants for time delay

The protocol shouldn't charge interests when paused

Lyra vault underestimates the collateral value

The virtual price of collateral is less than it should be.

Keepers can modify option exercise result using different asset price

`tokenX.transfer` will not work as intended from some ERC20 tokens.

A malicious user can drain the protocol funds using `reclaimContract()`.

Attacker can trigger permanent lock of funds of normal traders

The NFT might be locked inside the protocol forever after the contract was settled.

Protocol can lose the fee and withdrawal function can become useless.

`Staking.unstake()` doesn't decrease the original voting power that was used in `Staking.stake()`.

`Staking._stakeToken()` calculates `stakedTimeBonus` wrongly.

The total community voting power can be huge because of incorrect conditions.

`Governance.queue()` should update the `CommunityScoreData.proposalsPassed` instead of `CommunityScoreData.proposalsCreated`.

Voters can increase their community voting power without any token voting power using `castVote()`.

`Staking._stakeToken()` and `Staking.evilBonus()` don't calculate a voting power for a monster like a document.

Circuit breaker could cancel the last transaction to prevent an unnecessary loss

`ERC5095.withdraw()` and `ERC5095.redeem()` don't transfer the principal token to the contract when they work before maturity.

`ERC5095.mint()` uses the wrong slippage limit.

Can not change the fee of the Redeemer

Refinance validation is wrong

Potential debt calculation on new loan is wrong

`AuctionHouse.cancelAuction()` doesn't refund the last bidder.

timeToEpochEnd is wrong

Rate is used in wrong units

`AuctionHouse.createBid()` will revert when it should increase the duration.

Inconsistent usage of `firstBidTime` in `AuctionHouse.createAuction()` and `AuctionHouse.createBid()`

ChangeInSlope function is wrong.

Borrower might get loss while repaying.

Users might steal the remaining fees inside the `ExchangeProxy` contract after `cardTopupToken` is changed.

`AssetManager.removeAdapter()` doesn't update `withdrawSeq` after removing an adapter.

`AssetManager.rebalance()` will revert when the balance of `tokenAddress` in the money market is 0.

The `Vault` contract should check more validations to prevent the `first depositor` issue.

`Vault.convertToShares()` and `onTokenTransfer()` check the wrong condition for the first deposit.

`Vault._withdrawFromPlugin()` always reverts when `_amount == 0`.

The admin might add the same plugin using `Vault.addPlugin()` by fault.

In `Auction.sol`, users might fail to withdraw the funds from the processed auction because of the uint underflow.

`AuctionInternal._previewWithdraw()` might return the wrong result after some orders are removed during the withdrawal.

`Auction.getEpochsByBuyer()` might omit some valid epochs.

Chainlink's latestRoundData might return stale or incorrect results.

Funds might be locked inside the `Vault` for the fee-on-transfer tokens.

`TradingUtils._executeTrade()` doesn't check `preTradeBalance` properly.

`Account` contract might be locked when `underlying` = address(0).