Pending bucket rewards can be reset to 0 via stake/unstake every block (lastRewardIndex reset without checkpoint)

Cashback rewards can be claimed retroactively before program deployment leading to a loss of yield/funds

Inflated emissions can be captured by staker after idle periods

Retroactive mint rate increase mints past emissions at new rate

Loss of yield trough severely reduced USDC cashback payouts on BNB

Geometric pool swap costs can be evaded through repeated small transactions leading to a loss of yield for LP's

Geometric exact amount out floors input via into_int(), allowing an attacker to completely drain any geometric pool

DOS in XYK pool liquidity provision trough one sided initial deposit

Any change in bucket size will DOS order cancellation leading to frozen user funds and halts the entire auction

Integer overflow in XYK invariant computation causes denial of service for high-decimal tokens

Unsafe ERC20 leftover forwarding to mutable fee treasury

Zero-supply windfall condition in RewardAccumulator

DOS in DineroWithdrawRequestManager can block withdrawals

Different Token Decimals on different chains are not accounted for when borrowing or repaying across chains, leading to a loss of funds for the protocol and users

Incorrect if clause in LendStorage::borrowWithInterest leads to cross chain borrows not being added to the borrowed amount which breaks the liquidation and LEND distribution system