Improper Transfer Restrictions on Non-Bridged Tokens Due to Boolean Bridged Token Tracking, Allowing a DoS Attack Vector

ZENO Token Redemption Returns Negligible USDC Amount Compared to Purchase Price

Incorrect decimal handling in `Auction::buy()` leads to massive overpayment for ZENO tokens

RAACNFT mint function receives funds to address(this) but has no way of withdrawing them

Multiple issues from unnecessary balance increase calculation in DebtToken.mint

RToken's transfer function lead to loss of funds due to incorrect math

Users can borrow more assets than they have deposited as collateral

Critical Economic Design Flaw in ZENO Zero-Coupon Bond Implementation Leads to Guaranteed User Losses

Scaled Allowance Mismatch Enables Over-Approval Exploit

Incorrect DebtToken totalSupply Scaling Breaks Interest Rate Calculations

Incorrect Return Values and Double Scaling in `RToken.burn` Function Leads to Denial of Service

RToken.transferFrom() Does Not Scale User Balances Due to Stale Liquidity Index

LendingPool::getNormalizedIncome() returns stale liquidity index

Liquidation Cannot Be Closed Even With Healthy Position Due To Strict Debt Check

`RToken::calculateDustAmount` are incorrectly calculated, leading to not be able to transfer the accrued dust amount

Concurrent Oracle Fulfillments Overwrite House IDs, which leads to Incorrect Pricing

Liquidations are enabled when repayments are disabled, causing borrowers to lose funds without a chance to repay

Due to not counting the assets stake on crvVault the reported amount of dust will not be correct

getNormalizedDebt will return a wrong Amount when Timedelta is 0.

Impossible to rescue funds from `RToken` contract

Incorrect Timestamp Tracking in RAACHousePrice contract

Incorrect Comparison Between Scaled and Unscaled Amounts in _repay

If the Rtoken Contract is minted with 0 amount, an invalid value is returned.

Missing Burn Functionality in RAACNFT

Cross-Chain Signature Replay Attack Due to User-Supplied `domainSeparator` and Missing Deadline Check

Lack of deadline check in forwarded request

The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0, this can cause potential loss for the new depositors

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

The Aave pool is hardcoded

Critical: Malicious user can delete all Users Deposited Liquidity.

Fee Evasion via LP Token Transfer Resets Deposit Value

Incorrect Handling Of Nft Self-Transfer In afterupdate Hook Allows The Owner To Grief A Buyer By Rendering The Nft Unable To Redeem Its Associated Liquidity, Resulting In A Loss Of Funds

Transferring deposit NFT doesn't check if the receiver exceeds the 100 deposit limit

not adding `claimable` balance to the total assets in `_harvestAndReport` can cause losses.

Missing Router Update Mechanism in StrategyMainnet Contract

Inconsistent Shutdown Enforcement Allows Asset Deployment Post-Shutdown

Strategy can miss capturing funds from positive slippage due to no deadline check on swaps

Minting zero tokens when underlyingToken is not Ether in cashIn()

`sellQuote` and `buyQuote` are missing deadline check in `LamboVEthRouter`