Unauthorized Reallocation in `NudgeCampaign::handleReallocation` and Reward Disruption Vulnerability in `NudgeCampaign::invalidateParticipations`

Lack of slippage check on `ReputationMarket::sellVotes` will cause vote sellers to sell at a worse price than intended

`OUSGInstantManager` will allow Excessive OUSG Token Minting During USDC Depeg Event

Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win

A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

Player can mint more fighter NFTs during claim of rewards by leveraging reentrancy on the `claimRewards() function `

Fighters cannot be minted after the initial generation due to uninitialized `numElements` mapping

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

FighterFarm:: reroll won't work for nft id greator than 255 due to input limited to uint8

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered(steal protocol's token)

Can mint NFT with the desired attributes by reverting transaction

Fighter created by mintFromMergingPool can have arbitrary weight and element

Owner cannot withdraw all interest due to wrong calculation of accrued interest in WithdrwaCarry

Users will lose rewards when buying new tokens if they already own some tokens

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

Attacker can reenter to mint all the collection supply

Adversary can block `claimAuction()` due to push-strategy to transfer assets to multiple bidders

`MinterContract::payArtist` can result in double the intended payout

Bidder Funds Can Become Unrecoverable Due to 1 second Overlap in `participateToAuction()` and `claimAuction()`

Auction winner can prevent payments via `safeTransferFrom` callback

Incorrect calculations for Surplus Auction creation cause massive surplus imbalances

Unable to retrieve price information with CamelotRelayer contract

Due to extremely short `votingDelay` and `votingPeriod`, governance is practically impossible.

Voters from VotingEscrow can vote infinite times in vote_for_gauge_weights() of GaugeController

User don't have to deposit for a week into the market to get his weekly reward from the `LendingLedger`

If governance removes a gauge, user's voting power for that gauge will be lost.

Initial deploy won't succeed because of too high `initialMintAmount` for USDC market

Proposals which intend to send native tokens to target addresses can't be executed

`fastTrackProposalExecution` doesn't check `intendedRecipient`

`TemporalGovernor` can be bricked by `guardian`

only `guardian` can change `guardian`

malicious `emissionToken` could poison rewards for a market

`excuteProposal` can fail due to Wormhole guardian change

`expressReceiveToken` can be abused using reentry

Multisig can execute the same proposal repeatedly

Deployer wallet retains ability to spoof validated senders after ownership transfer

Gas fees are refunded to a wrong address when transferring tokens via `InterchainToken.interchainTransferFrom`

Proposal requiring native coin transfers cannot be executed

`TokenManager`'s flow limit logic is broken for `ERC777` tokens

repeated rebalances lets an operator steal funds

changing `managerFeeBPS` can cause unfair shares in pool

Wrong address used for uniswap static oracle

uniswap trades are done without slippage

`USSD::mintRebalancer` and `USSD::burnRebalancer` and callable by anyone

protocol uses uniswap spot price when rebalancing

rebalancing calculates wrong sell amount and can revert

`StableOracleDAI` uses wrong decimals for chainlink feed

no oracle staleness validation

removing collateral will lock tokens in contract

unborrowed JUSD are stuck in `JUSDBank`

`SubAccount::execute` lacks `payable`

`CollateralManager::commitCollateral` has no access control

`LenderCommitmentForwarder::updateCommitment` allows lender to be changed

defaulting doesn't change the state of the loan

market owner and protocol can game borrowers

market owner can front run bids and lower default duration

bids can be created against markets that doesn't exist

due date and defaulting doesn't align

last repayments are calculated incorrectly for "irregular" loan durations

Wrong calculation of repayment amount in Position contract

Position doesn't distribute rewards to users

Some positions will get liquidated immediately

Reward accounting is incorrect in BathBuddy contract

DOS of market operations with malicious offers

Low level calls to accounts with no code will succeed in `FeeWrapper`

Incorrect fee handling in Position.sol's Market Buy/Sell functions

A liquidated position possibly cannot be closed

Incorrect calculations can occur when calling `Position._marketBuy` and `Position._marketSell` functions that do not include maker fee in `_fee`

Calling `Position._marketBuy` and `Position._marketSell` functions that calculate `_fee` by dividing by `10000` can cause incorrect calculations

winnings for an epoch is lost when rolling over

changing an existing rollover updates the `ownerToRollOverQueueIndex` wrong

`depositFee` can be bypassed

executed rollovers can be delisted which trades places with last unexecuted one

malicious contract can DoS queues

gas costs for minting rollovers is inflated by lost positions

emissions for null epochs are lost

`Vault::claimTokens` uniswap swaps can be abused

vault stakers and game players share the same reward pool

multiple withdrawalRequest before the first rebalance will burn LPTokens but only give underlying for the last request

`XChainController::sendFundsToVault` can be griefed and leave `XChainController` in a bad state

calling `pushTotalUnderlyingToController` on an inactive vault will break rebalance

`Vault::pullFunds` doesn't pull funds from underlying providers correctly

allocations to a blacklisted protocol will stop rebalancing

blacklisted protocol still accrues rewards

`Swap::swapStableCoins` assumes 1:1 price

Trading within threshold can siphon out minted ohm

`ohmRemoved` is calculated incorrectly

a protection seller can deposit and withdraw in the same cycle

a secondary market for sTokens is dangerous with how withdrawals work

a buyer of protection can overprotect their position

non claimed `unlockedFunds` are stuck in `ProtectionPool`

secondary markets are problematic with how `lockCapital` works

First vault depositor can steal other's assets

Staking rewards can be drained

The calculation of ````takeFees```` in ````Vault```` contract is incorrect

Anyone can reset fees to 0 value when Vault is deployed

`Vault::takeFees` can be front run to minimize `accruedPerformanceFee`

`quitPeriod` is effectively always just `1 day`

KYCRegistry is susceptible to signature replay attack.

attacker can prevent vesting for a very long time

`FeeRefund.tokenGasPriceFactor` is not included in signed transaction data allowing the submitter to steal funds

Arbitrary transactions possible due to insufficient signature validation

methods used by EntryPoint has `onlyOwner` modifier

[Medium-3] Non-compliance with EIP-4337

Hijacking of node operators minipool causes loss of staked funds

node operator is getting slashed for full duration even though rewards are distributed based on a 14 day cycle

any duration can be passed by node operator

slashing fails when node operator doesn't have enough staked `GGP`

MultisigManager may not be able to add a valid Multisig

State Transition: Minipools can be created using other operator's AVAX deposit via recreateMinipool

NodeOp funds may be trapped by a invalid state transition

Admin does not have to wait to call `lastResortTimelockOwnerClaimNFT()`

First depositor can break minting of shares

`LPDA` price can underflow the price due to bad settings and potentially brick the contract

`saleReceiver` and `feeReceiver` can steal refunds after sale has ended

ETH will get stuck if all NFTs do not get sold.

Anyone can call AutoPxGmx.compound and perform sandwich attacks with control parameters

Giant pools can be drained due to weak vault authenticity check

Old stakers can steal deposits of new stakers in `StakingFundsVault`

Incorrect implementation of the ETHPoolLPFactory.sol#rotateLPTokens let user stakes ETH more than maxStakingAmountPerValidator in StakingFundsVault, and DOS the stake function in LiquidStakingManager

Borrower/Lender excessive ETH not refunded and permanently locked in protocol

`repay` function can be DOSed

`Market::forceReplenish` can be DoSed

Two day low oracle used in `Market.liquidate()` makes the system highly at risk in an oracle attack

Chainlink oracle data feed is not sufficiently validated and can return stale `price`

`Token:mint`: infinite loop if the founders' shares sum up to 100

low market bonds/swaps not working after loan is taken from treasury