`_withdraw` function uses `shortTokenPrice.max` instead of `shortTokenPrice.min` when computing negative PnL adjustment, leading to underestimation of losses and excessive collateral withdrawal

Cross-Chain Signature Replay Attack Due to User-Supplied `domainSeparator` and Missing Deadline Check

Lack of deadline check in forwarded request

LamboFactory can be permanently DoS-ed due to createPair call reversal

Minting zero tokens when underlyingToken is not Ether in cashIn()

Calculation for `directionMask` is incorrect

Since the cost of launching a new pool is minimal, an attacker can maliciously consume VirtualTokens.

`LamboRebalanceOnUniswap::_getTokenInOut` formula used to compute rebalancing amount is wrong for a UniV3 pool

`sellQuote` and `buyQuote` are missing deadline check in `LamboVEthRouter`

Attacker can copy valid message and call `solana-vault::oapp_lz_receive` with arbitrary accounts allowing him to steal tokens from `vault_deposit_wallet`

Wrong type used for `questionId` in proposal EIP-712 typeHash, making it non-compliant with EIP712

Lenders can escape the blacklisting of their accounts because they can move their MarketTokens to different accounts and gain the WithdrawOnly Role on any account they want

Blocked accounts keep earning interest contrary to the WhitePaper

AccessControlHooks onQueueWithdrawal() does not check if market is hooked which could lead to unexpected errors such as temporary DoS

Role providers cannot be EOAs as stated in the documentation.

Inconsistency across multiple repaying functions causing lender to pay extra fees.

`FixedTermLoanHooks` allow Borrower to update Annual Interest before end of the "Fixed Term Period"

`Flashlender.sol#flashLoan()` should use `mintProfit()` to mint fees. The current implemetation may lead to locked up WETH in PoolV3.

Because of the Asset:Share 1:1 Conversion, if Vault Incur a Loss, the Last User to Withdraw Will Take The Entire Loss

DOS attack to SwapAction.transferAndSwap() when using an ERC20 permit transferFrom.

Malicious actor can abuse the minimum shares check in `StakingLPEth` and cause DoS or locked funds for the last user that withdraws

`PendleLPOracle::_fetchAndValidate` uses Chainlink's deprecated `answeredInRound`

Market Disruption and Financial Loss Post-Liquidation

`LiquidationBranch::checkLiquidatableAccounts()` executes `for` loop with wrong values, causing array out of bounds to be recovered, the program will not work as expected

Insufficient checks to confirm the correct status of the sequencerUptimeFeed

Functions calling `verifyReport` to verify offchain prices from chainlink will fail

Deleting CollateralTypes from the CollateralLiquidationPriority allows traders to be liquidated for free and getting back their full collateral as if they were not liquidated.

Fees are not sent to their respective recipients when dealing with low decimals tokens

Mellow assume 1 stETH == 1 WETH which open-up opportunities for arbitrage

Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect

Fragmentation fee is not taken if user compensates with newly created position

Users can not to buy/sell minimum credit allowed due to exactAmountIn condition

`DrawManager::finishDraw` can revert when the sum of rewards to distribute is more than available reserve

ClaimPrize hooks gas limit can be violated using a gas bomb, making `claimPrizes` revert

`Claimers` can receive less `feePerClaim` than they should if some prizes are already claimed or if reverts because of a reverting hook

Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine

Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply

Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults

Attacker Can Frontruns User's Withdrawals To Make Them Reverts Without Costs

Value of kerosene can be manipulated to force liquidate users

setUnboundedKerosineVault not called during deployment, causing reverts when querying for Kerosene value after adding it as a Kerosene vault

No incentive to liquidate when CR <= 1 as asset received < dyad burned

If a redemption has N disputable shorts, it is possible to dispute N-1 times the redemption to maximize the penalty

Using cached price to create a proposal reduce the efficacity of redemptions for asset peg

oracleCircuitBreaker: Not checking if price information of asset is stale

Chainlink oracle fallback protection is ineffective if cloPrice returns 0

`TwabLib::getTwabBetween` can return innacurate balances if `_startTime` and `_endTime` aren't safely bounded

The winner can steal claimer fees, and force him to pay for the gas

Underflow in `AbstractStakingAM._getRewardBalances` will cause a DoS of all operations during a period of time

User can evade `liquidation` by depositing the minimum of tokens and gain time to not be liquidated

Attacker Can Inflate LP Position Value To Create a Bad Debt Loan

SALT staker can get extra voting power by simply unstaking their xSALT

TWAP oracle is manipulable as the only time-window requirement is `blockTimestamp

The userGaugeProfitIndex is not set correctly, allowing an attacker to receive rewards without waiting

Users staking via the `SurplusGuildMinter` can be immediately slashed when staking into a gauge that had previously incurred a loss

Anyone can prolong the time for the rewards to get distributed

Malicious borrower can decrease Guild holders reward

Lenders can escape the blacklisting of their accounts because they can move their MarketTokens to different accounts and gain the WithdrawOnly Role on any account they want

Blocked accounts keep earning interest contrary to the WhitePaper

AccessControlHooks onQueueWithdrawal() does not check if market is hooked which could lead to unexpected errors such as temporary DoS

Role providers cannot be EOAs as stated in the documentation.

Inconsistency across multiple repaying functions causing lender to pay extra fees.

`FixedTermLoanHooks` allow Borrower to update Annual Interest before end of the "Fixed Term Period"

Owner of a bad ShortRecord can front-run flagShort calls AND liquidateSecondary and prevent liquidation

Possible DOS on deposit(), withdraw() and unstake() for BridgeReth, leading to user loss of funds

BridgeRouterFacet::withdraw() and unstake() can revert when amount * TVL > uint88 because of PRBMathHelper::mulU88

`TwabLib::getTwabBetween` can return innacurate balances if `_startTime` and `_endTime` aren't safely bounded

The winner can steal claimer fees, and force him to pay for the gas