It is not possible to execute actions that require ETH (or other protocol token)

No slippage control when minting and redeeming FPS

need alternative ways for fund transfer in `end()` to prevent DoS

function `restructureCapTable()` in Equity.sol not functioning as expected

`changeFeeQuote` will fail for low decimal ERC20 tokens

Reward accounting is incorrect in BathBuddy contract

DOS of market operations with malicious offers

Some offers can't be cancelled

Use of `block.number` leads to incorrect interest calculations

Fee inclusivity calculations are inaccurate in RubiconMarket

Incorrect fee handling in Position.sol's Market Buy/Sell functions

Zero reward rate calculation impedes low-decimals token distributions

Attack on rounding errors to get risk free profit

Calling `Position._marketBuy` and `Position._marketSell` functions that calculate `_fee` by dividing by `10000` can cause incorrect calculations

Price of sfrxEth derivative is calculated incorrectly

An attacker can DOS `Carousel.mintDepositQueue()`, freezing tokens of all the previous deposits.

`Carousel.enlistRollover` always overwrite the `_receiver` `ownerToRollOverQueueIndex` mapping, breaking the delisting process.

Updating a pool's total points doesn't affect existing stake positions for rewards calculation

Borrowers can get undercollateralized loans if loan and collateral tokens have different decimals

Interest will not accrue properly for low decimal tokens

Incorrect update of `cachedUserRewards` breaks tracking of rewards, leading to users able to claim more than expected

If a reward token is added with distribution starting in the future, the vault is broken until that point.

Wrong update of `ohmRemoved` in `withdraw()` means users can bypass `LIMIT`

Incorrect check in `claimCollateral` leads to the function always reverting

Incorrect adjusted amount calculation in `getAdjustedLongAndShortTokenAmounts()` always reverts

Variable subtracted where it should be assigned leads to `getAdjustedLongAndShortTokenAmounts()` reverting.

Incorrect funding amount due to precision loss in `getNextFundingAmountPerSize()` for markets with low open interest

`refundDeposit` can be DOS

Attackers can DOS claims of `USDC` blacklisted claimers

refund logic is unfair to funders.

Multiple accounts can have the same identity

Any user can drain the entire reward fund in MultiRewardStaking due to incorrect calculation of `supplierDelta`

DOS any Staking contract with Arithmetic Overflow

Accrued perfomance fee calculation takes wrong assumptions for share decimals, leading to loss of shares or hyperinflation

Fee on transfer token not supported

User may loose rewards if the receipt is minted after quest end time

Deadlock in valuts with underlying token with less then 18 decimals

Lack of support for fee-on-transfer token

wrong reward distribution between early and late depositors because of the late syncRewards() call in the cycle, syncReward() logic should be executed in each withdraw or deposits (without reverting)

Manager can get around min reserves check, draining all funds from Collateral.sol

Chainlink price feed is not sufficiently validated and can return stale price

When a smart contract calls CrossChainRelayerArbitrum.processCalls, excess submission fees may be lost

`payer` cannot cancel if the `recipient` is blacklisted by `USDC`

safeTransfer is not implemented correctly

`withdrawAuction()` will always revert if one `withdrawer` is blacklisted by `USDC`

Underlying assets stealing in `AutoPxGmx` and `AutoPxGlp` via share price manipulation

Deposit Feature Of The Vault Will Break If Update To A New Platform

Protocol insolvent - Permanent freeze of funds

Dao admin in LiquidStakingManager.sol can rug the registered node operator by stealing their fund in the smart wallet via arbitrary execution.

Node runners can lose all their stake rewards due to how the DAO commissions can be set to a 100%

Freezing of funds - Hacker can prevent users withdraws in giant pools

Adding non EOA representative

StandardPolicyERC1155.sol returns amount == 1 instead of amount == order.amount

Yul `call` return value not checked

call opcode's return value not checked.

Attacker may DOS auctions using invalid bid parameters

Borrower can close a credit without repaying debt

Reentrancy bug allows lender to steal other lenders funds

Mistakenly sent eth could be locked

address.call{value:x}() should be used instead of payable.transfer()

Borrower/Lender excessive ETH not refunded and permanently locked in protocol

`DnGmxSeniorVault` share minting can be broken by early depositor.

Oracle assumes token and feed decimals will be limited to 18 decimals

Chainlink oracle data feed is not sufficiently validated and can return stale `price`

`PublicVault.deposit()` can be broken by early minter

`initialize` does not check `runtimeConfig.royaltiesBps`, which can break the royalty functionality

`_payoutToken[s]()` is not compatible with tokens with missing return value

`_payoutEth()` calculates `balance` with an offset, always leaving dust `ETH` in the contract

Governor can rug pull the escrow

StandardPolicyERC1155.sol returns amount == 1 instead of amount == order.amount

Yul `call` return value not checked

deposit() can be broken by early minter

`_latestAnswer64x64()` can return an incorrect result and lead to stale prices being used in `Auction`

Centralization risk: admin have privileges: admin can set address to mint any amount of frxETH, can set any address as validator, and change important state in frxETHMinter and withdraw fund from frcETHMinter

`recoverEther` not updating `currentWithheldETH` breaks calculation of withheld amount for further deposits

not able to create claim

Supply cap of VariableSupplyERC20Token is not properly enforced

Griefing attack on the Vaults is possible, withdrawing the winning side stakes

Quorum votes have no effect for determining whether proposal is defeated or succeeded when token supply is low

Unsafe casting from int128 can cause wrong accounting of locked amounts

NFT of NFT collection or NFT drop collection can be locked when calling _mint or mintCountTo function to mint it to a contract that does not support ERC721 protocol

Malicious Creator can steal from collectors upon minting with a custom NFT contract

`mintFromFixedPriceSale` for a custom contract can lead to users losing funds

Error in allowance logic

`fillOrder()` and `exercise()` may lock Ether sent to the contract, forever

Putty position tokens may be minted to non ERC721 receivers

Protocol fee rate can be arbitrarily modified by the owner and the new rate will apply to all existing orders

No cap on fees can result in a DOS in BathToken.withdraw()

Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`

Use `call()` instead of `transfer()` when transferring ETH in RubiconRouter

Use safeTransferFrom instead of transferFrom for ERC721 transfers

Owner can modify the feeRate on existing vaults and steal the strike value on exercise

Owner can set the feeRate to be greater than 100% and cause all future calls to `exercise` to revert

safeTransferFrom is recommended instead of transfer (1)

Use of `.send()` May Revert if The Recipient's Fallback Function Consumes More Than 2300 Gas

SuperVault's leverageSwap and emptyVaultOperation can become stuck