BaseAdapter::__BaseAdapter_init Should Use onlyInitializing, Not initializer

SettlementSignatureVerifier is missing check for duplicate validator signatures

`PhiFactory:claim` Potentially Causing Loss of Funds If `mintFee` Changed Beforehand

AuraVault inherits AccessControl BUT does not call the _setupRole() function in it's constructor to set the initial roles, this leads to a complete DOS of the important claim function rendering the contract unable to claim rewards

WhenNotPaused modifier in the CDPVault can be bypassed by users

`PendleLPOracle::_fetchAndValidate` uses Chainlink's deprecated `answeredInRound`

INFLATION_PROTECTION_TIME can not be up to a year as intended because it is hardcoded to `1749120350`

incorrect price for negative ticks due to lack of rounding down

Vaults can become immune from liquidation by setting `vault.recipient` to a blacklisted quote token address

Chainlink's `latestRoundData` might return stale or incorrect results

Malicious User can call `lockOnBehalf` repeatedly extend a users `unlockTime`, removing their ability to withdraw previously locked tokens

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

Attacker can increase the length of `withdrawQueue` by withdrawing 0 amount of tokens frequently

`CurveConnector` will be non-functional on Arbitrum & Polygon due to the improper integration with Convex Boosters on these chains

Using the same heartbeat for multiple price feeds

Use custom gas in `sendMintMessage` instead of default gas

Do not hardcode `_zroPaymentAddress` field to `address(0)`

Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.

formPOL lacks slippage and deadline protection

Unauthorized Access to setCurves Function

Curves::_buyCurvesToken(), Excess of Eth received is not refunded back to the user.

`costInEuros` calculation will incur precision loss due to division before multiplication

Lack of storage gap in SDLPool.sol can lead to upgrade storage slot collision.

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

Auction payout goes to AuctionDemo contract owner, not the token owner

Soft Restricted Staker Role can withdraw stUSDe for USDe

Due to extremely short `votingDelay` and `votingPeriod`, governance is practically impossible.

Use of UniswapV3 slot0() function to get sqrtPriceLimitX96 can lead to price manipulation.

Return value of low level `call` not checked.

Proposals which intend to send native tokens to target addresses can't be executed

TOFT and USDO Modules Can Be Selfdestructed

Refund mechanism for failed cross-chain transactions does not work

Potential loss of value in YieldBox's `depositETHAsset()`

EUSD.mint function wrong assumption of cases when calculated sharesAmount = 0

latestRoundData has no check for Round completeness.

Risk of silent overflow in reserves update

Calling `ExpiringMarket.stop` and `ExpiringMarket.isClosed` functions cannot pause any functionlities of the market

Chainlink price feed is not sufficiently validated and can return stale price