First-Hook Reward Capture Starves Other Pools

Reward Accrual Wipe via Premature Index Reset in stake/unstake

Pre-Campaign Epochs Cause Cashback Overpayment

Idle-Time Emissions Misallocated to First Post-Zero Staker

Reward Misallocation from Unsettled Mint Rate Change

Zero amount first mint sets LP>0 with 0–0 reserves, causing division-by-zero deposit DoS

Unbounded pendingRemovals sweep in finalize triggers per-epoch settlement DoS (gas exhaustion)

Pool-vs-token lastUpdated mismatch over-credits rewards

Zero-Liquidity Burns Incentive Budget

Inclusive high index to OOB right key; wrong-range settlement & fee mis-accounting

chargeTrueFeeRate width-scaling mismatch undercharges takers & underpays makers

Missing subtreeBorrowedX/Y Propagation Undercharges Taker Fees and Underpays Makers

Unintended JIT principal penalty via burnAsset mis-sequencing

`ViewWalker.down` misassigns X-fee propagation for the right child

MakerFacet.adjustMaker pays removed liquidity to msg.sender instead of the provided recipient

PoolFacet Mint Callback Zero-Transfer Revert DoS

Shift-Overflow in getEquivalentLiq Inflates LP Shares

Unauthorized Migration via Caller-Supplied ControlTower Parameter

VsTAN.processRewards allows starting a new reward epoch while totalSupplyVsTan == 0

FULL-restricted addresses can bypass staking restrictions via `sNUSD.mint()` and `sNUSD.deposit()`

Missing claimed update in claim() enables unlimited re-claims (full drain)

Factory.set_gauge_controller asserts on the input parameter being zero instead of the contract state being unset

EverclearBridge fails to pull tokens, locking funds in Rebalancer

logic in the ShareManager.updateChecks() function completely inverts the transfer whitelist enforcement

DepositQueue Index Misuse Enables Vault-Wide DoS via Negative Fenwick Prefix

Unrestricted Operator Registration Leading to Gas-Based Denial of Service in VotingPowerProviderLogic.registerOperator()

Whitelist Bypass in OperatorsWhitelist.sol Enables Unvetted Operators to Gain Voting Power