PM borrow liabilities are omitted from backing, allowing phantom surplus settlement

BuilderWallet `init()` is unprotected/re-initializable, enabling takeover and theft of builder fees

Division-by-zero in long-leg collateral requirement can block solvency checks and `dispatchFrom` (liquidation/force-exercise) for tickSpacing==1 pools

Missing access control in `WERC7575Vault` allows unauthorized withdrawals

Unable to upload guardian shares on social backup

Replayable recovery requests allow attacker to permanently block account recovery

Guardian share replay overwrite causes persistent recovery DoS (missing session binding)

Global Variable Manipulation During Active Draw Alters End Result

`set_invocation_costs_config()` fails to authorize admin allowing anyone to set invocation costs

`twap()` under-charges for multi-period queries due to hardcoded `periods=1`

Systematic Overcharge in prices and x_prices: Fee Charged for Requested Records While Return is Capped at 20

Expiration vector length mismatch causes panic in extend_ttl() when assets are added with zero initial expiration period

CLFactory ignores dynamic fees above 10% and silently falls back to default

CL gauge accepts unverified pools, allowing malicious pool to brick distribution

PLONK/Groth16 verifiers accept proofs with untrusted recursion vk root

CREATE2 address of the uniswap pair used by `LaunchPad` does not match address of pair deployed by `GTELaunchpadV2PairFactory`

`LaunchToken` transfers cause staking rewards to be lost to the `LaunchPad`

Launchpad slippage is not enforced properly during token graduation