Nobody can cast for any proposal

setValidatorAddress may never be successfully executed in some cases

LiquidationModule.liquidate updates global position data with stale price

The updatePythPrice modifier should add an empty array check

The owner of any position can close the position with the minimum tradeFee regardless of the additionalSize of the position

LimitOrder.cancelLimitOrder can be used to unlock position with LeverageClose order

LeverageModule.executeOpen doesn't apply Check-Effect-Interaction pattern

Malicious users can obtain large amounts of FMP at a small cost

In LeverageModule.executeOpen/executeAdjust, vault.checkSkewMax should be called after updating the global position data

If the oracle from Pyth is down, OracleModule._getPrice will always revert

Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.

round.deposits may have duplicate currentEntryIndex

VestingInfo.period causes the logic of the two functions to be inconsistent

When asset.useMovingAverage is true, _getCurrentPrice may get stale price in some cases

When calling LeverageMacroBase.doOperation to open a CDP, the POST CALL CHECK may use the wrong cdpId

Lenders can escape the blacklisting of their accounts because they can move their MarketTokens to different accounts and gain the WithdrawOnly Role on any account they want

Borrower can drain all funds of a sanctioned lender

All tokens can be stolen from `VirtualAccount` due to missing access modifier

Incorrect flag results to _hasFallbackToggled always set to false on createMultipleSettlement.

If RootBridgeAgent.lzReceiveNonBlocking reverts internally, the native token sent by relayer to RootBridgeAgent is left in RootBridgeAgent

BaseBranchRouter._transferAndApproveToken may revert in some cases

When using BaseBranchRouter as a router on the 'Arbitrum' branch, we are unable to invoke the 'callOutAndBridge' function.

In DonationVotingMerkleDistributionBaseStrategy._registerRecipient, the status returned by _getUintRecipientStatus(recipientId) is always the status of the first recipient

allocator.voiceCredits is never accumulated throughout the QVSimpleStrategy._allocate flow

Funds may be stuck in QVSimpleStrategy in some cases

Allocator can significantly increase the number of votes of a certain recipient by calling Allo.allocate/batchAllocate multiple times

The protocol cannot use transfer-on-fee token as pool.token

RFPSimpleStrategy._distribute will revert in most cases

If RFPSimpleStrategy wants to use the registry anchor, _registerRecipient will always revert

onlyCentrifugeChainOrigin() can't require msg.sender equal axelarGateway

PartyBFacetImpl.chargeFundingRate should check whether quoteIds is empty array to prevent partyANonces from being increased, causing some operations of partyA to fail

The settle feature will be broken if attacker arbitrarily transfer collateral tokens to the PerpetualAtlanticVaultLP

The peg stability module can be compromised by forcing lowerDepeg to revert.

Users can get immediate profit when deposit and redeem in `PerpetualAtlanticVaultLP`

ConvexSpell/CurveSpell.openPositionFarm will revert in some cases

IBalancerVault.exitPool lacks slippage protection in AuraSpell.closePositionFarm

AuraSpell.openPositionFarm will revert in some cases

All rewardTokens may be stuck in BalancerAuraDestinationVault/CurveConvexDestinationVault

LiquidationRow._performLiquidation should delegatecall IAsyncSwapper.swap

LMPVaultRouterBase.mint/deposit will make the user's weth be stolen in some cases

IncentivePricingStats.updatePricingInfo updates fast/slow filters with the wrong average price

LMPVault._withdraw may cause some idleIncrease to be ignored, causing _baseAsset to get stuck in LMPVault

ConvexRewardsAdapter._claimRewards will revert in some cases

When DestinationVault is at loss, LMPVault._withdraw may revert in some cases due to underflow

ERC777 and similar token implementations allow stealing of funds when transferring tokens

`expressReceiveToken` can be abused using reentry

Proposal requiring native coin transfers cannot be executed

`TokenManager`'s flow limit logic is broken for `ERC777` tokens

In specific case, PartyB that should not be liquidated is liquidated due to wrong allocation in AccountFacet.depositAndAllocateForPartyB

Malicious PartyA/PartyB can prevent themselves from being liquidated

LiquidationFacetImpl.liquidatePartyB should call returnTradingFee to return the trading fee to PartyA when processing the quote whose status is LOCKED/CANCEL_PENDING

When symbol manager modifies the tradingFee of a certain symbol via ControlFacet.setSymbolTradingFee, the value returned by LibQuote.returnTradingFee is not the original fee

PartyBFacetImpl.lockQuote doesn't actually increment partyBNonces[partyB][partyA] by 1

Quote that have already been liquidated can be liquidated again in some cases

PartyA can front-run PartyBFacetImpl.emergencyClosePosition to prevent PartyB from closing position

l1Eco.notifyGenerationIncrease and L1ECOBridge.rebase should be called in the same tx

StableOracleDAI/StableOracleWBGL.getPriceUSD will never succeed due to wrong DAIEthOracle/staticOracleUniV3

StableOracleDAI.getPriceUSD incorrectly uses the price returned by priceFeedDAIETH.latestRoundData()

USSDRebalancer.SellUSSDBuyCollateral will revert in certain case

USSD.UniV3SwapInput executes uniRouter.exactInput without slippage protection

Attacker can manipulate the return value of USSDRebalancer.getOwnValuation for profit

USSD.mintRebalancer/burnRebalancer lacks onlyBalancer modifier

Malicious user transfers USSD or DAI to uniPool to affect the return value of USSDRebalancer.getSupplyProportion

StableOracleDAI/StableOracleWETH/StableOracleWBTC.getPriceUSD possible use stale price

Attacker can steal all erc20 in MarginTrading

Anyone can take away the reward tokens left by users when updating position via ConvexSpell#openPositionFarm

BalancerPairOracle#getPrice will revert due to division by zero in some cases

Delegation rewards are not counted toward granting fund

PositionManager's moveLiquidity can set wrong deposit time and permanently freeze LP funds moved

StandardFunding.fundingVote should not allow users who didn't vote in screening stage to vote

spell#closePositionFarm executes swapExactTokensForTokens without slippage protection

Liquidation will fail in certain scenario

CurveSpell#openPositionFarm will always revert

AuraSpell#openPositionFarm will not succeed for new users

Subaccount#execute lacks payable

If the contract that calls SwapperImpl.flash uses verifyCallback in the SwapperCallbackValidation library to verify msg.sender, it will cause a heavy funds loss

Unintentionally register a non-relevant DSN name owner

Incorrect implementation of RecordParser.readKeyValue()

CollateralManager.commitCollateral can not only block lender to accept any loan bids, but also make all collaterals of all loans stuck in the contract forever

updateCommitmentBorrowers does not delete all existing users

If the collateral is a fee-on-transfer token, repayment will be blocked

CHALLENGER_REWARD can be used to drain reserves and free mint

Challenges can be frontrun with de-leveraging to cause lossses for challengers

POSITION LIMIT COULD BE FULLY REDUCED TO ZERO BY CLONES

function `restructureCapTable()` in Equity.sol not functioning as expected

PrivatePool owner can steal all ERC20 and NFT from user via arbitrary execution

RubiconMarket batchOffer and batchRequote make offers as self; complete loss of funds for some types of tokens, for example WETH

Reward accounting is incorrect in BathBuddy contract

An attacker can steal all tokens of users that use `FeeWrapper`

Fee inclusivity calculations are inaccurate in RubiconMarket

Both buyAllAmountWithLeverage and sellAllAmountWithLeverage always revert

relayer can never successfully execute mintDepositInQueue and mintRollovers due to ERC1155's _doSafeTransferAcceptanceCheck

Due to rolloverQueue.pop(), mintRollovers may skip some users' QueueItem

If users won epoch he is rolling over, mintRollovers will cause these users  to lose funds

triggerDepeg and triggerEndEpoch will revert when the treasury of ControllerPeggedAssetV2 is different from the treasury of the new VaultV2

Malicious user can make rolloverQueue never get processed

ChangeTreasury does not correctly set the new treasury address and does not remove the old treasury address from whitelist

Underflow of `lpPosition.points` during withdrawLP causes huge reward minting

The currentMinted of vault will not decrease when the user repays TAU

Attacker uses flashloan for arbitrage resulting in user interest loss

Attacker can prevent the system from entering step 5 during the rebalancing period

User fund loss when rebalancingPeriod is not initialized

Game users may lose this round of rewards if they call rebalanceBasket before the end of step 8

At step 5 attacker can prevent xChainController from sending funds to vaults

Issue: user can still get same rewards after withdraw

Issue : User's rewards will be locked for a period of time