User is blocked from providing liquidity in case he has more then half of his tokens unlocked

Attacker can front run VVVVCTokenDistributor's Claim function

Collateral can already be seized even when negRiskMarket is not fully resolved

Lender can deny a repayment by getting themselves on the USDC blacklist

Missing onlyOwner modify on updateExtension

Wrong call order for `setTopPoolIdsWithWeights`, resulting in wrong distribution of rewards

Bribe rewards are lost if a pool receives no votes during an epoch

Unlocked positions can still vote

Bribes can be denied by filling up a farm with fake bribes until `MAX_BRIBES_PER_POOL` limit

Incorrect access control for `_requireOnlyOperatorOrOwnerOf()`. Anyone can call `MlumStaking.addToPosition()` for other users, with various impacts.

Users can artificially create a voting ballot with 2 weeks `lockDuration`, effectively bypassing the 3-month limit

Down Rebasing Tokens will cause bankrun in MlumStaking and MasterChefV2

New staking positions still gets the full reward amount as with old stakings, diluting rewards for old stakers

Max exposure cap can be bypassed on assets using WrappedAerodromeAM.sol

LP can instantly arbitrage and drain any Maker by updating the Pyth price

OracleMaker's price with spread does not take into account the new position

USDT/USDC depeg event will pit both makers at a highly risky position due to arbitrage

No slippage check for deposit/withdraw in either Makers

`CREATE2` address collision against an Account will allow complete draining of lending pools

L2 sequencer down will push an auction's price down, causing unfair liquidation prices, and potentially guaranteeing bad debt

New staking between reward epochs will dilute rewards for existing stakers. Anyone can then front-run `OperationalStaking.rewardValidators()` to steal rewards

Frontrunning validator freeze to withdraw tokens

No cooldown in `recoverUnstaking()`, opens up several possible attacks by abusing this functionality.

`validatorMaxStake` can be bypassed by using `setValidatorAddress()`

No option to change validator address without also transferring unstakings, leads to lost rewards when a validator has taken more than 300 unstakings (even if through normal usage)

Everyone can open or close positions from user

FootiumPrizeDistributor should use SafeERC20 functions

Manipulate Allocations from game using flashloans

rebalanceBasket can be called before settleRewardsInt to maximize rewards

Incorrect Validation in addToTotalRewards() leads to rewards wrongly getting calculated

Permanent frezzing of Atomic bounty with broken ERC20/ERC721