Incorrect withdraw queue balance in TVL calculation

DOS of `completeQueuedWithdrawal` when ERC20 buffer is filled

Hijacking of node operators minipool causes loss of staked funds

Division by zero error can block RewardsPool#startRewardCycle if all multisig wallet are disabled.

selfdestruct may cause the funds to be lost

`LPDA` price can underflow the price due to bad settings and potentially brick the contract

`saleReceiver` and `feeReceiver` can steal refunds after sale has ended

Use of `payable.transfer()` Might Render ETH Impossible to Withdraw

Loss of vested amounts

Supply cap of VariableSupplyERC20Token is not properly enforced

Can Recover Gobblers Burnt In Legendary Mint

Incorrect handling of pricefeed.decimals()

Griefing attack on the Vaults is possible, withdrawing the winning side stakes

A proposal can be cancelled by anyone if the proposal has exactly proposalThreshold votes

Highest bid in first auction can get irretreivably stuck in the protocol

A proposal can pass with 0 votes in favor at early DAO stages

Auction parameters can be changed during ongoing auction

Consistently check account balance before and after transfers for Fee-On-Transfer discrepancies

Malicious user can populate `rewards` array with tokens of their interest reaching limits of `MAX_REWARD_TOKENS`

BathToken LPs Unable To Receive Bonus Token Due To Lack Of Wallet Setter Method

Strategists can take more rewards than they should using the function strategistBootyClaim().

Missing checks allow strategists to steal all fund via `tailOff`

Admin rug vectors

Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`

RubiconMarketAddress in BathPair can't be updated

BathBuddy locks up Ether it receives

Decimal token underflow could produce loose of funds

`_decimalMultiplier` doesn't account for tokens with decimals higher than 18

`call()` should be used instead of `transfer()` on an `address payable`

Liquidations can be run on the bogus Oracle prices

Manipulations of setFee

fees can be any amount

[WP-H0] `DEFAULT_ADMIN_ROLE` of `BribeVault` can steal tokens from users' wallets

`NestedFactory` does not track operators properly

Owner can steal input tokens

[WP-H3] `saleRecipient` can rug buyers

Shelter `claimed` mapping is set with `_to` address and not `msg.sender`

[WP-H2] `ConvexStakingWrapper#deposit()` depositors may lose their funds when the `_amount` is huge

Deposits after the grace period should not be allowed

StakingRewards.recoverERC20 allows owner to rug the `rewardsToken`

[ConcurRewardPool] Possible reentrancy when claiming rewards

Access restrictions on `NotionalV1ToNotionalV2.notionalCallback` can be bypassed

`sNOTE.sol#_mintFromAssets()` Lack of slippage control

Usage of deprecated ChainLink API in `EIP1271Wallet`

Lack of access control on `assertGovernanceApproved` can cause funds to be locked

updateYieldStrategy will freeze some funds with the old Strategy if yieldStrategy fails to withdraw all the funds because of liquidity issues

Index compensate is 0 when totalLiquidity() is enough to cover the whole amount

Vaults with non-UST underlying asset vulnerable to flash loan attack on curve pool

Check _to is not empty

Missing access restriction on `lockUnits/unlockUnits`

convert collects funds even when minting is disabled

Unrestricted vestFor

Unused slippage params

Incorrect operator used in deploySynth() of Pools.sol

Completed proposals can be voted on and executed again

Handle transfers of different ERC20 tokens

Copy-paste bug leading to incorrect harvest rewards in Vault.sol

Unbounded loop in TwapOracle.update can result in oracle being locked

VaderPoolV2.mintFungible exposes users to unlimited slippage

An attacker can cause an overflow in the flashLoan function

Missing nonReentrant in swapTo

A vault can be locked from MarketplaceZap and StakingZap

function receiveNFTs does not check if amount > 0

Randomization of NFTs returned in redeem/swap operations can be brute-forced

mintRequests can remain 0 when the token is erc721

Return variable can remain unassigned in _sendForReceiver

Function `joinTokenSingle` in `SingleTokenJoin.sol` and `SingleTokenJoinV2.sol` can be made to fail

Malicious tickets can lead to the loss of all tokens

Backdated _startTimestamp can lead to loss of funds

recoverTokens doesn't work when isSale is true

Tokens can be stolen when `depositToken == rewardToken`

Frontrunning in UniswapHandler calls to UniswapV2Router

Support of different ERC20 tokens

OZ ERC1155Supply vulnerability

Timelock and events for governor functions

Cached version of ovl may be outdated

Improper Upper Bound Definition on the Fee

`NestedFactory` does not track operators properly

Missing access restriction on `lockUnits/unlockUnits`

convert collects funds even when minting is disabled

Unrestricted vestFor

Unused slippage params

Incorrect operator used in deploySynth() of Pools.sol

Completed proposals can be voted on and executed again

Handle transfers of different ERC20 tokens

Copy-paste bug leading to incorrect harvest rewards in Vault.sol

Unbounded loop in TwapOracle.update can result in oracle being locked

VaderPoolV2.mintFungible exposes users to unlimited slippage

Unable to claim vesting due to unbounded timelock loop

Claim airdrop repeatedly

Overwrite benRevocable

NFT flashloans can bypass sale constraints

Unchecked transfers

No Transfer Ownership Pattern

`ReferralFeePoolV0.sol#claimRewardAsMochi()` Array out of bound exception

Swap.sol implements potentially dangerous transfer

Incorrect data location specifier can be abused to cause DoS and fund loss

`Basket.sol#mint()` Malfunction due to extra `nonReentrant` modifier

Validations

createBasket re-entrancy

Malicious owner can drain the market at any time using SafetyWithdraw

No check transferFrom() return value

`ConcentratedLiquidityPoolManager`'s incentives can be stolen

Burning does not update reserves

Wrong usage of `positionId` in `ConcentratedLiquidityPoolManager`

Incentive should check that it hasn't started yet

`TridentNFT.permit` should always check `recoveredAddress != 0`

Unsafe handling of underlying tokens

Previously created markets can be overwritten

_wethWithdrawTo is vulnerable re-entrancy

Incorrect data location specifier can be abused to cause DoS and fund loss

`Basket.sol#mint()` Malfunction due to extra `nonReentrant` modifier

Validations

createBasket re-entrancy

Unsafe cast in IndexPool mint leads to attack

No bar fees for IndexPools?

Access restrictions on `NotionalV1ToNotionalV2.notionalCallback` can be bypassed

`sNOTE.sol#_mintFromAssets()` Lack of slippage control

Usage of deprecated ChainLink API in `EIP1271Wallet`

Sum of validator powers should always be no less than the threshold

latestMarket used where marketIndex should have been used

`redeemToken` can fail for certain tokens

Use of safeApprove will always cause approveMax to revert

updateYieldStrategy will freeze some funds with the old Strategy if yieldStrategy fails to withdraw all the funds because of liquidity issues

activeTransactionBlocks are vulnerable to DDoS attacks

Approval is not reset if the call to IFulfillHelper fails

Router liquidity on receiving chain can be double-dipped by the user

Anyone can arbitrarily add router liquidity

_wethWithdrawTo is vulnerable re-entrancy

Incorrect use of operator leads to arbitrary minting of GVT tokens

Safe addresses can only be added but not removed

Malicious owner can drain the market at any time using SafetyWithdraw

No check transferFrom() return value

safeApprove() for Yearn Vault may revert preventing deposits causing DoS

Unchecked ERC20 transfers can cause lock up

anyone can call function sponsor

Missing balancedBooks modifier could result in failed system insolvency detection

minRentalDayDivisor can be different between markets and treasury

RCFactory.createMarket() does not enforce _timestamps[1] and _timestamps[2] being larger than _timestamps[0], even though proper functioning requires them to be so

`Withdrawable.withdraw` does not decrease `pendingWithdrawals`

Incorrect use of _addTribute instead of _addGovernanceTribute

Should check return data from Chainlink aggregators

Unbounded loop in `_removeNft` could lead to a griefing/DOS attack

Approval for NFT transfers is not removed after transfer

An attacker can cause an overflow in the flashLoan function

Missing nonReentrant in swapTo

A vault can be locked from MarketplaceZap and StakingZap

function receiveNFTs does not check if amount > 0

Randomization of NFTs returned in redeem/swap operations can be brute-forced

mintRequests can remain 0 when the token is erc721

Return variable can remain unassigned in _sendForReceiver

function tokenByIndex treats last index as invalid

uint(-1) index for not found

Missing access restriction on `lockUnits/unlockUnits`

convert collects funds even when minting is disabled

Unrestricted vestFor

Unused slippage params

Incorrect operator used in deploySynth() of Pools.sol

Completed proposals can be voted on and executed again

Handle transfers of different ERC20 tokens

Copy-paste bug leading to incorrect harvest rewards in Vault.sol

Unbounded loop in TwapOracle.update can result in oracle being locked

VaderPoolV2.mintFungible exposes users to unlimited slippage