Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`

Unauthorized Access to setCurves Function

onBalanceChange causes previously unclaimed rewards to be cleared

If a user sets their curve token symbol as the default one plus the next token counter instance it will render the whole default naming functionality obsolete

No slippage protection for Market functions

All tokens can be stolen from `VirtualAccount` due to missing access modifier

Incorrect `blocksPerYear` constant in `WhitepaperInterestRateModel`

[H1] Low data feed frequency from Tellor makes you protocol vulnerable to flash loan attacks

Owner can transfer all ERC20 reward token out using function recoverERC20

Centralization risk: admin have privileges: admin can set address to mint any amount of frxETH, can set any address as validator, and change important state in frxETHMinter and withdraw fund from frcETHMinter

frxETHMinter: Non-conforming ERC20 tokens not recoverable

Griefing attack on the Vaults is possible, withdrawing the winning side stakes

Founders can receive less tokens that expected

Truncation in casting can lead to a founder receiving all the base tokens

Unsafe usage of ERC20 transfer and transferFrom

NFT creator sales revenue recipients can steal gas

[H3] Persisted msg.value in a loop of delegate calls can be used to drain ETH from your proxy

Malicious targets can manipulate MIMOProxy permissions

It is possible to create fake ERC1155 NameWrapper token for subdomain, which is not owned by NameWrapper

Use of `payable.transfer()` may lock user funds

Use a safe transfer helper library for ERC20 transfers

`fillOrder()` and `exercise()` may lock Ether sent to the contract, forever

`_updateTwav()` and `_getTwav()` will revert when cumulativePrice overflows

Accumulated ETH fees of InfinityExchange cannot be retrieved

Malicious governance can use `updateWethTranferGas` to steal WETH from buyers

Protocol fee rate can be arbitrarily modified by the owner and the new rate will apply to all existing orders

Usage of deprecated transfer to send ETH

No cap on fees can result in a DOS in BathToken.withdraw()

Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`

The check for value transfer success is made after the return statement in _withdrawFromYieldPool of LidoVault

Use safeTransferFrom instead of transferFrom for ERC721 transfers

Owner can modify the feeRate on existing vaults and steal the strike value on exercise

safeTransferFrom is recommended instead of transfer (1)

Use of `.send()` May Revert if The Recipient's Fallback Function Consumes More Than 2300 Gas

Chainlink's latestRoundData might return stale or incorrect results

Chainlink pricer is using a deprecated API

STORAGE COLLISION BETWEEN PROXY AND IMPLEMENTATION (LACK EIP 1967)

WithdrawFacet's withdraw calls native payable.transfer, which can be unusable for DiamondStorage owner contract

A `pauser` can brick the contracts

Improper Upper Bound Definition on the Fee

[ConcurRewardPool] Possible reentrancy when claiming rewards