Cross-Chain Signature Replay Attack Due to User-Supplied `domainSeparator` and Missing Deadline Check

Lack of deadline check in forwarded request

Single plot can be occupied by multiple renters

Failure to Update Dirty Flag in transferToUnoccupiedPlot Prevents Reward Accumulation On Valid Plot

[H-01] Miscalculation in `_farmPlots` function could lead to a user unable to unstake all NFTs

Users can farm on zero-tax land if the landlord locked tokens before the LandManager deployment

Loss of rewards due to rounding when the reward token has low decimals (wbtc)

DoS on deposits when the underlying market is highly utilized

Users can vote with expired MLUM staking positions

Attacker can block all votes to a specific pool by triggering an overflow error

Attacker can block others from offering bribes

First Depositor Attack

Bad debt isn't cleared when `earningsAccumulator` is lower than a fixed-pool bad debt

Fixed interest rates can be manipulated by a whale borrower

Theft of unassigned earnings from a fixed pool

DoS on liquidations when utilization rate is high

Manipulation of the floating debt by updating `floatingBackupBorrowed`

Large amount of points can STILL be minted without any cost

Attacker can steal LPs funds by using different oracle prices in the same transaction

Inability to liquidate whitelisted makers will cause bad debt on the protocol

Attacker can sandwich its own position settlement on `SpotHedgeBaseMaker` to get a better price and have instant profits

Missing Access Control for `trackVaultFee` Leading to a DoS in Trading Operations

Vault Inflation Attack

Permanent lock of all funds when the funding fees are bigger than total margin

Attacker can steal funds due to settling PnL with wrong price on a liquidation

Users can avoid paying trade fees on limit orders

Inability to Liquidate Certain Positions Due to Erroneous Stable Collateral Update

First Depositor of Stable Collateral will cause a System-Wide Denial of Service

Users Can Exceed Maximum Skew Due to Unsettled PnL

Whitelised accounts can be forcefully DoSed from buying curveTokens during the presale

Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`

Unauthorized Access to setCurves Function

Protocol and referral fee would be permanently stuck in the Curves contract when selling a token

onBalanceChange causes previously unclaimed rewards to be cleared

Withdrawing with amount = 0 will forcefully set name and symbol to default and disable some functions for token subject

Theft of holder fees when `holderFeePercent` was positive and is set to zero

The userGaugeProfitIndex is not set correctly, allowing an attacker to receive rewards without waiting

Users staking via the `SurplusGuildMinter` can be immediately slashed when staking into a gauge that had previously incurred a loss

Wrong ProfitManager in GuildToken, will always revert for other types of gauges leading to bad debt

`totalBorrowedCredit` can revert, breaking gauges.

Inability to offboard term twice in a 7-day period may lead to bad debt to the market

Incorrect calculations in debtCeiling

LendingTerm::debtCeiling() can return wrong debt as the min() is evaluated incorrectly

Incorrect implementation of `BPF` leads to kicker losing rewards in a `take` action

Function `_indexOf` will cause a settlement to revert if `auctionPrice > MAX_PRICE`

Incorrect decimal usage in score calculation leads to reduced user reward earnings

Prime.sol - User can claim Prime token without having any staked XVS, because his `stakedAt` isn't reset whenever he is issued an irrevocable token.

Lack of sequencer uptime check when getting oracle data for Arbitrum or Optimism

Lack of checks to avoid stale prices from Chainlink oracle

Unchecked Return Values in ERC20 Transfer Function

FootiumAcademy allows clubs to mint one extra player each season

Can't pause or remove a minter

No slippage control when minting and redeeming FPS