Incorrect handling of pricefeed.decimals()

Griefing attack on the Vaults is possible, withdrawing the winning side stakes

Different Oracle issues can return outdated prices

Use can get unlimited votes

Creating a new governance proposal can be prevented by anyone

Founders can receive less tokens that expected

Truncation in casting can lead to a founder receiving all the base tokens

`Token:mint`: infinite loop if the founders' shares sum up to 100

Changing treasury owner through `transferOwnership()` can break `Governer.sol` and `Auction.sol`

Proposals can be bricked and Auctions stalled by bad settings

Index out of bounds error when properties length is more than attributes length breaks minting

ERROR IN UPDATING **_checkpoint** IN THE **increaseUnlockTime** FUNCTION

The current implementation of the VotingEscrow contract doesn't support fee on transfer tokens

Inconsistent logic of increase unlock time to the expired locks

`increaseUnlockTime` missing `_checkpoint` for delegated values

Attacker contract can avoid being blocked by BlockList.sol

Builder can halve the interest paid to a community owner due to arithmetic rounding

Project funds can be drained by reusing signatures, in some cases

Possible DOS in `lendToProject()` and `toggleLendingNeeded()` function because unbounded loop can run out of gas

Mismatch in `withdraw()` between Yearn and other protocols can prevent Users from redeeming zcTokens and permanently lock funds

Interface definition error

transfer() depends on gas consts

Migration can permanently fail if user specifies different lengths for `selectors` and `plugins`

Division rounding can make fraction-price lower than intended (down to zero)

An attacker can DoS vault's buyout with as little as 1 wei per 4 days

Delegate call in `Vault#_execute` can alter Vault's ownership

Use of `payable.transfer()` may lock user funds

`_harvest` has no slippage protection when swapping `auraBAL` for `AURA`

Badger rewards from Hidden Hand can permanently prevent Strategy from receiving bribes

Total Supply is not guaranteed and is not deterministic.

it's possible to initialize contract BkdLocker for multiple times by sending startBoost=0 and each time different values for other parameters

Users can claim extremely large rewards or lock rewards from LpGauge due to uninitialised `poolLastUpdate` variable

MerkleResistor: zero coinsPerSecond will brick tranche initialization and withdrawals

Lender is able to seize the collateral by changing the loan parameters

StakedCitadel: wrong setupVesting function name