Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

Griefing risk in `mint`

Multiple accounts can have the same identity

NFT creator sales revenue recipients can steal gas

User may get all of the creator fees by specifying high number for himself

Possible to bypass saleConfig.limitPerAccount

Any fractions deposited into any proposal can be stolen at any time until it is commited

Fund will be stuck if a buyout is started while there are pending migration proposals

Steal NFTs from a Vault, and ETH + Fractional tokens from users.

Division rounding can make fraction-price lower than intended (down to zero)

Cash-out from a successful buyout allows an attacker to drain Ether from the `Buyout` contract

An attacker can DoS vault's buyout with as little as 1 wei per 4 days

Order duration can be set to 0 by Malicious maker

Options with a small strike price will round down to 0 and can prevent assets to be withdrawn

Putty position tokens may be minted to non ERC721 receivers

ERC5095 redeem/withdraw does not update allowances

Incorrect implementation of APWine and Tempus `redeem`

Able to mint any amount of PT

Illuminate PT redeeming allows for burning from other accounts

[H-05] Not minting iPTs for lenders in several lend functions

Centralisation Risk: Admin Can Change Important Variables To Steal Funds

Missing Complication check in `takeMultipleOneOrders`

Malicious governance can use `updateWethTranferGas` to steal WETH from buyers

Maker order buyer is forced to reimburse the gas cost at any `tx.gasprice`

Protocol fee rate can be arbitrarily modified by the owner and the new rate will apply to all existing orders

Single Error Within SponsorVault Contract Could Cause Entire Cross-Chain Communication To Break Down

`LibDiamond.diamondCut()` should check `diamondStorage().acceptanceTimes[keccak256(abi.encode(_diamondCut))] != 0`

Diamond upgrade proposition can be falsified

Potential DoS when removing keeper gauge

Not updating `totalWeight` when operator is removed in `VeTokenMinter`

Governance can arbitrarily burn VeToken from any address

Ineffective ReserveRatio Enforcement

BathToken LPs Unable To Receive Bonus Token Due To Lack Of Wallet Setter Method

Attacker Could Steal Almost All The Bonus Token In BathBuddy Vesting Wallet

Strategists can't be removed

RubiconRouter: Excess ether did not return to the user

No cap on fees can result in a DOS in BathToken.withdraw()

Missing checks allow strategists to steal all fund via `tailOff`

Outstanding Amount Of A Pool Reduced Although Tokens Are Not Repaid

Admin rug vectors

Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`

Use `call()` instead of `transfer()` when transferring ETH in RubiconRouter

Use safeTransferFrom instead of transferFrom for ERC721 transfers

Owner can modify the feeRate on existing vaults and steal the strike value on exercise

Owner can set the feeRate to be greater than 100% and cause all future calls to `exercise` to revert

Vault is Not Compatible with Fee Tokens and Vaults with Such Tokens Could Be Exploited

Malicious token reward could disable withdrawals

Contract may not have enough fund to cover refund

ERC777 tokens can bypass `depositCap` guard

`_decimalMultiplier` doesn't account for tokens with decimals higher than 18

`getNewCurrentFees` reverts when `minFeePercentage` > `feeRatio`

Inconsistency between constructor and setting method for slippageTolerance

StakedCitadel doesn't use correct balance for internal accounting

Funding.deposit() doesn't work if there is no discount set

Reliance on lifiData.receivingAssetId can cause loss of funds

Reputation Risks with `contractOwner`

Incompatibility With Rebasing/Deflationary/Inflationary token

An offer made after auction end can be stolen by an auction winner

A vault can be locked from MarketplaceZap and StakingZap

Use safeTransfer instead of transfer