Asset confusion in `withdrawToNativeChain` allows swapping unauthorized funds

`GatewayCrossChain::claimRefund` allows anyone to steal Solana refunds

`GatewaySend::onRevert` fails to handle refunds for native gas tokens

`GatewayTransferNative::_doMixSwap` reverts when swapping from native gas token in `GatewayTransferNative::withdrawToNativeChain`

Attacker can overwrite legitimate refundsInfo by triggering `GatewayCrossChain::onRevert`

`GatewayCrossChain::claimRefund` sends refunded BTC to bitcoin address on ZetaChain, instead of a legitimate ZetaChain address.

`GatewaySend::_handleERC20Deposit`approve` will revert for non-standard ERC20 tokens like USDT.

VaultE4626Impl::commit causes over-withdrawal of tokens during rehypothecation

Fee from Vaults are absorbed by Protocol instead of User

RAACNFT mint function receives funds to address(this) but has no way of withdrawing them

RToken's transfer function lead to loss of funds due to incorrect math

Users can borrow more assets than they have deposited as collateral

NFTs Get Permanently Locked in Stability Pool After Liquidation

Any attempt to liquidate a user will fail, because StabilityPool does not hold crvUSD during operational lifecycle

Treasury Balance Tracking Bypass in FeeCollector

Attackers can double voting power and veToken amount by locking and increasing

Liquidation Cannot Be Closed Even With Healthy Position Due To Strict Debt Check

LendingPool.getUserDebt returns outdated value and can lead to liquidation failure

Emergency revoke in RAACReleaseOrchestrator will freeze revoked RAAC tokens in orchestrator

Wrong access control in `RAACToken::setFeeCollector`, `RAACToken::setSwapTaxRate`, `RAACToken::setBurnTaxRate`

`RAACReleaseOrchestrator::emergencyRevoke()` fails to update `categoryUsed`, leading to token lockup and incorrect accounting

Proposal Front-Running via Predictable Salt in `TimelockController::scheduleBatch`

StabilityVault can be drained of RTokens when LendingPool reserve.liquidityIndex >= 2 RAY

Emergency Timelock Bypass: No Enforced 1-Day Delay for Emergency Actions

`FeeCollector::updateFeeType` wrong fee share validation leads to impossible update for some fee types

Invalid Calls and Reverts Due to Trailing Zeros in FeeConversionKeeper’s Upkeep Data

BalancerRouter retains unused assets from maxAmountsIn, potentially causing user fund losses

Pool uses incorrect `currentPeriod` in `transferReserveToAuction(uint256 amount)`