RAACNFT mint function receives funds to address(this) but has no way of withdrawing them

Reward manipulation vulnerability in StabilityPool

Users can borrow more assets than they have deposited as collateral

NFTs Get Permanently Locked in Stability Pool After Liquidation

Any attempt to liquidate a user will fail, because StabilityPool does not hold crvUSD during operational lifecycle

Double Usage Index Scaling in StabilityPool Liquidation Inflates Required CRVUSD Balance

Untracked Direct Fee Transfers from RAACToken to FeeCollector Break Fee Distribution System

RToken.transferFrom() Does Not Scale User Balances Due to Stale Liquidity Index

Users Can Lose Funds and Collateral by Repaying Loans After Liquidation Grace Period Expiry

There is no logic checking for RAACNFT price staleness before minting it

Treasury Contract Deposit Function Can Be Frontrun To Deny Protocol Operations

Liquidations are enabled when repayments are disabled, causing borrowers to lose funds without a chance to repay

Emergency revoke in RAACReleaseOrchestrator will freeze revoked RAAC tokens in orchestrator

Multiple Token Management Lets Withdraw a Token Different than Deposited Token

Flawed Boost Multiplier Calculation Always Yields Maximum Boost

balanceOf(address(this)) in StabilityPool causes reward distribution to be higher than it should be

The earned yield from the Curve vault can never be utilized when withdrawing or borrowing

closeLiquidation within LendingPool does not allow partial repayments, which can cause massive losses to users within edge case

Incorrect Timestamp Tracking in RAACHousePrice contract

Incorrect `AutoDeleverageFactor`.

Unable to swap USD token to collateral for vaults in credit

not adding `claimable` balance to the total assets in `_harvestAndReport` can cause losses.