The absence of proper access control in the `updateDownsideProtected` function exposes the protocol to potential malicious actions.

Malicious Actors Can Exploit Incorrect USDa-USDT Price in redeemUSDT Function to Drain Funds

Incorrect Update of `calculateCumulativeRate` in `_withdraw` Results in Erroneous Interest Calculation

`marketfunds ` are wrongly updated in `buyVote` function

Fees are also applied to the refund amount during the process of buying votes.

rounding error due to internal accounting and can steal some portion of the first depositors funds