BuilderWallet `init()` is unprotected/re-initializable, enabling takeover and theft of builder fees

Self-settlement via `dispatchFrom` bypasses refund mechanism allowing underfunded debt settlement

Withdrawing just before a bad debt event can increase losses for remaining liquidity providers

`dispatchFrom()` Liveness DoS via `StaleOracle`: Spot Price Manipulation Blocks Liquidations, Force Exercises, and Premium Settlements

Commission Share-Burn Distribution is JIT-Capturable When `builderCode == 0` (Default)

Borrower can extract unbacked Coin at the expense of the protocol

A single borrower being written off will create unbacked stablecoins for all users

Duplicate tranche tracking enables share-price inflation and owner withdrawal abuse.

Missing tranche update in extendDeposit causes underpriced shares.

Uniswap V3 liquidity operations lack slippage protection

Oracle APY sanity check weakens over time and stops protecting against price manipulation

Removing a reward token doesn’t reset state and later re-adding lets late stakers steal historical rewards

Malicious callers can throttle USDC/USDT/WBTC rewards by spamming getRewardFor.

Removing only the tail order from a limit does not reduce tree size, allowing order book to grow indefinitely

Anyone can DOS handleReallocation over and over

#Collateral level Inflation vulnerability

Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win