Invalid DISPUTED_L2_BLOCK_NUMBER is passed to VM

Honest party's move could become invalid when re-org takes place

In some cases, proper CLOCK_EXTENTSION time cannot be ensured to generate the initial instruciton trace

Attacker can continuously create games for not yet safe l2 blocks to prevent the update of anchor state

Edge from dishonest challenge edge tree can inherit timer from honest tree allowing confirmation of incorrect assertion

Adversary can make honest parties unable to retrieve their assertion stakes if the required amount is decreased

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

Attacker can reenter to mint all the collection supply

On a Linear or Exponential Descending Sale Model, a user that mint on the last `block.timestamp` mint at an unexpected price.

Artist signatures can be forged to impersonate the artist behind a collection

When price is within within position's range, `deposit` at TokenisableRange can cause loss of fund

Resetting delegation will result in user funds being lost forever

depositWithPermit and mintWithPermit are allowed to be called by permit creator only

Number of prize tiers always increases if just 1 canary prize is claimed

`drawManager` CAN BE SET TO A MALICIOUS ADDRESS

[HF06] `BaseTOFT.sol`: `retrieveFromStrategy` can be used to manipulate other user's positions due to absent approval check.

[HF08] `BaseTOFTLeverageModule.sol`: `leverageDownInternal` tries to burn tokens from wrong address

Incorrect formula used in function `Market.computeClosingFactor()`

Refund mechanism for failed cross-chain transactions does not work

Ability to steal user funds and increase collateral share infinitely in BigBang and Singularity

The BigBang contract take more fees than it should

`BaseTOFTSTrategyModule.strategyWithdraw()` cross chain call will fail due to missing approvals

User could be forced to withdraw more amount than desired when calling `retrieveFromStrategy`

`multiHopSell` and `multiHopBuy` can be frontrunned with high slippage tolerance

The twTAP multiplier can be compromised with manipulated deposits of low value cost and high duration

SGLLendingCommon.sol: The totalBorrowCap validation is incorrect

LlamaPolicy could be DOS by creating large amount of actions.

Ulysses omnichain - RetrieveDeposit might never be able to Trigger the Fallback function

`UlyssesToken` asset ID accounting error

Malicious user can set any contract as local hToken for an underlying since there is no access control for "_addLocalToken"

Attacker can redeposit gas after "forceRevert()" to freeze all deposited gas budget of Root Bridge Agent

Missing unwrapping of native token in RootBridgeAgent.sweep() causes fees to be stuck

User can bypass bandwidth limit by repeatedly "balancing" the pool

Attacker can exploit "deposit" to drain Ulysess Liquidity Pool

Reentrancy attack possible on `RootBridgeAgent.retrySettlement()` with missing access control for `RootBridgeAgentFactory.createBridgeAgent()`

User underpay for the remote call execution gas on root chain

Attacker can steal Accumulated Awards from RootBridgeAgent by abusing retrySettlement()

`RootBridgeAgent->CheckParamsLib#checkParams` does not check that `_dParams.token` is underlying of `_dParams.hToken`

Due to inadequate checks, Adversary can call `BranchBridgeAgent#retrieveDeposit` with an invalid `_depositNonce`, which would lead to loss of other users' deposit.

Use of slot0 to get sqrtPriceLimitX96 can lead to price manipulation.

Cross-chain messaging via Anycall will fail

Incorrect accounting logic for fallback gas will lead to insolvency

User can "callOutSigned" without paying for gas by reentering "anyExecute" with virtual account

RestakeToken function is not permissionless

deposit gas through depositGasAnycallConfig should not withdraw the nativeToken

`RootBridgeAgent.redeemSettlement` can be front-run using `RootBridgeAgent.retrySettlement` causing redeem DoS

Exchange Rate can be manipulated

_ensureMaxLoops causes liquidateAccount to fail in certain condition

liquidateAccount will fail if transaction is not included in current block

User can exponentially increase the value of their position through the memorializePositions function