Defaulted debt in Idle CDO is not handled correctly, can lead to incorrect accounting

Unauthorized Reallocation in `NudgeCampaign::handleReallocation` and Reward Disruption Vulnerability in `NudgeCampaign::invalidateParticipations`

`payWithERC20` can be used in a malicious way to steal funds

Staking reward rate can be diluted indefinitely by a malicious actor

Improper Transfer Restrictions on Non-Bridged Tokens Due to Boolean Bridged Token Tracking, Allowing a DoS Attack Vector

Wrong refundExecutionFee in _handleReturn

Loss of fee refund due to premature state deletion in `PerpetualVault::_handleReturn` function

Functions that rely on chainlink prices cannot be queried on avalanche due to sequencer uptime check.

RToken's transfer function lead to loss of funds due to incorrect math

NFTs Get Permanently Locked in Stability Pool After Liquidation

Inconsistent Scaling in RToken Transfer Functions

Cordinated group of attacker can artificially lower quorum threshold during active proposals forcing malicious proposals to pass without true majority support.

Compound debt is only applied to the latest user's borrowing

Incorrect Initialization of minBoost in BaseGauge Constructor Breaks Core Contract Functionality

The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0, this can cause potential loss for the new depositors

A successful auction can never be ended

Balancer LP tokens can be lost under some conditions in `joinBalancerAndPredeposit`

Some coupon tokens will never be claimed and stuck in contract

`Auction::totalSellReserveAmount` counts for fees when ending auction when it shouldn't

Old router retains token allowance after update

Incorrect accounting of `marketFunds` in `ReputationMarket::buyVotes`

Claim signature can be used by anyone, makes frontrunning and stealing funds possible

A compromised address can still interact with the protocol

`V2AMO` is not compatiable with Aerodrome gauges

Impossible to clawback incentives due to `onlyOwner` modifier

The protocol is not compatible with FOT tokens

The protocol is not compatible with abstract wallets

`FjordAuction` incorrect `block.timestamp` check allows users to bid after calling `auctionEnd` to claim more tokens than they should

`WinnablesTicketManager::cancelRaffle` lacks access control, can result DoS and LINK token loss

When raffles are cancelled in `WinnablesTicketManager`, `_lockedETH` is not updated correspondingly

Incorrect set up and logic of `referralInfoMap` in `SystemConfig::updateReferrerInfo` function

Unnecessary balance checks and precision issues in TokenManager::_transfer

The maximum number of generations is infinite

Wrong minting logic based on total token count across generations

`Golden God` Tokens can be minted twice per generation

User may lose funds when creating Nexus account or executing user operations

Incompatibility with Multisig Wallets in `TempleGold::send` Function

Not upadting `_totalAuctionTokenAllocation` when removing last auction config at cooldown leads to wrong accounting of `_totalAuctionTokenAllocation` and permanent lock of auction tokens

Availability of deposit invariant can be bypassed

`liquidateDefaultedLoanWithIncentive` does not send collaterals to function caller

Collection referrer fees are sent to the wrong address in `FeeManager.sol`

`Edition.mintBatch` allows anyone to mint multiple works at the price of one

Fee manager doesn't verify msg.value and may lead to multiple problems

One of the `Edition.mintBatch` function will always revert

Some info is not updated if a work gets tranferred

Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults

When APR late rate is lower than APR, an OCC locker bullet loan borrower can pay way less interests by calling the loan

A malicious attacker can brick the pair permanently and make `takeOverPool` function useless.

User's delegate line in veMento is not updated when user withdraws

Any fee claim lesser than the total `yieldFeeBalance` as unit of shares is lost and locked in the `PrizeVault` contract

DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed.

Adversary can prevent updating price feed addresses by creating poisonous proposals ending in `_confirm`

Whitelised accounts can be forcefully DoSed from buying curveTokens during the presale

Unauthorized Access to setCurves Function

Withdrawing with amount = 0 will forcefully set name and symbol to default and disable some functions for token subject

Rewards can be drained because of lack of access control

Anyone can call the burn function in SmartVaultV3.sol

CultureIndex.sol#dropTopVotedPiece() - Malicious user can manipulate topVotedPiece to DoS the whole CultureIndex and AuctionHouse

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

Attacker can reenter to mint all the collection supply

Malicious/Compromised organiser can reclaw all funds, stealing work from supporters

Centralization Risk for trusted organizers