`ExecuteDepositUtils.getAdjustedLongAndShortTokenAmounts()` Will Always Fail

`getAdjustedLongAndShortTokenAmounts()` Incorrectly Calculates Amounts

`reclaimContract()` Can Be Called On Non-Existent Orders

Reentrancy in `withdrawToken()` May Delete The Next User's Balance

HIGH: Malicious Assets Can Be Added By Calling `removeLiquidity()` in SushiSwap

MED/HIGH: Blacklisting An Asset Prevents Liquidation

`acceptCounterOffer()` May Result In Both Orders Being Filled

`fillOrder()` and `exercise()` may lock Ether sent to the contract, forever

Malicious Token Contracts May Lead To Locking Orders

Overlap Between `ERC721.transferFrom()` and `ERC20.transferFrom()` Allows `order.erc20Assets` or `order.baseAsset` To Be ERC721 Rather Than ERC20

Allowance check always true in ERC5095 redeem

ERC5095 redeem/withdraw does not update allowances

Able to mint any amount of PT

Funds may be stuck when `redeeming` for Illuminate

[H-05] Not minting iPTs for lenders in several lend functions

Division Before Multiplication Can Lead To Zero Rounding Of Return Amount

Pendle Uses Wrong Return Value For `swapExactTokensForTokens()`

Swivel lend method doesn't pull protocol fee from user

Lend method signature for illuminate does not track the accumulated fee

sellPrincipalToken, buyPrincipalToken, sellUnderlying, buyUnderlying uses pool funds but pays msg.sender

`Lender.mint()` May Take The Illuminate PT As Input Which Will Transfer And Mint More Illuminate PT Cause an Infinite Supply

Centralisation Risk: Admin Can Change Important Variables To Steal Funds

Calls To `Swivel.initiate()` Do Not Verify `o.exit` or `o.vault` Allowing An Attacker To Manipulate Accounting In Their Favour

auraBAL can be stuck into the Strategy contract

Badger rewards from Hidden Hand can permanently prevent Strategy from receiving bribes

Duplicate LP token could lead to incorrect deposits

`VE3DRewardPool` and `VE3DLocker` adds to an unbounded array which may potentially lock all rewards in the contract

Misconfiguration of Fees Incentive Might Cause Tokens To Be Stuck In `Booster` Contract

Centralisation RIsk: `VoterProxy` owner may set the `operate` to an address they own and drain all token balances

User will lose funds

Integer overflow will lock all rewards in `AuraLocker`

Admin drains all ERC based user funds using withdrawERC20()

Splitter: Anyone can call incrementWindow to steal the tokens in the contract

CoreCollection can be reinitialized

ERC20 transferFrom return values not checked

DoS: `claimForAllWindows()` May Be Made Unusable By An Attacker

Centralisation RIsk: Owner Of `RoyaltyVault` Can Take All Funds

createProject can be frontrun

DoS: Attacker May Front-Run `createSplit()` With A `merkleRoot` Causing Future Transactions With The Same `merkleRoot` to Revert

Ineffective Handling of FoT or Rebasing Tokens

Fixed Amount of Gas Sent in Call May Be Insufficient

Reliance on lifiData.receivingAssetId can cause loss of funds

Swap functions are Reenterable

`AnyswapFacet` can be exploited to approve arbitrary tokens.

ERC20 bridging functions do not revert on non-zero msg.value

Reputation Risks with `contractOwner`

Anyone can get swaps for free given certain conditions in `swap`.

`msg.value` is Sent Multipletimes When Performing a Swap

Strategy Migration May Leave Tokens in the Old Strategy Impacting Share Calculations

`permitAndMulticall()` May Be Used to Steal Funds Or as a Denial Of Service if `_from` Is Not The Message Sender

Gas Pricing Can Be Used To Extort Funds From Users of SChain Owner

Centralisation Risk: Admin Role of `TokenManagerEth` can Rug Pull All Eth from the Bridge

Not compatible with Rebasing/Deflationary/Inflationary tokens

Schain owners can rug pull users' funds

denial fo service

ClearingHouse May Whitelist Duplicate AMMs

AMM Cannot Be `initialize()` Except By Governance

Users are able to front-run bad debt settlements to avoid insurance costs

Changing `bribeVault` in `RewardDistributor.sol` will Lock Current ETH Rewards

`ConvexStakingWrapper._calcRewardIntegral()` Can Be Manipulated To Steal Tokens From Other Pools

[WP-H8] `ConvexStakingWrapper.sol#_calcRewardIntegral` Wrong implementation can disrupt rewards calculation and distribution

`MasterChef.updatePool()` Fails To Update Reward Variables If `block.number >= endBlock`

[ConcurRewardPool] Possible reentrancy when claiming rewards

Loss Of Flash Governance Tokens If They Are Not Withdrawn Before The Next Request

Lack of access control on `assertGovernanceApproved` can cause funds to be locked

Calling `generateFLNQuote` twice in every block prevents any migration

You can flip governance decisions without extending vote duration

Reentrancy on Flash Governance Proposal Withdrawal

Burning a User's Tokens for a Flash Proposal will not Deduct Their Balance

Re-enterable Code When Making a Deposit to Stake

LP Tokens May Be Locked in Contract Due to `allowEmergencyWithdraw()` in Stage 3

Reenterancy in `_sendSherRewardsToOwner()`