Owner can use fake staking pool to steal all NXM in vault

Tokens from arNXM vault are charged admin fee

maxDeposit() and maxMint() does not check for totalSupply <= MAX_SHARES

Missing slippage protection in provide liquidity means no way to protect against price fluctuation.

Attacker can exploit thin liquidity in xyk pool to save on fees.

Protocol loses out on fees when swapping via unbalanced deposits

Attacker can exercise option tokens to repeatedly relock victim's lp tokens.

User loses unclaimed rewards when merging tokens.

Voting power does not decay when calculating shares of flow emissions if the user does not vote again.