`removeTokenIdAtIndex` lets owner remove active staking NFTs from accounting to mint underpriced shares and drain the vault

Duplicate tranche entries let owner over-withdraw vault assets

`stNXM::extendDeposit` removes stake from accounting

Uniswap TWAP oracle bricks Morpho market when pool keeps default observation cardinality

Seller pays for buyerFeeRate inside of `MarketController::_executeTokenSwap` instead of buyer

`FeeWalker::up` will undercalculate `compoundingLiq` by a factor of `key.width()` for all unvisited nodes

Inconsistent high tick exclusivity between `WalkerLib::modify` and `PoolWalker::settle` resulting in inconsistent updates and settles

`TimedAdmin` implemented in `Diamond` is broken for `acceptOwnership` resulting in ownership not being able to be transferred

`NFTManager::_generateMetadata` and `NFTManager::_generateSVG` retrieves asset data from NFTManager storage instead of Diamond storage resulting in DoS of `NFTManager::tokenURI` calls

Arbitrary transfer from in public function `Payment::payWithERC20` allows an attacker to steal approved funds