`removeTokenIdAtIndex` lets owner remove active staking NFTs from accounting to mint underpriced shares and drain the vault

Duplicate tranche entries let owner over-withdraw vault assets

`stNXM::extendDeposit` removes stake from accounting

Uniswap TWAP oracle bricks Morpho market when pool keeps default observation cardinality

Oracle Data Corruption via Storage Key Collision

Router does not check if Exact Out Single Swap was partial leading to unexpected results for the users

Seller pays for buyerFeeRate inside of `MarketController::_executeTokenSwap` instead of buyer

`FeeWalker::up` will undercalculate `compoundingLiq` by a factor of `key.width()` for all unvisited nodes

Inconsistent high tick exclusivity between `WalkerLib::modify` and `PoolWalker::settle` resulting in inconsistent updates and settles

`TimedAdmin` implemented in `Diamond` is broken for `acceptOwnership` resulting in ownership not being able to be transferred

`NFTManager::_generateMetadata` and `NFTManager::_generateSVG` retrieves asset data from NFTManager storage instead of Diamond storage resulting in DoS of `NFTManager::tokenURI` calls

Arbitrary transfer from in public function `Payment::payWithERC20` allows an attacker to steal approved funds