MoneyMarket normal-supply withdraw clamps only the raw burn, but withdraws the user-requested token amount from Liquidity -> attacker drains pooled funds

LiquidityLayer failure credits stored balance under `to_`, but stored balances are spendable only by `msg.sender` (callback caller) -> EOA recipients payout becomes unclaimable

D3 liquidation uses manipulable DexV2 spot price to weight liquidation penalty, letting liquidators seize extra collateral

`removeTokenIdAtIndex` lets owner remove active staking NFTs from accounting to mint underpriced shares and drain the vault

Duplicate tranche entries let owner over-withdraw vault assets

`stNXM::extendDeposit` removes stake from accounting

Uniswap TWAP oracle bricks Morpho market when pool keeps default observation cardinality

Seller pays for buyerFeeRate inside of `MarketController::_executeTokenSwap` instead of buyer

`FeeWalker::up` will undercalculate `compoundingLiq` by a factor of `key.width()` for all unvisited nodes

Inconsistent high tick exclusivity between `WalkerLib::modify` and `PoolWalker::settle` resulting in inconsistent updates and settles

`TimedAdmin` implemented in `Diamond` is broken for `acceptOwnership` resulting in ownership not being able to be transferred

`NFTManager::_generateMetadata` and `NFTManager::_generateSVG` retrieves asset data from NFTManager storage instead of Diamond storage resulting in DoS of `NFTManager::tokenURI` calls

Arbitrary transfer from in public function `Payment::payWithERC20` allows an attacker to steal approved funds