Front-running the create campaign making users overpay on fees

[hats-bug-reporter[bot]]

Github username: @skypper Twitter username: tudoratu Submission hash (on-chain): 0x0c4f668567bc6045f828f9c0ea56129743e2a4d14a6db4f85399a45bd0abcd62 Severity: medium

Description: Description\ Let's say a user (i.e. a campaign owner) intends to create a new campaign with a single asset and deposit up-front the total amount of 100 WETH.

Let's assume the user must pay a procotol fee of 1% (1 WETH) on creation, which is an amount that the campaign owner accepts.

A malicious owner notices the create campaign transaction and the owner can front-run the original transaction by calling setGlobalFee or setSpecificFee and set the highest fee possible of 10%, effectively stealing 9 WETH.

The likelihood of this issue is very low, however the severity is medium.

Attack Scenario

1. User submits a submits a transaction to create a campaign.
2. The owner front-runs the transaction by setting the highest fee.

[luzzif]

This is related to centralization risks of the solution, which are out of scope for the audit. In that sense the owner is fully trusted.