simon135 - owner can create projects for other product coordinator

[sherlock-admin]

simon135

medium

owner can create projects for other product coordinator

Summary

the 0 productOwner/owner can front run/backrun and create projects for other product owners causing their incentive project to be closed/lost

Vulnerability Detail

steps:

1. coordinator 1 makes tx to create a project with 30,000 usdc

2. owner(coordinator (0) makes tx to back runs the project but with ProgramInfo.amount=0 and funds will stuck for long period of time or forever

   Impact

   the owner can cause a loss of funds for the real owner of the coordinator

   Code Snippet

   // @audit here is the check that should be removed 
   if (programInfo.coordinatorId != 0 && programInfo.coordinatorId != _controller.coordinatorFor(product))
           revert IncentivizerNotAllowedError(product);
       if (active(product) >= _controller.programsPerProduct())
           revert IncentivizerTooManyProgramsError();
       ProgramInfoLib.validate(programInfo);
   
       // Take fee
       UFixed18 programTotal = programInfo.amount.sum();
       UFixed18 programFeeAmount = programInfo.deductFee(_controller.incentivizationFee());
       fees[programInfo.token] = fees[programInfo.token].add(programFeeAmount);
   
       // Register program
       programId = _products[product].register(programInfo);
   
       // Charge creator
   // @audit This should be zero but we increase the same project with 1000 years in the future
       programInfo.token.pull(msg.sender, programTotal);

   Tool used

Manual Review

Recommendation

remove the check that allows coordinator(0) to run create for other products coordinators