Inconsistent access control design allows unrestricted price feed creation #12

@niccolo-3sigma

Description

The ERC4626PriceFeedFactory::createPriceFeed function creates clones of the price feed implementation and stores them in the priceFeedsByVault mapping without any restrictions. While the function validates that the vault address is not zero, it does not restrict who can call it or which vaults can have price feeds created for them. The contract imports Ownable, but the onlyOwner modifier is not used, resulting in inconsistent access control design.

function createPriceFeed(address vault, string memory description) external returns (address priceFeed) {
    require(vault != address(0), "zero vault address");

    priceFeed = implementation.clone();
    ERC4626PriceFeed(priceFeed).initialize(vault, description);
    priceFeedsByVault[vault].push(priceFeed);

    emit PriceFeedCreated(vault, priceFeed);
}

This design allows malicious actors to spam the factory with useless price feed creations, bloating the priceFeedsByVault mapping with potentially misleading or unnecessary entries.

Recommendation

Add the onlyOwner modifier to the createPriceFeed function to restrict price feed creation to the contract owner. If the lack of access control is intentional, consider removing the Ownable import to avoid confusion and make the design choice explicit.
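
The recommendation applied to a minimal factory, as an added example that is not the project's own code. It assumes OpenZeppelin Contracts v5 for Ownable and Clones; PriceFeedStub, RestrictedPriceFeedFactory, the constructor parameters and the event's indexed fields are hypothetical stand-ins.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5 (Ownable takes the initial owner in its constructor).
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";

// Hypothetical stand-in for the project's ERC4626PriceFeed; only initialize() matters here.
contract PriceFeedStub {
    address public vault;
    string public description;
    bool private initialized;

    function initialize(address vault_, string memory description_) external {
        require(!initialized, "already initialized");
        initialized = true;
        vault = vault_;
        description = description_;
    }
}

contract RestrictedPriceFeedFactory is Ownable {
    using Clones for address;

    address public immutable implementation;
    mapping(address => address[]) public priceFeedsByVault;

    event PriceFeedCreated(address indexed vault, address indexed priceFeed);

    constructor(address implementation_, address owner_) Ownable(owner_) {
        require(implementation_ != address(0), "zero implementation");
        implementation = implementation_;
    }

    // onlyOwner: a call from any other account reverts with
    // OwnableUnauthorizedAccount(caller), so priceFeedsByVault only ever
    // holds feeds the owner chose to create.
    function createPriceFeed(address vault, string memory description)
        external
        onlyOwner
        returns (address priceFeed)
    {
        require(vault != address(0), "zero vault address");

        priceFeed = implementation.clone();
        PriceFeedStub(priceFeed).initialize(vault, description);
        priceFeedsByVault[vault].push(priceFeed);

        emit PriceFeedCreated(vault, priceFeed);
    }
}
```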

Labels: Impact: None (issue of NONE impact); Status: Acknowledged (issue is valid but won't be fixed in code); Type: Suggestion (suggestion made by the team to improve protocol)
