Factory `create_pool` Allows Spoofing of `creator` Parameter, Risking Frontend Attribution
A security issue in the Factory contract allows an authorized user to spoof pool ownership, creating a risk of misattribution on the frontend dashboard. The `create_pool` function accepts an arbitrary address as the `creator` parameter, which is then broadcast in an event. This means the recorded creator is not necessarily the authenticated initiator of the transaction, but simply a caller-supplied value.
The core problem is that authorization is decoupled from attribution. Whitelisted relay addresses, which are authorized to call the function, can specify any address as the `creator`, whether maliciously or by accident. This is not a direct smart contract vulnerability affecting funds or logic, but it directly impacts the project's indexing and social proof systems: the frontend UI relies on these events to attribute newly created pools to users, and that trust mechanism is compromised.
This misattribution risk undermines the integrity of the user-facing dashboard, where social proof and accurate ownership records are critical. The proposed fix is to enforce a strict link between the caller and the creator, either by requiring `caller == creator` for whitelisted addresses or by mandating `creator.require_auth()`. Without this change, the system's external representation of ownership remains manipulable, creating a vector for confusion and potential reputational damage within the community.
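As an added illustration, not the project's contract code, the following self-contained Rust model places the spoofable `create_pool` beside a checked variant that applies the proposed fix. The on-chain address type is modelled as a plain string and `creator.require_auth()` as membership in a set of addresses that signed the invocation; both are assumptions of this model, as are the names used.

```rust
use std::collections::HashSet;

// Stand-in for the on-chain address type (assumption: the real contract uses
// the SDK's Address and `creator.require_auth()`; this model is for illustration).
type Address = String;

#[derive(Debug, Clone, PartialEq)]
pub struct PoolCreated { pub pool_id: u32, pub creator: Address }

#[derive(Debug, PartialEq)]
pub enum PoolError { NotWhitelisted, CreatorNotAuthenticated }

/// Minimal factory model: a relay whitelist plus the event log the frontend indexes.
pub struct Factory { whitelist: HashSet<Address>, pub events: Vec<PoolCreated> }

impl Factory {
    pub fn new(relays: &[&str]) -> Self {
        Factory { whitelist: relays.iter().map(|r| r.to_string()).collect(), events: Vec::new() }
    }

    // Emits the event the dashboard indexes; whatever lands in `creator` is what users see.
    fn emit(&mut self, creator: &str) -> u32 {
        let pool_id = self.events.len() as u32;
        self.events.push(PoolCreated { pool_id, creator: creator.to_string() });
        pool_id
    }

    /// Behaviour described above: `creator` is recorded exactly as supplied, so a
    /// whitelisted relay can attribute the pool to any address it likes.
    pub fn create_pool_spoofable(&mut self, caller: &str, creator: &str) -> Result<u32, PoolError> {
        if !self.whitelist.contains(caller) { return Err(PoolError::NotWhitelisted); }
        Ok(self.emit(creator))
    }

    /// Hardened variant: attribution is tied to authentication. `signers` models the
    /// addresses that authorized this invocation (what `require_auth` would verify).
    /// The creator must be the relay itself (caller == creator) or must have signed.
    pub fn create_pool_checked(&mut self, caller: &str, creator: &str, signers: &HashSet<Address>)
        -> Result<u32, PoolError> {
        if !self.whitelist.contains(caller) { return Err(PoolError::NotWhitelisted); }
        if caller != creator && !signers.contains(creator) {
            return Err(PoolError::CreatorNotAuthenticated);
        }
        Ok(self.emit(creator))
    }
}

fn main() {
    let mut factory = Factory::new(&["relay1"]);
    println!("spoofable: {:?}", factory.create_pool_spoofable("relay1", "other_user"));
    println!("checked:   {:?}", factory.create_pool_checked("relay1", "other_user", &HashSet::new()));
}
```

The first call records `other_user` as creator although that address never authorized anything; the checked variant refuses unless the relay attributes the pool to itself or `other_user` is among the signers.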