This came up during the audt:

https://github.com/Cyfrin/audit-2025-12-statusl2/issues/1

TLDR:

• StakeVault.initialize() allows for creating vaults for other users
• Malicious users can create many vaults for a victim and DDOS them

We need to ensure that nobody can set anyone else as the owner of a vault.