Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
View results
Submission Details
Severity: low
Valid

Whitelisted tokens can´t be removed once added.

Summary

Once token addresses have been added to the whitelistedTokens mapping, they can´t be removed from there.

Vulnerability Details

Adding tokens in the constructor during the contract setup requires careful attention by the deployer, however it doesn´t guarantee that no mistakes can occur.
The addresses are added as an array, therefore consider a typo or adding a wrong address.
What if a token itself has some vulnerabilities and loses value?
Tokens are still smart contracts at the end.

I don´t see a reason why there is no implementation of a function which can unlist tokens. As already described even a token to be considered fine a small typo can lead to redeployment of the entire ProxyFactory. However I consider it as medium severity, because tokens are prone to price changes and issues which might pose financial risks for their users. Therefore it is the admin role to help protect and secure the protocol.

Consider also the risk of a dishonest admin adding a malicious token. If control is later handed to a trustworthy admin, the problematic token remains. Therefore now the malicious admin can rug pull that token and lead to massive losses for the users. More important the new admin will not be able to do anything, that can seriously affect the reputation of the project.

Impact

Financial lost for users

Tools Used

Manual review

Recommendations

Add a function where the admin can remove whitelisted tokens, and ideally add after deployment as well.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.