Once token addresses have been added to the whitelistedTokens mapping, they can't be removed from it.
Adding tokens in the constructor during contract setup requires careful attention from the deployer, but that doesn't guarantee that no mistakes can occur.
The addresses are added as an array, so consider the case of a typo or a wrong address being added.
What if a token itself has some vulnerabilities and loses value?
Tokens are still smart contracts in the end.
I don't see a reason why there is no implementation of a function which can unlist tokens. As already described, even for a token considered to be fine, a small typo can lead to redeployment of the entire ProxyFactory. However, I consider it as medium severity, because tokens are prone to price changes and issues which might pose financial risks for their users. Therefore it is the admin's role to help protect and secure the protocol.
Consider also the risk of a dishonest admin adding a malicious token. If control is later handed to a trustworthy admin, the problematic token remains. The malicious admin can then rug pull that token, leading to massive losses for the users. More importantly, the new admin will not be able to do anything about it, which can seriously affect the reputation of the project.
Financial loss for users
Manual review
Add a function that lets the admin remove whitelisted tokens, and ideally add tokens after deployment as well.
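A sketch of the recommended change, added here as an example and not taken from the audited ProxyFactory. The contract name, the inline owner check, the error and event names, and the function names are all assumptions; only the whitelistedTokens mapping and the constructor array come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added illustration only: a minimal stand-in, not the audited ProxyFactory.
contract TokenWhitelistSketch {
    error NotOwner();
    error ZeroAddress();
    error NoStateChange();

    /// Emitted on every listing change so off-chain monitoring can track it.
    event TokenWhitelistUpdated(address indexed token, bool allowed);

    // Assumption: a single admin address; ownership transfer is omitted here.
    address public owner;
    mapping(address => bool) public whitelistedTokens;

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Same setup path the finding describes: tokens passed in as an array.
    /// A duplicate entry reverts deployment instead of passing silently.
    constructor(address[] memory tokens) {
        owner = msg.sender;
        for (uint256 i = 0; i < tokens.length; ++i) {
            _setToken(tokens[i], true);
        }
    }

    /// Lets the admin list a token after deployment.
    function addToken(address token) external onlyOwner {
        _setToken(token, true);
    }

    /// Lets the admin unlist a mistyped, compromised or malicious token.
    function removeToken(address token) external onlyOwner {
        _setToken(token, false);
    }

    function _setToken(address token, bool allowed) private {
        if (token == address(0)) revert ZeroAddress();
        // Reject no-op calls so every emitted event reflects a real change.
        if (whitelistedTokens[token] == allowed) revert NoStateChange();
        whitelistedTokens[token] = allowed;
        emit TokenWhitelistUpdated(token, allowed);
    }
}
```

Unlisting only helps if every code path that accepts a token reads whitelistedTokens at the time of use, not a value cached earlier.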