Missing token whitelist validation in ACTION_CUSTOM path
The ACTION_CUSTOM path in ManagementAccount::executeServiceAction does not validate whether involved tokens are whitelisted in the TokenWhitelistRegistry. While standard actions (deposit, withdraw, borrow, repay) explicitly check token whitelist status, custom actions bypass this validation:

function executeServiceAction(
    address service,
    string calldata action,
    bytes calldata params
)
    external
    override
    onlyOwner
    nonReentrant
    returns (bytes[] memory results)
{
    [...]
    if (actionHash == ACTION_DEPOSIT) {
        (address asset, uint256 amount, bool isCollateral) = abi.decode(params, (address, uint256, bool));
!       if (!_tokenWhitelistRegistry().isTokenWhitelisted(asset)) {
            revert ManagementAccountErrors.TokenNotWhitelisted(asset);
        }
        calls = IService(service).buildDeposit(asset, amount, isCollateral);
    }
    [...]
    else if (actionHash == ACTION_CUSTOM) {
!       calls = IService(service).buildCustom(params);
    }
    [...]
}

The responsibility for token validation is delegated to the service's buildCustom implementation. As of the time of writing, MorphoService::buildCustom returns an empty call array, and the protocol does not use custom actions. However, if future services implement buildCustom functionality, they should ensure proper token whitelist validation to maintain consistent security controls across all action types.
We recommend documenting in the IService interface that buildCustom implementations must validate token addresses against the whitelist registry if they involve token operations, ensuring consistent security guarantees across standard and custom actions.
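
A sketch of what this recommendation could look like in practice, added here as an illustration and not taken from the audited code base: the interface carries the requirement in NatSpec, and a hypothetical service enforces it for every token its custom action touches. The Call struct, IServiceCustom, ExampleSwapService, the router target, the params layout and the swap signature are all assumptions; only isTokenWhitelisted and TokenNotWhitelisted come from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface ITokenWhitelistRegistry {
    function isTokenWhitelisted(address token) external view returns (bool);
}

// Hypothetical call shape; the real return type of buildCustom is not shown in the report.
struct Call {
    address target;
    bytes data;
}

interface IServiceCustom {
    /// @notice Builds the calls for a custom action.
    /// @dev Implementations MUST revert if any token address decoded from
    ///      `params` is not whitelisted in the TokenWhitelistRegistry.
    function buildCustom(bytes calldata params) external view returns (Call[] memory calls);
}

// Hypothetical service whose custom action involves two tokens.
contract ExampleSwapService is IServiceCustom {
    error TokenNotWhitelisted(address token);

    ITokenWhitelistRegistry public immutable registry;
    address public immutable router; // assumed swap target, for illustration only

    constructor(ITokenWhitelistRegistry registry_, address router_) {
        registry = registry_;
        router = router_;
    }

    function buildCustom(bytes calldata params) external view override returns (Call[] memory calls) {
        // Assumed params layout: (tokenIn, tokenOut, amountIn)
        (address tokenIn, address tokenOut, uint256 amountIn) =
            abi.decode(params, (address, address, uint256));
        // Check every token the action touches, not only the input side.
        _requireWhitelisted(tokenIn);
        _requireWhitelisted(tokenOut);

        calls = new Call[](1);
        calls[0] = Call(router, abi.encodeWithSignature(
            "swap(address,address,uint256)", tokenIn, tokenOut, amountIn));
    }

    function _requireWhitelisted(address token) private view {
        if (!registry.isTokenWhitelisted(token)) revert TokenNotWhitelisted(token);
    }
}
```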