Category: Business Logic

Missing validation check in proxyCall filter can allow dangerous calls

Low Severity
Low Impact
Low Likelihood

Description

The proxyCall function has checks to ensure no calls made to it result in a decrease of capital. However, it has incomplete checks to ensure there are no calls made that could result in a future decrease of capital. For example, it currently includes a filter for approve but none for newer functions like increaseAllowance.

Impact

The proxyCall function can only be called by the sandwich bot. In the case of a compromise or a security incident involving keys, the lack of the requisite checks could result in a loss of funds.

Recommendations

We recommend adding a check for the increaseAllowance function selector. The use of an adjustable white list or black list to control allowed functions would provide additional flexibility for unforeseen risky functions. The management of the white list/black list should be delegated to another administrative account to limit centralization risk.
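The following is an added illustration of the finding and the recommendation above; it is not Resonate's or Revest's code. It contrasts a proxyCall filter that hard-codes a single selector check for approve (so increaseAllowance passes through and can still grant a spender allowance over the contract's tokens) with a version that keeps an adjustable selector blocklist, seeded with both selectors at deployment, and administered by a separate list-admin role rather than by the bot. The contract names, the bot and listAdmin roles, and the minimal IERC20 interface (increaseAllowance is the OpenZeppelin extension, not part of the ERC-20 standard) are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

// Minimal interface used only to derive function selectors (assumption).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function increaseAllowance(address spender, uint256 added) external returns (bool);
}

// Pattern from the finding: a single hard-coded selector check.
contract VulnerableProxyCall {
    address public immutable bot;

    constructor(address _bot) { bot = _bot; }

    function proxyCall(address target, bytes calldata data) external returns (bytes memory) {
        require(msg.sender == bot, "not bot");
        require(data.length >= 4, "short calldata");
        bytes4 selector = bytes4(data[:4]);
        // Only approve(address,uint256) is rejected. increaseAllowance(address,uint256)
        // has a different selector and therefore passes this filter unchanged.
        require(selector != IERC20.approve.selector, "approve blocked");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// Pattern from the recommendation: an adjustable blocklist managed by a separate role.
contract HardenedProxyCall {
    address public immutable bot;
    address public immutable listAdmin;       // distinct from the bot; manages the list
    mapping(bytes4 => bool) public blocked;   // selector -> is it rejected by proxyCall

    event SelectorBlocked(bytes4 indexed selector, bool isBlocked);

    constructor(address _bot, address _listAdmin) {
        bot = _bot;
        listAdmin = _listAdmin;
        // Seed the list with both allowance-granting selectors at deployment time.
        blocked[IERC20.approve.selector] = true;
        blocked[IERC20.increaseAllowance.selector] = true;
    }

    // Only the list admin can add or remove selectors, so a compromised bot key
    // cannot widen its own set of permitted calls.
    function setBlocked(bytes4 selector, bool isBlocked) external {
        require(msg.sender == listAdmin, "not list admin");
        blocked[selector] = isBlocked;
        emit SelectorBlocked(selector, isBlocked);
    }

    function proxyCall(address target, bytes calldata data) external returns (bytes memory) {
        require(msg.sender == bot, "not bot");
        require(data.length >= 4, "short calldata");
        bytes4 selector = bytes4(data[:4]);
        require(!blocked[selector], "selector blocked");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

The blocklist shape mirrors the finding's wording; an allowlist built the same way (reject any selector not explicitly enabled) is the safer default when the set of calls the bot legitimately needs is small and known, since a function added to a token later is denied rather than permitted by omission.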

Remediation

Revest has indicated this will be resolved at deployment time by modifying the deployment script to include the increaseAllowance function signature.

Zellic © 2024