code-423n4 / 2021-12-amun-findings

`callFacet` is based on unprotected calls #252

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

0x0x0x

Vulnerability details

callFacet is based on unprotected calls and user funds can get stolen using them. This is unsafe for users and at least this risk has to be better documented.

loki-sama commented 2 years ago

So maybe it needs to be documented better. But that is the intended behavior.

0xleastwood commented 2 years ago

As external calls are only initiated by an account satisfying the protectedCall modifier, it doesn't seem like this would be an issue. As the sponsor has pointed out, this is intended behaviour by the contract.