I agree with Vod's questions.
2 might be an even greater problem. Without a pre-existing whitelist or something like that, what's stopping me from creating a random ERC-20 token and including it in a smart contract? In the end, I might receive something that is not useless?