`_doSherX` optimistically assumes premiums will be paid

[code423n4]

Handle

cmichel

Vulnerability details

The _doSherX function does not attempt to pay off the accrued premiums ("pay off debt") for most tokens, only for the ones that would otherwise revert the tx:

// Expensive operation, only execute to prevent tx reverts
if (amounts[i] > ps.sherXUnderlying) {
  LibPool.payOffDebtAll(tokens[i]);
}

The amounts = LibSherX.calcUnderlying(totalSherX) array is an optimistic view assuming all outstanding, accrued premiums would indeed be paid until now. However, it could be that a protocol does not have enough balance to pay out these premiums and updating the state using LibPool.payOffDebtAll(tokens[i]); would fail for a token.

An inflated amount is then paid out to the user based on the optimistic calcUnderlying call.

[Evert0x]

Fair point, the protocol is optimistic the protocols can payoff their debt.