The _doSherX function does not attempt to pay off the accrued premiums ("pay off debt") for most tokens, only for the ones that would otherwise revert the tx:
    // Expensive operation, only execute to prevent tx reverts
    if (amounts[i] > ps.sherXUnderlying) {
        LibPool.payOffDebtAll(tokens[i]);
    }
The amounts = LibSherX.calcUnderlying(totalSherX) array is an optimistic view assuming all outstanding, accrued premiums would indeed be paid until now.
However, it could be that a protocol does not have enough balance to pay out these premiums and updating the state using LibPool.payOffDebtAll(tokens[i]); would fail for a token.
An inflated amount is then paid out to the user based on the optimistic calcUnderlying call.
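The gap between the optimistic view and what a pool can actually collect can be checked with a small single-token model. This is an added example, not Sherlock's code: the `Protocol` and `Pool` classes, the per-block premium accrual, the pro-rata payout and all numbers are assumptions made for illustration; only the guard condition mirrors the snippet above.

```python
from dataclasses import dataclass

@dataclass
class Protocol:
    balance: int            # tokens the protocol deposited to cover premiums
    premium_per_block: int  # premium it owes per block (assumed accrual model)

@dataclass
class Pool:
    sherx_underlying: int   # tokens already booked as SherX backing
    protocols: list
    blocks_since_payoff: int

    def accrued(self):
        """Premium owed by each protocol since the last pay-off (not yet collected)."""
        return [p.premium_per_block * self.blocks_since_payoff for p in self.protocols]

    def optimistic_underlying(self):
        """Model of the optimistic view: every accrued premium is assumed paid."""
        return self.sherx_underlying + sum(self.accrued())

    def collectible_underlying(self):
        """Each accrued premium is capped by what the protocol can actually pay."""
        paid = sum(min(owed, p.balance) for owed, p in zip(self.accrued(), self.protocols))
        return self.sherx_underlying + paid

def payout(pool_total, sherx_amount, sherx_supply):
    """Pro-rata share of the pool for the SherX being processed (assumed formula)."""
    return pool_total * sherx_amount // sherx_supply

def check_redeem(pool, sherx_amount, sherx_supply):
    """Return (optimistic amount, collectible amount, whether the guard would settle debt)."""
    optimistic = payout(pool.optimistic_underlying(), sherx_amount, sherx_supply)
    backed = payout(pool.collectible_underlying(), sherx_amount, sherx_supply)
    guard_fires = optimistic > pool.sherx_underlying  # same comparison as the snippet above
    return optimistic, backed, guard_fires

def constructed_pool(b_balance):
    """Constructed sample: protocol B owes 200 in premiums but holds only b_balance."""
    a = Protocol(balance=500, premium_per_block=1)
    b = Protocol(balance=b_balance, premium_per_block=2)
    return Pool(sherx_underlying=1000, protocols=[a, b], blocks_since_payoff=100)

if __name__ == "__main__":
    optimistic, backed, guard = check_redeem(constructed_pool(20), 100, 1000)
    print(f"optimistic={optimistic} collectible={backed} guard_fires={guard}")
```

In the constructed case the guard does not fire, so no debt is settled and the optimistic amount exceeds the collectible one; an invariant test that compares the two values for every token would flag this state.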
Handle
cmichel