code-423n4 / 2021-07-sherlock-findings


Single under-funded protocol can break paying off debt #119

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The SherXERC20.payOffDebtAll function iterates over all protocols of the token. If a single project does not have enough funds to cover the premium payments, the transactions come to a halt; see _payOffDebt:

debt = _accruedDebt(ps, _protocol, _blocks);
// this can revert tx
ps.protocolBalance[_protocol] = ps.protocolBalance[_protocol].sub(debt);

Impact

Many core functions require paying off debt first and can therefore revert when a single protocol cannot pay the token premium:

This scenario, in which a protocol is unable to pay a premium, does not seem unlikely, especially as there can be many protocols, and each protocol can pay premiums in potentially many tokens and has to continuously re-deposit to its account to increase the balance. It is also rather involved to remove the protocol's coverage and remove the premium payments for the token. It requires governance interaction and potentially paying for the accumulated debt themselves.

Evert0x commented 3 years ago

This was a design tradeoff. As governance, we can see it coming as the balance is slowly draining. But the fact that the protocols are able to withdraw the full amount at any time could surprise the governance (and make the reverts in the functions above happen).

We are thinking of adding a rule in withdrawProtocolBalance to only allow withdrawals with at least 2 days of remaining balance, allowing enough time for governance calls to remove the protocol.
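
The following sketch is an added example, not part of the thread and not Sherlock's code. It models the reverting pay-off loop from the finding next to the withdrawal rule proposed in the reply. The contract name, the `Account` layout, `addProtocol`, the use of ETH as the single premium asset, and the figure of roughly 6500 blocks per day are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: one premium asset (ETH); collected premium stays in the contract.
contract PremiumLedgerSketch {
    // Assumption: ~6500 blocks per day, so 2 days is about 13000 blocks.
    uint256 public constant MIN_RUNWAY_BLOCKS = 13000;

    struct Account {
        address agent;           // may withdraw on behalf of the protocol
        uint256 balance;         // prepaid premium
        uint256 premiumPerBlock; // premium owed per block
    }

    mapping(bytes32 => Account) public accounts;
    bytes32[] public protocols;
    uint256 public lastAccrued;  // block up to which debt has been paid off

    constructor() { lastAccrued = block.number; }

    // Governance-only in a real system; access control omitted in this sketch.
    function addProtocol(bytes32 id, address agent, uint256 premiumPerBlock) external payable {
        require(accounts[id].agent == address(0), "exists");
        payOffDebtAll(); // settle existing accounts before the set changes
        accounts[id] = Account(agent, msg.value, premiumPerBlock);
        protocols.push(id);
    }

    function payOffDebtAll() public {
        uint256 blocks = block.number - lastAccrued;
        for (uint256 i = 0; i < protocols.length; i++) {
            Account storage a = accounts[protocols[i]];
            // Checked subtraction (like SafeMath sub): a single under-funded
            // account reverts the whole loop and every caller that depends on it.
            a.balance -= a.premiumPerBlock * blocks;
        }
        lastAccrued = block.number;
    }

    function withdrawProtocolBalance(bytes32 id, uint256 amount) external {
        Account storage a = accounts[id];
        require(msg.sender == a.agent, "not agent");
        payOffDebtAll();
        require(amount <= a.balance, "insufficient balance");
        // Proposed rule: what is left behind must still cover 2 days of premium.
        require(a.balance - amount >= a.premiumPerBlock * MIN_RUNWAY_BLOCKS, "runway too short");
        a.balance -= amount; // effects before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The guard only bounds how quickly a withdrawal can empty an account; an account that drains through accrual alone still reverts `payOffDebtAll` once its balance falls below the accrued debt.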