
can create infinite amount of payouts per claim #106

Open
rapidddenis opened this issue May 29, 2023 · 1 comment

Comments


rapidddenis commented May 29, 2023

In createPayout:

```solidity
function createPayout(
    bytes32 processId,
    uint256 claimId,
    uint256 payoutAmount,
    bytes calldata data
)
```

The implementation does not limit the number of payouts per claim, nor their cumulative payoutAmount.
In this situation it is possible to create any number of payouts with a cumulative payoutAmount exceeding claim.claimAmount and then process them. In this case claim.paidAmount > claim.claimAmount and the claim will refuse to close.
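The bound the report describes as missing, shown in a minimal illustrative contract that is not the project's code: each payout is counted against the claim while still pending, so the sum of paid and pending payouts can never exceed claimAmount (the names, and bounding by claimAmount rather than a separately confirmed amount, are assumptions made for the example).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contract, not the project's code. Pending payouts are reserved
// against the claim up front, so paidAmount <= claimAmount holds at all times.
contract BoundedPayouts {
    struct Claim {
        uint256 claimAmount;    // amount the claim was filed for
        uint256 paidAmount;     // sum of payouts already processed
        uint256 pendingAmount;  // sum of payouts created but not yet processed
        bool closed;
    }
    struct Payout {
        uint256 claimId;
        uint256 amount;
        bool paidOut;
    }
    mapping(uint256 => Claim) public claims;
    Payout[] public payouts;

    function createClaim(uint256 claimId, uint256 claimAmount) external {
        require(claimAmount > 0 && claims[claimId].claimAmount == 0, "bad claim");
        claims[claimId].claimAmount = claimAmount;
    }

    function createPayout(uint256 claimId, uint256 payoutAmount) external returns (uint256) {
        Claim storage c = claims[claimId];
        require(!c.closed && payoutAmount > 0, "closed claim or zero payout");
        // The check the issue reports as missing: paid + pending + this payout
        // must stay within the claim amount, so payouts per claim are bounded.
        require(c.paidAmount + c.pendingAmount + payoutAmount <= c.claimAmount, "payouts exceed claim");
        c.pendingAmount += payoutAmount;
        payouts.push(Payout(claimId, payoutAmount, false));
        return payouts.length - 1;
    }

    function processPayout(uint256 payoutId) external {
        Payout storage p = payouts[payoutId];
        require(!p.paidOut, "already paid out");
        Claim storage c = claims[p.claimId];
        p.paidOut = true;
        c.pendingAmount -= p.amount;
        c.paidAmount += p.amount;
        assert(c.paidAmount <= c.claimAmount); // invariant the reservation guarantees
    }

    function closeClaim(uint256 claimId) external {
        Claim storage c = claims[claimId];
        require(!c.closed && c.pendingAmount == 0, "pending payouts");
        c.closed = true; // cannot be stuck: overpayment is rejected at creation time
    }
}
```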

rapidddenis changed the title from "can create infinite amount of payouts per claim when claim.confirmedAmount > 0" to "can create infinite amount of payouts per claim" on May 29, 2023
matthiaszimmermann (Contributor) commented

True, this observation is also valid for createClaim: an arbitrary amount of claims can be created per policy.

We will need to consider if we want to limit these numbers. When we do, it would consume some additional gas which every user has to pay. When we keep the current state, it is either the product owner or the policy holder (depending on product implementation) who pays the gas for creating claims/payouts, which creates an incentive not to open an arbitrary amount of claims/payouts.

Let's consider the situation where the product owner pays the gas for creating claims/payouts. It is in the direct interest of the product owner to restrict these numbers, which will make the product owner implement the product in a way that implements these checks (with the benefit that only stakeholders of that product pay more for creating claims/payouts).

When the policy holder pays the gas for creating claims/payouts, the situation might be similar, as it is expensive for the policy holder to create claims/payouts. The product owner needs to decide if she/he feels comfortable with the situation or if restricting these numbers is an attack vector they don't want to live with.
