underflow on liquidity withdrawal #1593

Open
hexyls opened this issue Feb 1, 2021 · 1 comment

Comments

Contributor

hexyls commented Feb 1, 2021

There is something a bit odd going on with the market called “WETH market” / 0xb4277c368b817db02bab8b684c9bfe10200461f7 on Rinkeby. Not sure yet, but please avoid interacting with it for now so the state stays the same for more testing.

Potentially there is an issue in the FixedProductMarketMaker contracts where withdrawFees can error out with an underflow, preventing liquidity withdrawal (removeFunding -> _burn -> _beforeTokenTransfer -> withdrawFees btw).

Contributor Author

hexyls commented Feb 2, 2021

Steps to reproduce on Rinkeby:

  1. Create a standard Yes / No Categorical market with 1 Dai funding
  2. Switch to a different account
  3. Buy 1 Dai worth of Yes tokens
  4. Fund the market with 1 Dai
  5. Buy another 1 Dai worth of Yes tokens
  6. Withdraw 0.001 pool tokens
  7. Try to withdraw any amount of the remaining pool tokens and it will fail

You can confirm the overflow by plugging the market address into https://rinkeby.etherscan.io/ and calling feesWithdrawableBy with your CPK address; it should display: “Error: Returned error: execution reverted: SafeMath: subtraction overflow”

How does this happen

Basically, if there are no buys/sells between liquidity withdrawals, the calculation for a user's fees can be slightly lower than at the time of the last withdrawal. This can cause an underflow when the previously claimed, higher fee amounts are subtracted from new lower fee amounts.

What we should do

Overall I think this bug is pretty low risk, but it is good to know about. It can lock user funds, but not indefinitely, and simply buying/selling on the market will allow for liquidity to be withdrawn. Contracts should be fixed, and if we need to we can force users to withdraw all their liquidity at once to reduce the chances of this happening.
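The rounding drift described under "How does this happen", as an added Python model that is not the FixedProductMarketMaker source and not code from this issue. It assumes pro-rata fee accounting with floor division; the class, `add_fee`, and the account names and amounts are hypothetical.

```python
class SubtractionOverflow(Exception):
    """Stands in for the 'SafeMath: subtraction overflow' revert quoted above."""

def safe_sub(a, b):
    if b > a:
        raise SubtractionOverflow(f"{a} - {b}")
    return a - b

class FeePoolModel:
    """Assumed accounting: each share is a floor-divided slice of the fee pool."""
    def __init__(self):
        self.fee_pool = 0      # fees attributed to the pool, in base units
        self.total_supply = 0  # pool tokens in existence
        self.balance = {}      # pool tokens per account
        self.withdrawn = {}    # fees already credited per account

    def add_funding(self, who, shares):  # simplified: call before fees accrue
        self.balance[who] = self.balance.get(who, 0) + shares
        self.withdrawn.setdefault(who, 0)
        self.total_supply += shares

    def add_fee(self, amount):  # what a buy or sell contributes to the pool
        self.fee_pool += amount

    def fees_withdrawable_by(self, who):
        raw = self.fee_pool * self.balance[who] // self.total_supply
        return safe_sub(raw, self.withdrawn[who])  # fails if raw shrank

    def remove_funding(self, who, shares):
        # withdrawFees step: credit everything currently owed to the account
        self.withdrawn[who] += self.fees_withdrawable_by(who)
        # the burned shares' slice is floored on its own, so the remainder
        # recorded as withdrawn can exceed the next pro-rata result
        moved = self.fee_pool * shares // self.total_supply
        self.withdrawn[who] = safe_sub(self.withdrawn[who], moved)
        self.fee_pool -= moved
        self.balance[who] -= shares
        self.total_supply -= shares

def demo():
    # Constructed scenario: two providers with 2 shares each, 6 units of fees.
    m = FeePoolModel()
    m.add_funding("lp_a", 2)
    m.add_funding("lp_b", 2)
    m.add_fee(6)
    m.remove_funding("lp_a", 1)      # partial withdrawal succeeds
    stuck = False
    try:
        m.remove_funding("lp_a", 1)  # no trades since: raw 1 < withdrawn 2
    except SubtractionOverflow:
        stuck = True
    m.add_fee(1)                     # one trade's fee lifts raw back to 2
    m.remove_funding("lp_a", 1)
    return stuck, m.balance["lp_a"]
```

In this model, removing both of `lp_a`'s shares in one call never hits the failing subtraction, which matches the withdraw-all-at-once workaround suggested in the comment.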
