Summary

Tokens such as USDC/USDT allows blacklisting of address. This prevents any transfer or receive on the blacklisted address. In the event a blacklist happen on the arbiter, even a trusted arbiter cannot resolve the dispute, and all assets will be stuck.

Vulnerability Details

Immutability can be a double edged sword here. While it fixes the amount of fees that arbiter can collect, the arbiter cannot choose to reject the fees. Once the contract is deployed with the necessary parameters such as i_arbiterFee, these values cannot be changed and the resolution of disputes will always attempt to transfer this fixed amount to the arbiter. A blacklisted arbiter will cause resolveDispute to always revert.

Even with the assumption of a trusted arbiter and an arbiter that is inherently trustable, the arbiter is forced to receive the arbiter fee. In the event that arbiter happens to have his address blacklisted during the dispute phase(note that this is out of his control), even a trusted arbiter cannot resolve dispute. This means that the dispute will never resolve and all assets will be stuck.

Impact

Considering that USDC/USDT is likely the most common tokens that are going to be used for the escrow contract, impact is high(loss of asset) with a low probability, I believe medium severity to be appropriate.

Tools Used

Manual Review

Recommendations

Consider introducing another parameter in resolveDispute that allows arbiter to choose the amount of fees they want to collect up to the maximum of i_arbiterFee.

This way, in the event of a blacklisted address, arbiter can still input 0 fees so that disputes can be resolved safely.