Summary

All the funds can be freezed in the contract in a particular case.

Vulnerability Details

Consider the following scenario:

1. A Protocol made a new escrow account with token as USDC and kept an address as arbiter with fees = let's say x USDC which is obviously greater than zero.

2. There arise a situation, where due to conflict, anyone among buyer or seller called initiateDispute.

3. Now, in case i_arbiter is an address which gets added in blocklist of USDC for some reason, then:

Link to code

because of the above lines, i_arbiterFee will be always greater than zero and as the arbiter is in blocklist, the function will always revert and there is no way to take the funds out as both i_arbiter and i_arbiterFee are immutable and can't be changed in any case.

This way entire funds will be freezed in the contract forever.

Impact

• Likelihood: While it is important to consider that the Escrow account will most of the time handle stablecoins like USDT or USDC which have blocklist behaviour, So this issue will always remain a possibility, But with a very low likelihood of occurrence.

• Impact: Impact of this situation will be quite high as entire funds will be stuck in the contract forever.

Giving it medium severity because of High Impact and Low Likelihood.

Tools Used

Manual Review

Recommendations

2 Possible options I can think of.. Add a function with onlyArbiter access allowing it to either:

1. Change the arbiter address.

2. Only Decrease the i_arbiterFee amount.

As the second option will deincentivize arbiter, I feel first option will be more appropriate.