CodeHawks Escrow Contract - Competition Details

Summary

Unrestricted Buyer's Control on i_arbiterFee Hinders Seller's Dispute Initiatives and disincentivize Seller from initialing dispute.

Vulnerability Details

While deploying a new Escrow account, the value of arbiterFee is controlled by the Protocol (Buyer).

Link to code

The only condition for fee is that it should not be more than the total price of the Audit.

Also, whenever the state of the contract goes into Disputed state, Arbiter is guaranteed to be getting that fee because of the following line.

Link to code

So now consider the following situation:

1. Protocol makes the Escrow account with price = 1000 USDC and i_arbiterFee = 500 USDC.

2. Now, if in case the initiateDispute is called by anyone, the maximum final payout to be received by Auditor will be less than or equal to 500 USDC.

To visualize the impact for price = 1000 USDC :

Given this situation, Buyer is incentivized to put i_arbiterFee higher to have more power than seller and disincentive seller from calling initiateDispute as seller will lose majority of the price to arbiter only in case seller chooses to go that path which you can see in the table above.

Impact

Despite Buyer not confirming the Receipt and releasing the payment for longer duration, the Seller will be hesitated to initiateDispute because of losing the majority of his funds to arbiter. And eventually even if seller indeed go that route, Seller will lose majority of his/her funds for his/her honest work.

Tools Used

Manual Review

Recommendations

I would recommend to put a Cap on the Maximum Percentage of value (5%, 10% or max 20%) a Buyer can put as i_arbiterFee.