40,000 USDC
Submission Details
Severity: high

Dispute initiation can always be front-run by the buyer

Summary

A dispute can be initiated by either the seller or the buyer, but only while the contract is in the Created state. The buyer can immediately change the state to Confirmed, which prevents the seller from disputing anything.

Vulnerability Details

Because there is no delay between creating the Escrow contract and being able to call confirmReceipt, the buyer can immediately change the state to Confirmed and transfer the tokens to the seller. This means that a dispute initiation by the seller can always be front-run by the buyer:

  1. Seller calls initiateDispute

  2. Buyer sees tx in the mempool and frontruns it with confirmReceipt

  3. The initiateDispute call fails because the contract is no longer in the Created state.

Impact

The buyer can ALWAYS front-run an initiateDispute by the seller. This makes the seller's ability to call initiateDispute useless, since the call only succeeds if the buyer actually wants it to (i.e. doesn't front-run it).

Tools Used

Manual review.

Recommendations

There should be a time separation between Escrow contract creation and confirmReceipt, or some other mechanism that gives the seller the power to actually dispute something even if the buyer doesn't want it.
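One way to implement the time separation recommended above, as an added sketch that is not the audited Escrow contract's code. The contract, error and constant names, the Disputed state name and the 1-day window are assumptions; token transfers and dispute resolution are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added sketch with hypothetical names; not the audited Escrow contract.
contract EscrowWithDisputeWindow {
    enum State { Created, Confirmed, Disputed }

    error OnlyBuyer();
    error OnlyBuyerOrSeller();
    error InvalidState(State expected, State actual);
    error DisputeWindowOpen(uint256 confirmableAt);

    // Assumed value; the report does not specify how long the delay should be.
    uint256 public constant DISPUTE_WINDOW = 1 days;

    address public immutable buyer;
    address public immutable seller;
    uint256 public immutable createdAt;
    State public state; // defaults to State.Created

    constructor(address _buyer, address _seller) {
        buyer = _buyer;
        seller = _seller;
        createdAt = block.timestamp;
    }

    modifier inState(State expected) {
        if (state != expected) revert InvalidState(expected, state);
        _;
    }

    // Reverts until the window has elapsed, so a confirmReceipt ordered ahead
    // of a pending initiateDispute cannot move the state out of Created.
    function confirmReceipt() external inState(State.Created) {
        if (msg.sender != buyer) revert OnlyBuyer();
        uint256 confirmableAt = createdAt + DISPUTE_WINDOW;
        if (block.timestamp < confirmableAt) revert DisputeWindowOpen(confirmableAt);
        state = State.Confirmed;
        // Payout to the seller would happen here (omitted).
    }

    // Still limited to the Created state, as in the report. Inside the window
    // it no longer races confirmReceipt; after the window the race returns.
    function initiateDispute() external inState(State.Created) {
        if (msg.sender != buyer && msg.sender != seller) revert OnlyBuyerOrSeller();
        state = State.Disputed;
    }
}
```

The window only protects disputes submitted before it closes, so its length has to be chosen against how quickly a seller can realistically react.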
