Dispute initiation can always be frontrunned by the buyer
Summary
A dispute can be initiated either by the seller or the buyer. Dispute can only be called in Created state. But the state can be immediately changed to Confirmed by the buyer, not allowing the seller to dispute anything.
Vulnerability Details
Because there is no delay between creating the Escrow contract and being able to call confirmReceipt, the buyer can immediately change the state to Confirmed and transfer the tokens to the seller. What this means is that a dispute initiation by the seller can always be frontrunned by the buyer.
Seller calls
initiateDisputeBuyer sees tx in the mempool and frontruns it with
confirmReceiptThe
initiateDisputewill fail because we're no longer in theCreatedstate.
Impact
The buyer can ALWAYS frontrun an initiateDispute by the seller. This renders the capacity of the seller calling initiateDispute useless, since it only succeeds if the buyer actually wants it (i.e. doesn't frontrun it).
Tools Used
Manual review.
Recommendations
There should be a time separation either between Escrow contract creation and confirmReceipt, or some other thing that essentially provides power for the seller to actually dispute something even if the buyer doesn't want it.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.