40,000 USDC
View results
Submission Details
Severity: gas
Valid

`tokenContract`is always an unsafe input, for fairness, it is recommended to add a whitelist for token

Summary

As the code comment says: @dev There is a risk that if a malicious token is used, the dispute process could be manipulated.

I do not agree to hand over the legitimacy and security of the tokenContract to msg.sender. So what should the protocol do to limit.
tokenContractis always an unsafe input, for fairness, it is recommended to add a whitelist for token

Vulnerability Details

https://github.com/Cyfrin/2023-07-escrow/blob/main/src/EscrowFactory.sol#L20

Impact

As the code comment says: @dev There is a risk that if a malicious token is used, the dispute process could be manipulated.

Tools Used

vs code

Recommendations

I think it's a design issue. tokenContractis always an unsafe input, for fairness, it is recommended to add a whitelist for token, and add a function to add token to whitelist by owner.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.