40,000 USDC
Submission Details
Severity: medium
Valid

`initiateDispute()` checks whether `i_arbiter == address(0)`, but the check is missing when the Escrow is created

Summary

`initiateDispute()` checks whether `i_arbiter == address(0)`, but no such check is made when the Escrow is created.
So when the sender forgets to add `i_arbiter` when creating the Escrow, buyers can only perform confirmations and cannot add disputes. I think this is unfair.

Vulnerability Details

https://github.com/Cyfrin/2023-07-escrow/blob/main/src/Escrow.sol#L103

As we can see, the constructor does not check `i_arbiter == address(0)` when the Escrow is created:

```solidity
constructor(
    uint256 price,
    IERC20 tokenContract,
    address buyer,
    address seller,
    address arbiter,
    uint256 arbiterFee
) {
    if (address(tokenContract) == address(0)) revert Escrow__TokenZeroAddress();
    if (buyer == address(0)) revert Escrow__BuyerZeroAddress();
    if (seller == address(0)) revert Escrow__SellerZeroAddress();
    if (arbiterFee >= price) revert Escrow__FeeExceedsPrice(price, arbiterFee);
    if (tokenContract.balanceOf(address(this)) < price) revert Escrow__MustDeployWithTokenBalance();
    i_price = price;
    i_tokenContract = tokenContract;
    i_buyer = buyer;
    i_seller = seller;
    i_arbiter = arbiter; //@audit
    i_arbiterFee = arbiterFee;
}
```

https://github.com/Cyfrin/2023-07-escrow/blob/main/src/Escrow.sol#L49

Impact

When the sender forgets to add `i_arbiter` when creating the Escrow, buyers can only perform confirmations and cannot add disputes. This is unfair.

Tools Used

VS Code

Recommendations

I think it's a design issue. A state should be added when creating the Escrow to confirm whether the `msg.sender` really does not need an arbitrator.
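
One way to implement the recommendation above, as an added sketch that is not part of the original submission or the audited code base. It models only the arbiter-related logic; the contract name, the `disputesWaived` flag, the error names and the getters are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added sketch, not the audited Escrow.sol: only the arbiter handling is modelled.
contract EscrowArbiterSketch {
    // Hypothetical error names for this sketch.
    error ArbiterZeroAddress();
    error ArbiterSetButDisputesWaived();
    error OnlyBuyerOrSeller();
    error DisputesWaived();

    address private immutable i_buyer;
    address private immutable i_seller;
    address private immutable i_arbiter;
    // Explicit deploy-time statement that no arbitrator is wanted (assumed name).
    bool private immutable i_disputesWaived;

    bool private s_disputed;

    constructor(address buyer, address seller, address arbiter, bool disputesWaived) {
        // A zero arbiter is accepted only with an explicit waiver, so a forgotten
        // argument reverts at deployment instead of silently disabling disputes.
        if (arbiter == address(0) && !disputesWaived) revert ArbiterZeroAddress();
        // Reject the contradictory combination as well.
        if (arbiter != address(0) && disputesWaived) revert ArbiterSetButDisputesWaived();
        i_buyer = buyer;
        i_seller = seller;
        i_arbiter = arbiter;
        i_disputesWaived = disputesWaived;
    }

    function initiateDispute() external {
        if (msg.sender != i_buyer && msg.sender != i_seller) revert OnlyBuyerOrSeller();
        // Reaching this revert means the waiver was chosen on purpose at deployment.
        if (i_disputesWaived) revert DisputesWaived();
        s_disputed = true;
    }

    // Lets either party verify the dispute configuration before confirming.
    function getArbiter() external view returns (address) {
        return i_arbiter;
    }

    function getDisputesWaived() external view returns (bool) {
        return i_disputesWaived;
    }
}
```

With this shape, an escrow without an arbiter can still be created, but only when the deployer states that choice explicitly.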
