40,000 USDC
Submission Details
Severity: low
Valid

Missing checks at `Escrow` creation

Summary

Missing checks at Escrow contract creation.

Vulnerability Details

The constructor of Escrow.sol contains checks that validate certain inputs and guard against user input errors, but some checks are missing:

  • buyer can input his own address as arbiter

  • buyer can input arbiterFee = 0

  • buyer can input his address as seller

Impact

  • buyer can input his own address as arbiter: if the buyer is malicious and the seller did not pay attention to the event `emit EscrowCreated(address(escrow), msg.sender, seller, arbiter);` emitted at Escrow contract creation, the buyer could manipulate the dispute system and never pay the seller for the work done.

  • buyer can input arbiterFee = 0: with `arbiterFee` set to 0, the arbiter would have no incentive to spend time and resources on resolving the dispute. This would break the dispute system, since only the arbiter is able to call `resolveDispute()` once `initiateDispute()` has been called.

  • buyer can input his address as seller: if the user mistakenly inputs his address as the seller address at Escrow contract creation, it would still create the contract, but would be bad for the user experience as the user would lose the transaction gas for a now useless Escrow contract.
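
Until the constructor enforces these checks, a seller can verify the `EscrowCreated` arguments off-chain before starting work. The following is an added example, not code from the submission or from the project: the field names on `ev` are hypothetical labels for the four event arguments, the addresses are constructed, and `arbiterFee` is not among the event arguments, so it is not covered here.

```javascript
// Added example (not project code). `ev` holds the decoded EscrowCreated
// arguments under hypothetical names:
//   escrow = address(escrow), buyer = msg.sender, seller, arbiter.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
const FIELDS = ["escrow", "buyer", "seller", "arbiter"];

// The same address can arrive checksummed (mixed case) or all lowercase,
// so a plain === comparison can miss a match.
function sameAddress(a, b) {
  return a.toLowerCase() === b.toLowerCase();
}

// Returns the list of problems a seller should resolve before starting work.
// An empty list means none of the checks below failed.
function reviewEscrowCreated(ev, myAddress) {
  const problems = [];
  for (const name of FIELDS) {
    if (typeof ev[name] !== "string" || !ADDRESS_RE.test(ev[name])) {
      problems.push(`${name} is not a valid address`);
    }
  }
  if (typeof myAddress !== "string" || !ADDRESS_RE.test(myAddress)) {
    problems.push("myAddress is not a valid address");
  }
  if (problems.length > 0) return problems; // do not compare malformed input

  if (sameAddress(ev.buyer, ev.arbiter)) problems.push("buyer is also the arbiter");
  if (sameAddress(ev.buyer, ev.seller)) problems.push("buyer is also the seller");
  if (!sameAddress(ev.seller, myAddress)) problems.push("seller is not my address");
  return problems;
}

// Constructed sample: the arbiter is the buyer's address in different letter case.
const SAMPLE_SELLER = "0x" + "11".repeat(20);
const SAMPLE_EVENT = {
  escrow: "0x" + "33".repeat(20),
  buyer: "0x" + "Ab".repeat(20),
  seller: SAMPLE_SELLER,
  arbiter: "0x" + "ab".repeat(20),
};
console.log(reviewEscrowCreated(SAMPLE_EVENT, SAMPLE_SELLER));
```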

Tools Used

Manual review

Recommendations

Add the 3 checks in the Escrow.sol constructor and the related errors in IEscrow.sol:

Escrow.constructor:

  • if (buyer == arbiter) revert Escrow__BuyerArbiterSameAddress();

  • if (arbiterFee == 0) revert Escrow__ArbiterFeeZero();

  • if (buyer == seller) revert Escrow__BuyerSellerSameAddress();

IEscrow.sol:

  • error Escrow__BuyerArbiterSameAddress();

  • error Escrow__ArbiterFeeZero();

  • error Escrow__BuyerSellerSameAddress();
