Summary

Without the arbiter, there is no way to resolve disputes or to (partially) cancel the escrow, even if both parties aggree.

Vulnerability Details

When the buyer creates a new escrow contract he puts the amount he is willing to pay to the seller into the contract. Also he can define an arbiter to resolve disputes and/or (partially) cancel the escrow. The arbiter is incentivices by agiven arbiter Fee.

It is worth noting, that setting an arbiter is optional, so there is the possibility that no arbiter is configured for an escrow.

Now it could occure that there is an "dispute" between the 2 parties, but they do both agree on a solution.
Example could be, the auditor already delivered a part, but cannot deliver the full requested audit because of personal reasons. Buyer and seller could simply agree on a partial cancel of the escrow (where the buyer gets only a part of the money).

However there if there is no arbiter configured there is no way for them to do this in a trustless way.

Moreover, even if there is an arbiter configured, they would have to pay him the arbiter fee, even if they did not really need him, as they both agreed on the terms somehow.
On top of that they do have to trust the arbiter, that he excetues the dispute with the aggreed terms.

Impact

• Possible Lock of Funds: No way to (partially) cancel the escrow/resolve disputes even if both parties agree, if theres no arbiter set.

• Unncessary loss of arbiter fee in case a (partial) cancel/dispute resolve is required, even if both parties agree.

• Unneccessary Trust required to the arbiter, even if both parties can agree on a solution.

Tools Used

• Neovim

• Manual Code Review

Recommendations

There should be a 2 step way to resolve disputes by the buyer and seller alone.