40,000 USDC
Submission Details
Severity: low
Valid

The arbiter can also be the buyer because of a missing check

Summary

In EscrowFactory.sol, there is no check that the creator of the escrow is not also the arbiter. If a seller is misinformed or does not do proper due diligence, the buyer can manipulate the escrow service in his favour.

Vulnerability Details

In EscrowFactory.newEscrow(), the buyer is the one who deposits the downpayment and creates the escrow contract. He also supplies the seller address and the arbiter address.

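    function newEscrow(
        uint256 price,
        IERC20 tokenContract,
        address seller,
        address arbiter,
        uint256 arbiterFee,
        bytes32 salt
    ) external returns (IEscrow) {
        // The escrow address is derived from the caller-supplied parameters;
        // msg.sender is passed in as the buyer.
        address computedAddress = computeEscrowAddress(
            type(Escrow).creationCode,
            address(this),
            uint256(salt),
            price,
            tokenContract,
            msg.sender,
            seller,
            arbiter,
            arbiterFee
        );
        // The buyer's deposit is moved without any comparison of msg.sender and arbiter.
        tokenContract.safeTransferFrom(msg.sender, computedAddress, price);
        // ... (rest of the function is not shown in this report)
    }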

Right now, there is no check that the arbiter cannot be the buyer. The buyer can input his own address as the arbiter and trick the seller into thinking that he got an impartial third party to oversee the escrow.

Impact

If the buyer is also the arbiter, he can use this as an advantage over the seller (by calling dispute after the job is completed and keeping his money).

Tools Used

Manual Review

Recommendations

Add a simple check in newEscrow() to mitigate such issues, e.g.:

require(msg.sender != arbiter);
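
A simplified Python model of the scenario above and of the recommended check, added here as an illustration and not taken from the audited contracts. The dispute and payout rules, the class and function names, and the addresses and amounts are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

class ArbiterIsBuyer(Exception):
    """Raised by the hardened factory when msg.sender == arbiter."""

@dataclass
class Escrow:  # simplified stand-in, not the real Escrow.sol
    buyer: str
    seller: str
    arbiter: str
    price: int
    arbiter_fee: int
    disputed: bool = False
    payouts: dict = field(default_factory=dict)

    def initiate_dispute(self, caller):
        if caller not in (self.buyer, self.seller):
            raise PermissionError("only buyer or seller can dispute")
        self.disputed = True

    def resolve_dispute(self, caller, buyer_award):
        # Assumed rule: only the arbiter decides how the deposit is split.
        if caller != self.arbiter or not self.disputed:
            raise PermissionError("only the arbiter can resolve an open dispute")
        if buyer_award + self.arbiter_fee > self.price:
            raise ValueError("award plus fee exceeds deposit")
        seller_share = self.price - buyer_award - self.arbiter_fee
        for who, amount in ((self.buyer, buyer_award),
                            (self.arbiter, self.arbiter_fee),
                            (self.seller, seller_share)):
            self.payouts[who] = self.payouts.get(who, 0) + amount
        return self.payouts

def new_escrow(msg_sender, price, seller, arbiter, arbiter_fee, check_arbiter):
    # check_arbiter=True applies the report's require(msg.sender != arbiter).
    if check_arbiter and msg_sender == arbiter:
        raise ArbiterIsBuyer("arbiter must not be the escrow creator")
    return Escrow(msg_sender, seller, arbiter, price, arbiter_fee)

def self_arbitrated_outcome(check_arbiter):
    """Constructed case: buyer 0xB names itself arbiter, seller is 0x5.
    Returns the payout map, or None if the factory rejects the escrow."""
    try:
        escrow = new_escrow("0xB", 1000, "0x5", "0xB", 50, check_arbiter)
    except ArbiterIsBuyer:
        return None
    escrow.initiate_dispute("0xB")
    return escrow.resolve_dispute("0xB", buyer_award=950)
```

Without the check the seller's share in the model is 0 and the whole deposit returns to the buyer's address; with the check the escrow is never created.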
