Summary

If the escrow is disputed, the only address that is able to call the contract to release the funds is the arbiter. In case the address of the arbiter is wrong the funds will be stuck in the contract

Vulnerability Details

See summary

Impact

The funds will be stuck and neither the buyer can get them back nor they can be paid out to the seller

Tools Used

Manual review

Recommendations

Add an extra step to the escrow process where buyer and seller need to confirm that the parameters of the escrow are right. This way it is also made sure that the seller address is the correct one and the seller can/needs to double check if the escrow was set up the right way (with the right amount and token and with the right arbiter address and arbiter fee). As long as one of both parties have not confirmed the parameters, the buyer should still be able to withdraw the tokens from the contract (maybe with the permission of the seller to prevent the seller to confirm last and before conformation withdraw the tokens from the contract). Since the escrow contract will be deployed on low cost EVM chains, the conformations will not cost very much but there will be an extra security step to prevent the loss of, most of the time, several thousands of USD in tokens