Funds can be stuck if the escrow is disputed and the address of the `arbiter` is wrong
Summary
If the escrow is disputed, the only address that is able to call the contract to release the funds is the arbiter. In case the address of the arbiter is wrong the funds will be stuck in the contract
Vulnerability Details
See summary
Impact
The funds will be stuck and neither the buyer can get them back nor they can be paid out to the seller
Tools Used
Manual review
Recommendations
Add an extra step to the escrow process where buyer and seller need to confirm that the parameters of the escrow are right. This way it is also made sure that the seller address is the correct one and the seller can/needs to double check if the escrow was set up the right way (with the right amount and token and with the right arbiter address and arbiter fee). As long as one of both parties have not confirmed the parameters, the buyer should still be able to withdraw the tokens from the contract (maybe with the permission of the seller to prevent the seller to confirm last and before conformation withdraw the tokens from the contract). Since the escrow contract will be deployed on low cost EVM chains, the conformations will not cost very much but there will be an extra security step to prevent the loss of, most of the time, several thousands of USD in tokens
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.