CodeHawks Escrow Contract - Competition Details
Cyfrin
Foundry
40,000 USDC
View results
Previous Next
Submission Details
Severity: medium

[M-01] Buyer can grief payment of arbiter fee

0xnevi

Impact

Escrow.sol#L50

constructor(
uint256 price,
IERC20 tokenContract,
address buyer,
address seller,
address arbiter,
-> uint256 arbiterFee
) {
if (address(tokenContract) == address(0)) revert Escrow__TokenZeroAddress();
if (buyer == address(0)) revert Escrow__BuyerZeroAddress();
if (seller == address(0)) revert Escrow__SellerZeroAddress();
if (arbiterFee >= price) revert Escrow__FeeExceedsPrice(price, arbiterFee);
if (tokenContract.balanceOf(address(this)) < price) revert Escrow__MustDeployWithTokenBalance();
i_price = price;
i_tokenContract = tokenContract;
i_buyer = buyer;
i_seller = seller;
i_arbiter = arbiter;
/// @audit buyer decides arbiter fee
-> i_arbiterFee = arbiterFee;
}

Instead of allowing buyer to control arbiter fee on deployment, consider implementing a fixed % of fee extracted from i_price when arbiter is required to resolve disputes. If not it can lead to the following scenarios:

  1. If a dispute is initiated by seller, and arbiter sides with seller, he will be forced to resolve dispute and send the unagreed price of tokens to seller, leading to arbiter receiving no/lesser fees and seller being under-compensated for his work.


  1. The same case occurs when arbiter agrees with buyer and resolves dispute to send back funds escrowed to buyer, in which he will receive no/lesser fees for resolving dispute. Although in this case, arbiter has the power to withhold fees from buyer.

Tools Used

Manual Analysis

Recommendation

Consider implementing a fixed percentage for arbiter fee extracted from i_price and computed within the constructor.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.