40,000 USDC
Submission Details
Severity: high

Buyer can always frontrun & grief Seller by always initiating dispute

Summary

Seller can always frontrun & grief Buyer by always initiating dispute, so the Seller receives less than what's expected, which could be as low as 0 (depending on the value of arbiterFee).

Vulnerability Details

The attack vector is:

  • The Buyer can frontrun the Seller's confirmReceipt transaction with initiateDispute, putting the order into the disputed state.

  • This means the Seller can get back at most price - arbiterFee instead of the full agreed price.

Impact

The Seller can get griefed, especially if the escrow contract is used to settle non-atomic transactions, for example, resolving third-party trades. This means that the trade could have been successful externally (with the agreed price), but the Buyer can then grief the Seller into getting less. The Buyer could potentially have colluded with the Arbiter to share the arbiterFee.

Even if the Arbiter is honest, the arbiterFee is still collected.

Tools Used

Manual Review

Recommendations

  • Add a penalty for bad disputes initiated by the Buyer to disincentivize such behavior.
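
As an added illustration (a simplified Python model of the scenario in this report, not the audited contract's code), the following replays the ordering described under Vulnerability Details and compares the Seller's payout with and without a dispute bond. The bond, the rule that a zero buyer award marks a dispute as unfounded, and every name other than price and arbiterFee are assumptions.

```python
# Added model (not the audited contract): payouts when initiateDispute is
# ordered ahead of confirmReceipt. dispute_bond is a hypothetical mitigation.
from dataclasses import dataclass, field

@dataclass
class Escrow:
    price: int
    arbiter_fee: int
    dispute_bond: int = 0   # assumption: 0 models the behaviour the finding describes
    state: str = "Created"
    disputer: str = ""
    net: dict = field(default_factory=lambda: {"buyer": 0, "seller": 0, "arbiter": 0})

    def _require(self, expected):
        if self.state != expected:
            raise RuntimeError(f"revert: state is {self.state}, expected {expected}")

    def confirm_receipt(self):
        self._require("Created")
        self.state = "Confirmed"
        self.net["seller"] += self.price          # full agreed price released

    def initiate_dispute(self, caller):
        self._require("Created")
        self.state, self.disputer = "Disputed", caller
        self.net[caller] -= self.dispute_bond     # bond locked with the escrow

    def resolve_dispute(self, buyer_award):
        self._require("Disputed")
        bad = buyer_award == 0                    # assumption: zero award = unfounded dispute
        fee_from_bond = min(self.dispute_bond, self.arbiter_fee) if bad else 0
        fee_from_price = self.arbiter_fee - fee_from_bond
        if buyer_award + fee_from_price > self.price:
            raise RuntimeError("revert: award plus fee exceeds escrowed price")
        self.state = "Resolved"
        self.net["arbiter"] += self.arbiter_fee
        self.net["buyer"] += buyer_award
        self.net["seller"] += self.price - buyer_award - fee_from_price
        self.net[self.disputer] += self.dispute_bond - fee_from_bond  # refund remainder

def frontrun_scenario(price, arbiter_fee, dispute_bond=0):
    """Buyer's initiateDispute lands first; the pending confirmReceipt then reverts."""
    e = Escrow(price, arbiter_fee, dispute_bond)
    e.initiate_dispute("buyer")
    try:
        e.confirm_receipt()
        confirm_reverted = False
    except RuntimeError:
        confirm_reverted = True
    e.resolve_dispute(buyer_award=0)              # honest arbiter sides with the seller
    return confirm_reverted, e.net
```

In this sketch the bond only helps when the Arbiter is honest: an Arbiter colluding with the Buyer can award a nonzero amount, which keeps the fee charged against the escrowed price.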
