40,000 USDC
Submission Details
Severity: low
Valid

Conflicts of Interest due to Same Buyer, Seller, and Arbiter Addresses

Summary

The vulnerability in the escrow contract occurs when the buyer, seller, and arbiter are all set to the same address. This results in a lack of an impartial arbiter, compromising the fairness and security of the escrow arrangement.

Vulnerability Details

In the Escrow contract, there is no validation check during deployment to ensure that the addresses of the buyer, seller, and arbiter are unique. As a result, if these addresses are set to the same value, the contract is deployed without detecting the conflict of interest.

Here's the test case:

    // An address that will be set as the buyer, seller and arbiter.
    address sameAddress = vm.addr(1);

    function testWhenBuyerAndSellerAndArbiterAreSame() public {
        vm.startPrank(sameAddress);
        ERC20Mock(address(i_tokenContract)).mint(sameAddress, PRICE);
        ERC20Mock(address(i_tokenContract)).approve(
            address(escrowFactory),
            PRICE
        );
        escrow = escrowFactory.newEscrow(
            PRICE,
            i_tokenContract,
            sameAddress,
            sameAddress,
            ARBITER_FEE,
            SALT1
        );
        vm.stopPrank();
        assertEq(escrow.getPrice(), PRICE);
        assertEq(address(escrow.getTokenContract()), address(i_tokenContract));
        assertEq(escrow.getBuyer(), sameAddress);
        assertEq(escrow.getSeller(), sameAddress);
        assertEq(escrow.getArbiter(), sameAddress);
        assertEq(escrow.getArbiterFee(), ARBITER_FEE);
    }

Impact

The impact of this vulnerability is significant. When all roles have the same address, there is no neutral party to mediate disputes between the buyer and seller. This can lead to conflicts, biased decisions, and potential misuse of power, ultimately jeopardizing the funds and assets involved in the transaction. The lack of an impartial arbiter also hinders proper dispute resolution, leaving both parties vulnerable to fraud and unfair practices.

Tools Used

Manual Review

Recommendations

To address this vulnerability, it is crucial to add a validation check during contract deployment to ensure that the buyer, seller, and arbiter addresses are unique. By enforcing this requirement, the escrow contract can maintain the impartiality of the arbiter and provide a fair and secure environment for conducting transactions. Additionally, users and developers should exercise caution when deploying escrow contracts and avoid using the same address for multiple roles to mitigate the risks associated with this vulnerability.

We can add an if statement to check that all addresses are unique:

    // Check that all addresses (buyer, seller, and arbiter) are unique
    if (buyer == seller || buyer == arbiter || seller == arbiter) {
        revert Escrow__BuyerSellerAndArbiterNotUnique();
    }
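The recommended check in context, with Foundry tests for every colliding pair of roles. This is an added example, not the audited project's code: the contract name RoleGuardedEscrow, its three-address constructor, the compiler version and the test addresses are assumptions, and it needs forge-std to run.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18; // assumed compiler version

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal contract: only the role fields and the guard, no token handling.
contract RoleGuardedEscrow {
    error Escrow__BuyerSellerAndArbiterNotUnique();

    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter;

    constructor(address _buyer, address _seller, address _arbiter) {
        // Reject any pair of equal roles, not only the case where all three match.
        if (_buyer == _seller || _buyer == _arbiter || _seller == _arbiter) {
            revert Escrow__BuyerSellerAndArbiterNotUnique();
        }
        buyer = _buyer;
        seller = _seller;
        arbiter = _arbiter;
    }
}

contract RoleGuardedEscrowTest is Test {
    // Constructed test addresses.
    address a = vm.addr(1);
    address b = vm.addr(2);
    address c = vm.addr(3);

    function _expectNotUnique(address buyer, address seller, address arbiter) internal {
        vm.expectRevert(RoleGuardedEscrow.Escrow__BuyerSellerAndArbiterNotUnique.selector);
        new RoleGuardedEscrow(buyer, seller, arbiter);
    }

    function testRevertsOnAnySharedRole() public {
        _expectNotUnique(a, a, a); // all three equal, the case in the report's test
        _expectNotUnique(a, a, c); // buyer == seller
        _expectNotUnique(a, b, a); // buyer == arbiter
        _expectNotUnique(a, b, b); // seller == arbiter
    }

    function testDeploysWithDistinctRoles() public {
        RoleGuardedEscrow escrow = new RoleGuardedEscrow(a, b, c);
        assertEq(escrow.buyer(), a);
        assertEq(escrow.seller(), b);
        assertEq(escrow.arbiter(), c);
    }
}
```

The guard compares addresses only, so it cannot detect one party controlling two distinct addresses.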
