Severity: high

The Seller can collude with the Arbiter to resolve dispute dishonestly (Buyer can get 0)

Summary

The Seller can collude with the Arbiter to resolve dispute dishonestly (Buyer can get 0, and the Seller & Arbiter can share the whole amount).

Vulnerability Details

  • resolveDispute lets the Arbiter choose how much the Buyer receives, so the Arbiter can set buyerAward to 0 (the Buyer gets nothing). In that case the Arbiter receives arbiterFee and the Seller receives price - arbiterFee, which the two can split between themselves afterwards.

To carry out this attack, the Seller can front-run the Buyer's call to confirmReceipt by initiating a dispute first.

Impact

The Buyer can be griefed by collusion between the Arbiter and the Seller. This is especially bad if the escrow is being used to settle external trades that have already been settled, since the Buyer then has no recourse on either side.

Tools Used

Manual Review

Recommendations

  • Ensure that the Arbiter cannot profitably collude with the Seller: for example, add a delay to token transfers and withdrawals during dispute resolution so that governance or the DAO has a window in which to seize funds from these bad actors.
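The following is an added illustration of the recommended delay, not the audited contract. It is a minimal, hypothetical escrow written for this note: the names price, arbiterFee, buyerAward, confirmReceipt and resolveDispute follow the finding, while the two-step proposeResolution/executeResolution flow, the RESOLUTION_DELAY, and the guardian address (standing in for governance or the DAO) are assumed mitigation design. It uses native ETH instead of a token purely to keep the example short. The delay does not by itself stop the Arbiter from proposing a zero award; what it removes is the instant, irreversible payout, so a collusive award can be caught and the funds seized before anything moves.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical escrow for illustration only (not the contract under review).
contract EscrowWithDelayedResolution {
    enum State { Created, Disputed, ResolutionPending, Resolved }

    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter;
    address public immutable guardian;   // assumed: governance/DAO multisig
    uint256 public immutable price;
    uint256 public immutable arbiterFee;
    uint256 public constant RESOLUTION_DELAY = 3 days; // assumed window

    State public state;
    uint256 public pendingBuyerAward;
    uint256 public resolutionReadyAt;

    constructor(address _seller, address _arbiter, address _guardian, uint256 _arbiterFee) payable {
        require(_arbiterFee < msg.value, "fee must be below price");
        buyer = msg.sender;
        seller = _seller;
        arbiter = _arbiter;
        guardian = _guardian;
        price = msg.value;
        arbiterFee = _arbiterFee;
        state = State.Created;
    }

    // Happy path: the Buyer confirms delivery and the Seller is paid in full.
    function confirmReceipt() external {
        require(msg.sender == buyer, "only buyer");
        require(state == State.Created, "bad state");
        state = State.Resolved;                 // effects before interaction
        _pay(seller, price);
    }

    // Either party may open a dispute; this is the call the Seller would use
    // to front-run confirmReceipt in the scenario described above.
    function initiateDispute() external {
        require(msg.sender == buyer || msg.sender == seller, "only party");
        require(state == State.Created, "bad state");
        state = State.Disputed;
    }

    // Step 1 (replaces an immediate-payout resolveDispute): the Arbiter only
    // records the proposed split; no funds move yet.
    function proposeResolution(uint256 buyerAward) external {
        require(msg.sender == arbiter, "only arbiter");
        require(state == State.Disputed, "bad state");
        require(buyerAward + arbiterFee <= price, "award exceeds escrow");
        pendingBuyerAward = buyerAward;
        resolutionReadyAt = block.timestamp + RESOLUTION_DELAY;
        state = State.ResolutionPending;
    }

    // Step 2: anyone may execute once the delay has elapsed and no veto occurred.
    function executeResolution() external {
        require(state == State.ResolutionPending, "nothing pending");
        require(block.timestamp >= resolutionReadyAt, "delay not elapsed");
        state = State.Resolved;
        uint256 sellerAward = price - arbiterFee - pendingBuyerAward;
        _pay(arbiter, arbiterFee);
        _pay(buyer, pendingBuyerAward);
        _pay(seller, sellerAward);
    }

    // During the delay the guardian can seize the escrowed funds from a
    // collusive Arbiter/Seller pair and route them to a recovery address.
    function seizePendingResolution(address recovery) external {
        require(msg.sender == guardian, "only guardian");
        require(state == State.ResolutionPending, "nothing pending");
        require(block.timestamp < resolutionReadyAt, "window closed");
        state = State.Resolved;
        _pay(recovery, address(this).balance);
    }

    function _pay(address to, uint256 amount) internal {
        if (amount == 0) return;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The state variable is updated before every external call so the payout functions follow checks-effects-interactions, and the guardian path is restricted to the pending window so it cannot be used to claw back a resolution that has already executed.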
