The buyer can set arbiter as his friend and steal the price amount from the seller
Summary
In Escrow.sol, the buyer can set an optional arbiter with arbiterFee. The only check that exists for the fee is to be less than a price initialized. The problem is that every actor is untrusted in the blockchain and arbiter can easily be a friend of the buyer so the buyer can set arbiterFee close to 99% of the price.
Vulnerability Details
The current implementation of the contract allows buyer to set any arbiterFee, the only requirement for it to be less than a price. But its value can be close to the price meaning that, after the dispute, arbiter will get 99% (or slightly less) of the price and can even send 1% left to the buyer as buyerReward. After the dispute is resolved, arbiter and buyer can split the money. The inattentive auditor can look only at the price and not the arbiterFee and if the buyer initiates the dispute, he may lose all his price amount for the auditing.
Impact
High-risk as seller (auditor) may not get his funds for the audit.
Tools Used
Manual review.
Recommendations
arbiterFee shouldn't be arbitrary value set by the buyer who can potentially initiates the dispute where these fees will go to the arbiter. To mitigate the risk, it's recommended to set some fixed amount for the arbiterFee or make some check to make sure that arbiterFee is no more than some value (like, 5%) and not compare it to the price as in the current implementation.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.