Submission Details
Severity: high

The buyer can set a friendly arbiter and steal the price amount from the seller

Summary

In Escrow.sol, the buyer can set an optional arbiter with an arbiterFee. The only check on the fee is that it is less than the initialized price. The problem is that every actor on the blockchain is untrusted, and the arbiter can easily be a friend of the buyer, so the buyer can set arbiterFee close to 99% of the price.

Vulnerability Details

The current implementation of the contract allows the buyer to set any arbiterFee; the only requirement is that it be less than the price. Its value can therefore be close to the price, meaning that after a dispute the arbiter receives 99% (or slightly less) of the price and can even send the remaining 1% to the buyer as buyerReward. After the dispute is resolved, the arbiter and buyer can split the money. An inattentive auditor may look only at the price and not at the arbiterFee, and if the buyer initiates a dispute, the auditor may lose the whole price amount for the audit.

Impact

High risk, as the seller (auditor) may not receive his funds for the audit.

Tools Used

Manual review.

Recommendations

arbiterFee shouldn't be an arbitrary value set by the buyer, who can potentially initiate the dispute in which these fees go to the arbiter. To mitigate the risk, it's recommended to set a fixed amount for the arbiterFee, or to add a check that arbiterFee is no more than some value (e.g. 5%) rather than only comparing it to the price as in the current implementation.
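The following sketch is an added illustration, not the audited Escrow.sol: it places the fee check described above beside a capped check of the kind the recommendation asks for, and models the dispute split that lets a buyer and a colluding arbiter leave the seller with nothing. The 5% cap, the error names and the payout shape are assumptions of this sketch, not the project's code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Illustrative sketch only (not the audited Escrow.sol).
contract ArbiterFeeCheck {
    /// Assumed cap for the hardened check: 5% of price, in basis points.
    uint256 public constant MAX_ARBITER_FEE_BPS = 500;

    error FeeExceedsPrice(uint256 price, uint256 fee);
    error FeeExceedsCap(uint256 maxFee, uint256 fee);
    error AwardExceedsRemainder(uint256 remainder, uint256 award);

    /// Check as described in the report: any fee strictly below price
    /// is accepted, so a fee of price - 1 passes.
    function validateFeeOriginal(uint256 price, uint256 fee) public pure {
        if (fee >= price) revert FeeExceedsPrice(price, fee);
    }

    /// Capped check (assumed implementation of the recommendation):
    /// the fee may not exceed a fixed fraction of the price.
    function validateFeeCapped(uint256 price, uint256 fee) public pure {
        uint256 maxFee = (price * MAX_ARBITER_FEE_BPS) / 10_000;
        if (fee > maxFee) revert FeeExceedsCap(maxFee, fee);
    }

    /// Dispute split assumed for the sketch: the arbiter takes the fee,
    /// the buyer receives buyerAward out of what is left, and the seller
    /// gets the remainder. With fee close to price the seller's share
    /// approaches zero regardless of the award.
    function disputePayout(uint256 price, uint256 fee, uint256 buyerAward)
        public
        pure
        returns (uint256 toArbiter, uint256 toBuyer, uint256 toSeller)
    {
        uint256 remainder = price - fee;
        if (buyerAward > remainder) {
            revert AwardExceedsRemainder(remainder, buyerAward);
        }
        return (fee, buyerAward, remainder - buyerAward);
    }
}
```

With price 100, fee 99 and buyerAward 1, validateFeeOriginal accepts the fee and disputePayout gives the seller 0, whereas validateFeeCapped reverts for any fee above 5.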
