CodeHawks Escrow Contract - Competition Details

Cyfrin

Foundry

40,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Potential Risk of Funds Trapped due to USDC Token Blacklisting

polaris_tow

Summary

If the recipient of the token is blacklisted by the USDC token, this could result in funds being trapped.

Vulnerability Details

The USDC token is within the scope of the contract, so let's take a look at the following code:

/// @inheritdoc IEscrow

function resolveDispute(uint256 buyerAward) external onlyArbiter nonReentrant inState(State.Disputed) {

uint256 tokenBalance = i_tokenContract.balanceOf(address(this));

uint256 totalFee = buyerAward + i_arbiterFee; Reverts on overflow

if (totalFee > tokenBalance) {

revert Escrow__TotalFeeExceedsBalance(tokenBalance, totalFee);

}

s_state = State.Resolved;

emit Resolved(i_buyer, i_seller);

if (buyerAward > 0) {

i_tokenContract.safeTransfer(i_buyer, buyerAward);

}

if (i_arbiterFee > 0) {

i_tokenContract.safeTransfer(i_arbiter, i_arbiterFee);

}

tokenBalance = i_tokenContract.balanceOf(address(this));

if (tokenBalance > 0) {

i_tokenContract.safeTransfer(i_seller, tokenBalance);

}

In general, the resolveDispute function is a crucial part of the contract that is responsible for resolving disputes and distributing tokens. It ensures that under specific conditions, the buyer and arbiter receive the corresponding token rewards as per the agreement, while also ensuring that the seller receives the remaining tokens.

If the seller (seller) is added to the blacklist of USDC, it will result in all transfer operations in the resolveDispute function encountering issues. This could trap funds within the contract and cause financial losses to all members involved in the contract.
https://github.com/Polaristow/weird-erc20#tokens-with-blocklists

Impact

Causing funds to be trapped and financial losses.

Tools Used

Manual Review

Recommendations

Consider storing the token amount in a variable and allowing the recipient to claim it later.

Prize pool breakdown

Total prize

40,000 USDC

nSLOC

186

215 USDC / LOC

High Medium

37,000 USDC

Low

3,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.