40,000 USDC
View results
Submission Details
Severity: medium
Valid

Potential Risk of Funds Trapped due to USDC Token Blacklisting

Summary

If the recipient of the token is blacklisted by the USDC token, this could result in funds being trapped.

Vulnerability Details

The USDC token is within the scope of the contract, so let's take a look at the following code:

/// @inheritdoc IEscrow
function resolveDispute(uint256 buyerAward) external onlyArbiter nonReentrant inState(State.Disputed) {
uint256 tokenBalance = i_tokenContract.balanceOf(address(this));
uint256 totalFee = buyerAward + i_arbiterFee; Reverts on overflow
if (totalFee > tokenBalance) {
revert Escrow__TotalFeeExceedsBalance(tokenBalance, totalFee);
}
s_state = State.Resolved;
emit Resolved(i_buyer, i_seller);
if (buyerAward > 0) {
i_tokenContract.safeTransfer(i_buyer, buyerAward);
}
if (i_arbiterFee > 0) {
i_tokenContract.safeTransfer(i_arbiter, i_arbiterFee);
}
tokenBalance = i_tokenContract.balanceOf(address(this));
if (tokenBalance > 0) {
i_tokenContract.safeTransfer(i_seller, tokenBalance);
}
}

In general, the resolveDispute function is a crucial part of the contract that is responsible for resolving disputes and distributing tokens. It ensures that under specific conditions, the buyer and arbiter receive the corresponding token rewards as per the agreement, while also ensuring that the seller receives the remaining tokens.

If the seller (seller) is added to the blacklist of USDC, it will result in all transfer operations in the resolveDispute function encountering issues. This could trap funds within the contract and cause financial losses to all members involved in the contract.
https://github.com/Polaristow/weird-erc20#tokens-with-blocklists

Impact

Causing funds to be trapped and financial losses.

Tools Used

Manual Review

Recommendations

Consider storing the token amount in a variable and allowing the recipient to claim it later.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.