Submission Details
Severity: high

Buyer can collude with Arbiter so Seller get nothing (0)

Summary

The Buyer can collude with the Arbiter during dispute resolution to set buyerAward = price - arbiterFee, so the Seller receives nothing (0) and the Buyer can share the proceeds with the Arbiter.

Vulnerability Details

The Buyer can collude with the Arbiter in the resolveDispute process (setting buyerAward = price - arbiterFee). The Seller then receives 0, while the Buyer receives price - arbiterFee, which can be shared with the Arbiter as the incentive to pull this off.

To make the attack happen, the Buyer only needs to call initiateDispute and collude with the Arbiter to resolve the dispute dishonestly (and share the rewards).

Impact

The Seller (the auditors) may not get paid.

Tools Used

Manual Review

Recommendations

  • Add enough incentive for the Arbiter not to behave dishonestly (if the Arbiter is considered fully trusted, then the escrow contract is not needed at all: just let the Arbiter decide who gets what), OR

  • Add enough of a penalty in case the Buyer misbehaves, OR

  • Put the disputed tokens in a Timelock contract, where withdrawals are delayed, and let the governance or the DAO vote in case something dishonest has happened.
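As an added illustration of the third recommendation (not code from the audited escrow contract or from the submitter), the sketch below queues the Arbiter's split behind a delay instead of paying it out immediately, so a colluding split of buyerAward = price - arbiterFee cannot drain the Seller before anyone can react. The contract, its state machine, the RESOLUTION_DELAY of 3 days, the governance veto and the IERC20 interface are all assumptions of this example; the function and variable names resolveDispute, initiateDispute, buyerAward, arbiterFee and price mirror the finding only for readability.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed by this sketch (standard interface, assumed).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// @notice Hypothetical escrow: a dispute resolution is queued behind a delay
/// and can be vetoed by governance before any funds move. This is an
/// illustrative contract, not the audited code.
contract TimelockedEscrow {
    enum State { Created, Disputed, Queued, Resolved }

    IERC20 public immutable token;
    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter;
    address public immutable governance;       // DAO / multisig that may veto (assumed role)
    uint256 public immutable price;
    uint256 public immutable arbiterFee;
    uint256 public constant RESOLUTION_DELAY = 3 days; // assumed challenge window

    State public state;
    uint256 public pendingBuyerAward;
    uint256 public releaseTime;

    event ResolutionQueued(uint256 buyerAward, uint256 sellerAward, uint256 releaseTime);
    event ResolutionVetoed(uint256 buyerAward);
    event ResolutionExecuted(uint256 buyerAward, uint256 sellerAward);

    constructor(
        IERC20 _token, address _buyer, address _seller, address _arbiter,
        address _governance, uint256 _price, uint256 _arbiterFee
    ) {
        require(_arbiterFee < _price, "fee exceeds price");
        token = _token; buyer = _buyer; seller = _seller; arbiter = _arbiter;
        governance = _governance; price = _price; arbiterFee = _arbiterFee;
        state = State.Created;
        // Funding the escrow with `price` tokens is left out of this sketch.
    }

    function initiateDispute() external {
        require(msg.sender == buyer || msg.sender == seller, "not a party");
        require(state == State.Created, "wrong state");
        state = State.Disputed;
    }

    /// @dev Records the Arbiter's proposed split; nothing is paid out yet.
    function resolveDispute(uint256 buyerAward) external {
        require(msg.sender == arbiter, "not arbiter");
        require(state == State.Disputed, "wrong state");
        require(buyerAward <= price - arbiterFee, "award exceeds escrow");
        pendingBuyerAward = buyerAward;
        releaseTime = block.timestamp + RESOLUTION_DELAY;
        state = State.Queued;
        emit ResolutionQueued(buyerAward, price - arbiterFee - buyerAward, releaseTime);
    }

    /// @dev Governance can cancel a queued split during the delay; the escrow
    /// returns to Disputed so a different resolution can be queued.
    function vetoResolution() external {
        require(msg.sender == governance, "not governance");
        require(state == State.Queued, "nothing queued");
        emit ResolutionVetoed(pendingBuyerAward);
        pendingBuyerAward = 0;
        releaseTime = 0;
        state = State.Disputed;
    }

    /// @dev Anyone may execute once the delay has elapsed without a veto.
    /// State is updated before the transfers (checks-effects-interactions).
    function executeResolution() external {
        require(state == State.Queued, "nothing queued");
        require(block.timestamp >= releaseTime, "timelock active");
        uint256 buyerAward = pendingBuyerAward;
        uint256 sellerAward = price - arbiterFee - buyerAward;
        state = State.Resolved;
        if (arbiterFee > 0) require(token.transfer(arbiter, arbiterFee), "fee transfer failed");
        if (buyerAward > 0) require(token.transfer(buyer, buyerAward), "buyer transfer failed");
        if (sellerAward > 0) require(token.transfer(seller, sellerAward), "seller transfer failed");
        emit ResolutionExecuted(buyerAward, sellerAward);
    }
}
```

The delay does not decide who is right; it only gives the Seller and the governance body time to see a one-sided split (the ResolutionQueued event is the signal to monitor) and to veto it before executeResolution can move the tokens. Whether a veto, a vote, or a bonded penalty on the Buyer is the right follow-up is a design choice the report leaves to the project.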
