If the token used in the Escrow contract is a ERC20 with blacklist capabilities, it can broke the whole functionality of the contract in case where the one of the actors will get blacklisted, which will get the funds be stuck in the protocol.
There are 3 possible scenarios for this case:
Buyer
gets blacklisted after the escrow was created, confirmReceipt
will be working as normal, but in the case of a dispute where the seller didn't do his part of work, resolveDispute
would work only if the Arbiter
sets buyerAward
to 0, meaning to give everything beside the fees to the Seller
Seller
gets blacklisted which means that confirmReceipt
would not work, so the only way funds can be taken out of the contract is by creating a dispute and Arbiter
needs to set buyerAward
+ i_arbiterFee
to be equal to the total balance of the contract, so no amount will be left to transfer to the seller.
Arbiter
gets blacklisted, which is the worst of all because in the case of a dispute the funds will be stuck in the contract, since the only function callable in the Disputed
state is resolveDispute
, function which will revert all the time since i_arbiterFee
is an immutable variable so it can be changed.
Impact is a high one since the funds could be stuck in the contract without any way of retrieving them
Manual review
Implement a Pull over Push method, which is recommended in most of the cases, by saving the amounts that every actor need to get in some storage variables, and let any of them withdraw their amount from the contract, in that sense there is no way that all the funds gets stuck in the contract
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.