Cyfrin CodeHawks | #207 - BUYER/SELLER can call the function newEscrow() in EscrowFactory to selfAppoint them as the arbiter

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-escrow/blob/main/src/Escrow.sol#L32C17-L32C17

https://github.com/Cyfrin/2023-07-escrow/blob/main/src/EscrowFactory.sol#L20

Vulnerability details

In a typical escrow process the three parties involved are :a buyer, a seller, and an unbiased third party known as the arbiter or escrow agent. The role of the arbiter is crucial to maintain the fairness.However, in the EscrowFactory smart contract,that allows either the buyer or the seller to self-appoint themselves as the arbiter when calling the newEscrow() function. This situation poses a risk as it undermines the impartiality of the escrow process.

Impact

Allowing either the buyer or the seller to self-appoint themselves as the arbiter

Mitigation Steps

@Escrow.sol::constructor()

if(buyer == arbiter || seller == arbiter ) revert Escrow_InvalidArbiter();

CodeHawks Escrow Contract - Competition Details

BUYER/SELLER can call the function newEscrow() in EscrowFactory to selfAppoint them as the arbiter

Relevant GitHub Links

Vulnerability details

Impact

Mitigation Steps

Prize pool breakdown

Live

Judging

Appeals

Appeals Review

Rewards Distribution

FAQs