Submission Details
Severity: low
Valid

Buyer or seller can call newEscrow() in EscrowFactory to appoint themselves as the arbiter

https://github.com/Cyfrin/2023-07-escrow/blob/main/src/Escrow.sol#L32C17-L32C17

https://github.com/Cyfrin/2023-07-escrow/blob/main/src/EscrowFactory.sol#L20

Vulnerability details

In a typical escrow process, three parties are involved: a buyer, a seller, and an unbiased third party known as the arbiter or escrow agent. The arbiter's role is crucial to keeping the process fair. However, the EscrowFactory smart contract allows either the buyer or the seller to appoint themselves as the arbiter when calling the newEscrow() function. This poses a risk because it undermines the impartiality of the escrow process.

Impact

Either the buyer or the seller can appoint themselves as the arbiter, which undermines the impartiality of the escrow process.

Mitigation Steps

In Escrow.sol::constructor(), revert when the arbiter is also the buyer or the seller:

if (buyer == arbiter || seller == arbiter) revert Escrow_InvalidArbiter();
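The mitigation above, placed in context as an added example (not the audited project's code): `GuardedEscrow` and `ArbiterGuardCheck` are hypothetical, simplified contracts that model only the three role addresses, and the sample addresses are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Hypothetical, simplified stand-in for Escrow: only the role addresses are
/// modelled, not the token, price or fee logic.
contract GuardedEscrow {
    error Escrow_InvalidArbiter(); // error name taken from the mitigation above

    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter;

    constructor(address buyer_, address seller_, address arbiter_) {
        // An arbiter who is also a party to the trade is not impartial.
        if (buyer_ == arbiter_ || seller_ == arbiter_) revert Escrow_InvalidArbiter();
        buyer = buyer_;
        seller = seller_;
        arbiter = arbiter_;
    }
}

/// Hypothetical harness: tries to deploy GuardedEscrow and reports whether
/// the constructor accepted the role assignment.
contract ArbiterGuardCheck {
    function deploys(address buyer, address seller, address arbiter) public returns (bool) {
        try new GuardedEscrow(buyer, seller, arbiter) returns (GuardedEscrow) {
            return true;
        } catch (bytes memory reason) {
            // Treat only the guard's own error as "rejected"; re-raise anything else.
            if (bytes4(reason) == GuardedEscrow.Escrow_InvalidArbiter.selector) return false;
            assembly { revert(add(reason, 32), mload(reason)) }
        }
    }

    /// Returns true when all three cases behave as the mitigation intends.
    function runAll() external returns (bool) {
        // Constructed sample addresses.
        address buyer = address(0xB0B);
        address seller = address(0x5E11);
        address third = address(0xA2B);
        return deploys(buyer, seller, third)    // independent arbiter: accepted
            && !deploys(buyer, seller, buyer)   // buyer as arbiter: rejected
            && !deploys(buyer, seller, seller); // seller as arbiter: rejected
    }
}
```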
