Submission Details
Severity: gas

Additional tokens sent to the Escrow contract are sent to buyer

Summary

The Escrow.sol smart contract does not prevent receiving more tokens than the price established for a given transaction, so the seller can end up receiving the excess funds held by the Escrow.

Vulnerability Details

In Escrow.sol:44, the contract only rejects underfunding and does not prevent overpayment, so it can hold more tokens than the agreed-upon price. When the buyer calls the confirmReceipt function, the contract transfers its entire token balance to the seller. Therefore, if the contract's balance at that point is greater than the established transaction price, the seller receives more than they should.

// Escrow.sol constructor: rejects underfunding only; any balance above price passes
if (tokenContract.balanceOf(address(this)) < price)
    revert Escrow__MustDeployWithTokenBalance();
i_price = price;

Impact

Informational. If the Escrow contract receives more tokens than the agreed-upon price, the seller receives more tokens than was originally agreed upon.

Tools Used

Manual Review

Recommendations

To mitigate this issue, enforce stricter checks on the escrow contract's token balance. Any excess funds can be sent to the arbiter. Alternatively, document the current behavior in the contract so that users are aware of it.
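The following is an added illustration of the recommendation, not the audited Escrow.sol: the constructor rejects both underfunding and overfunding, and confirmReceipt pays the seller exactly i_price and routes any later excess to the arbiter. The role variables (i_buyer, i_seller, i_arbiter, i_tokenContract), the constructor signature and the extra error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface used by this example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Illustrative escrow (assumed layout, not the audited contract).
contract EscrowStrict {
    error Escrow__MustDeployWithTokenBalance();
    error Escrow__OverfundedAtDeployment(uint256 balance, uint256 price);
    error Escrow__OnlyBuyer();
    error Escrow__TransferFailed();

    IERC20 private immutable i_tokenContract;
    uint256 private immutable i_price;
    address private immutable i_buyer;
    address private immutable i_seller;
    address private immutable i_arbiter;

    constructor(uint256 price, IERC20 tokenContract, address buyer, address seller, address arbiter) {
        uint256 balance = tokenContract.balanceOf(address(this));
        // Original check: only underfunding is rejected.
        if (balance < price) revert Escrow__MustDeployWithTokenBalance();
        // Hardened: reject overfunding too, so the contract never starts holding more than price.
        if (balance > price) revert Escrow__OverfundedAtDeployment(balance, price);
        i_price = price;
        i_tokenContract = tokenContract;
        i_buyer = buyer;
        i_seller = seller;
        i_arbiter = arbiter;
    }

    // Buyer confirms delivery. The seller receives exactly i_price rather than the whole balance;
    // tokens that arrived after deployment are forwarded to the arbiter, as the recommendation suggests.
    function confirmReceipt() external {
        if (msg.sender != i_buyer) revert Escrow__OnlyBuyer();
        uint256 balance = i_tokenContract.balanceOf(address(this));
        if (!i_tokenContract.transfer(i_seller, i_price)) revert Escrow__TransferFailed();
        uint256 excess = balance - i_price; // reverts on underflow in 0.8.x if balance < i_price
        if (excess > 0 && !i_tokenContract.transfer(i_arbiter, excess)) revert Escrow__TransferFailed();
    }
}
```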
