Loss of buyer funds with feeOnTransfer tokens
Summary
Some tokens charge fee on transfers. In case those kinds of tokens are used the "price" buyer sent to the predetermined address is not recoverable due to the Escrow contract deployment reverting.
Vulnerability Details
The escrow contract is created by CREATE2 opcode with a predetermined address through the function in EscrowFactory.sol.
The buyer sends the "price" to the predetermined address before the Escrow contract is created.
The constructor of Escrow.sol performs this check: if (tokenContract.balanceOf(address(this)) < price) revert Escrow__MustDeployWithTokenBalance();.
If the feeOnTransfer tokens are used this will revert since the balanceOf(address(this)) < price.
Previously sent funds are not recoverable due to the fact that the predetermined address is calculated with salt that includes the parameters "price, tokenContract, buyer, seller, arbiter, arbiterFee". Any change in these parameters cause creation of different address since these are in the constructor of the Escrow.sol not EscrowFactory.sol.
Impact
Total loss of the buyer funds, the amount of "price" sent to the predetermined address.
Tools Used
Manual review
Recommendations
There should be condition when the Escrow deployment fails the balance of predetermined address is refunded to the buyer or the protocol should clearly warn against the use of tokens with feeOnTransfer.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.