40,000 USDC
Submission Details
Severity: high

Loss of buyer funds with feeOnTransfer tokens

Summary

Some tokens charge a fee on transfers. When such a token is used, the "price" the buyer sent to the predetermined address is not recoverable, because the Escrow contract deployment reverts.

Vulnerability Details

The escrow contract is created with the CREATE2 opcode at a predetermined address through the function in EscrowFactory.sol.
The buyer sends the "price" to the predetermined address before the Escrow contract is created.
The constructor of Escrow.sol performs this check: if (tokenContract.balanceOf(address(this)) < price) revert Escrow__MustDeployWithTokenBalance();.
If feeOnTransfer tokens are used, this check reverts because balanceOf(address(this)) < price.
Previously sent funds are not recoverable because the predetermined address is calculated with a salt that includes the parameters "price, tokenContract, buyer, seller, arbiter, arbiterFee". Any change in these parameters causes a different address to be created, since they are in the constructor of Escrow.sol, not EscrowFactory.sol.
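
The sequence described above, reduced to a self-contained reproduction. This is an added example, not the audited contracts or the submitter's proof of concept: FeeToken, EscrowLike, Demo, the 1% fee and the "demo" salt are hypothetical stand-ins, and only the constructor check is taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration: every contract name here is a hypothetical stand-in.
/// Minimal token that burns 1% of every transfer (constructed fee-on-transfer behaviour).
contract FeeToken {
    mapping(address => uint256) public balanceOf;

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;        // checked arithmetic reverts on underflow
        balanceOf[to] += amount - amount / 100; // recipient is credited the amount minus the fee
        return true;
    }
}

/// Stand-in escrow whose constructor performs the balance check quoted in the report.
contract EscrowLike {
    error Escrow__MustDeployWithTokenBalance();

    constructor(uint256 price, FeeToken tokenContract) {
        if (tokenContract.balanceOf(address(this)) < price) revert Escrow__MustDeployWithTokenBalance();
    }
}

contract Demo {
    /// Pre-funds the CREATE2 address, attempts deployment, and reports what is left behind.
    function run() external returns (bool deployed, uint256 stranded) {
        uint256 price = 100e18;
        FeeToken token = new FeeToken(price);   // Demo plays the buyer and holds the supply
        bytes32 salt = keccak256("demo");
        bytes memory initCode = abi.encodePacked(type(EscrowLike).creationCode, abi.encode(price, token));
        address predicted = address(uint160(uint256(keccak256(
            abi.encodePacked(bytes1(0xff), address(this), salt, keccak256(initCode))))));

        token.transfer(predicted, price);       // buyer sends "price"; less than price arrives
        try new EscrowLike{salt: salt}(price, token) {
            deployed = true;
        } catch {
            deployed = false;                   // constructor balance check reverted
        }
        stranded = token.balanceOf(predicted);  // tokens held by an address with no code
    }
}
```

Because the constructor arguments are part of the CREATE2 init code, retrying with a lower price derives a different address, so the balance reported as stranded stays where it is.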

Impact

Total loss of the buyer's funds: the "price" amount sent to the predetermined address.

Tools Used

Manual review

Recommendations

Either the balance of the predetermined address should be refunded to the buyer when the Escrow deployment fails, or the protocol should clearly warn against the use of feeOnTransfer tokens.
