Submission Details
Severity: medium
Valid

Incompatibility with Rebasing Tokens

Summary

The contract system fails to properly handle rebasing tokens. The contract balance of a rebasing token can decrease between the time the escrow contract is deployed and the time a dispute is resolved. If the token balance decreases below the immutable arbiter fee, the resolveDispute function may fail, possibly permanently.

Vulnerability Details

The Escrow contract is not designed to handle tokens with rebasing functionality. If such a token is used in the contract, the token balance may decrease due to a rebase operation occurring between the escrow creation and the dispute resolution. The resolveDispute function checks whether the total fee (buyer award plus arbiter fee) exceeds the current token balance in the contract. If a token rebase reduces the balance below this total fee, the function will revert, and the escrow contract will be left in a disputed state indefinitely.

Severity

Medium due to high impact and low likelihood.

Impact

The impact of this vulnerability is high. If the escrow contract gets stuck in a disputed state, funds in the contract become frozen and inaccessible to all parties involved. This can lead to significant permanent loss of funds, potentially equivalent to the entire amount initially put into escrow.

Likelihood

The likelihood of this vulnerability occurring is low, since rebasing tokens are less common and a supply change may not be large enough to push the balance below the required amount.

Tools Used

Manual analysis.

Recommendations

One possible solution is to make the arbiter fee a percentage of the total amount in dispute, rather than a fixed amount. Alternatively, the contract could allow the arbiter to reduce the fee during dispute resolution, providing a way to resolve disputes even if the token balance decreases.
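The failure mode and the first recommendation, as an added Python model (not the audited Solidity contract and not code from the submission). All class, method and field names are assumptions, and the deposit, fee and rebase values are constructed.

```python
# Added model: not the audited Solidity contract. All names here are assumptions.
BPS = 10_000

class Revert(Exception):
    """Stands in for an EVM revert."""

class RebasingToken:
    """Balances are shares scaled by a global index, so a rebase changes every holder's balance."""
    def __init__(self):
        self.shares, self.index_bps = {}, BPS

    def balance_of(self, who):
        return self.shares.get(who, 0) * self.index_bps // BPS

class FixedFeeEscrow:
    """Arbiter fee is fixed at deployment, as in the finding."""
    def __init__(self, token, arbiter_fee):
        self.token, self.arbiter_fee, self.state = token, arbiter_fee, "Disputed"

    def resolve_dispute(self, buyer_award):
        balance = self.token.balance_of(self)
        total_fee = buyer_award + self.arbiter_fee
        if total_fee > balance:  # the check described in Vulnerability Details
            raise Revert(f"total fee {total_fee} exceeds balance {balance}")
        self.state = "Resolved"
        return {"buyer": buyer_award, "arbiter": self.arbiter_fee, "seller": balance - total_fee}

class PercentFeeEscrow(FixedFeeEscrow):
    """First recommendation: fee is a share of the balance held at resolution time."""
    def __init__(self, token, fee_bps):
        super().__init__(token, 0)
        self.fee_bps = fee_bps

    def resolve_dispute(self, buyer_award):
        self.arbiter_fee = self.token.balance_of(self) * self.fee_bps // BPS
        return super().resolve_dispute(buyer_award)

def demo(escrow_cls, fee):
    """Constructed scenario: deposit 1,000 units, then a rebase to 5% of the original supply."""
    token = RebasingToken()
    escrow = escrow_cls(token, fee)
    token.shares[escrow] = 1_000  # deposit while the index is 100%
    token.index_bps = 500         # negative rebase: escrow balance is now 50
    try:
        outcome = escrow.resolve_dispute(0)  # even a zero buyer award is tried
    except Revert as exc:
        outcome = str(exc)
    return escrow.state, outcome
```

With a fixed fee of 100 the escrow stays in the disputed state for every possible buyer award, while a 10% fee computed at resolution time scales down with the balance.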
