40,000 USDC
Submission Details
Severity: medium
Valid

Blacklisted addresses may be unable to receive transfers, leaving tokens stuck in the contract

Summary

Blacklisted addresses may be unable to receive transfers, leaving tokens stuck in the contract

Vulnerability Details

Addresses such as i_buyer, i_seller and i_arbiter are set when the Escrow is deployed, and they are supposed to receive transfers when the escrow is confirmed or resolved. However, if one of these addresses is blacklisted AFTER THE DEPLOYMENT, the escrow cannot be confirmed or resolved, because the system is unable to make the transfer.

Because i_tokenContract can be any ERC20 token, the token may implement a blacklist feature (USDC, for example) that lets the token admin block certain addresses from sending or receiving the token.

Impact

If i_buyer, i_seller or i_arbiter is blacklisted, the tokens will be stuck in the contract forever.
If i_seller gets blacklisted, the system is unable to confirm the escrow.
If i_buyer or i_arbiter gets blacklisted, the system is unable to resolve the escrow.

Tools Used

Manual

Recommendations

  1. Create an escrow admin, which is the contract deployer.

  2. Allow the escrow admin to reset the i_buyer, i_seller or i_arbiter values.
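
A sketch of the two recommendations, as an added example that is not the audited Escrow contract or the submitter's code: a constructed blacklist token and an escrow whose seller address can be reset by the deployer. The names BlacklistToken, EscrowSketch, confirmReceipt, resetSeller, s_seller and i_admin are assumptions, and only the seller path is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Constructed token with a USDC-style blacklist (hypothetical, for illustration).
contract BlacklistToken {
    address public admin = msg.sender;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blacklisted;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function setBlacklisted(address who, bool status) external {
        require(msg.sender == admin, "not token admin");
        blacklisted[who] = status;
    }
    function transfer(address to, uint256 amount) external returns (bool) {
        // Sender or recipient on the blacklist makes every transfer revert.
        require(!blacklisted[msg.sender] && !blacklisted[to], "blacklisted");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Escrow sketch: the seller is resettable by an admin instead of immutable.
contract EscrowSketch {
    BlacklistToken public immutable i_tokenContract;
    address public immutable i_buyer;
    address public immutable i_admin; // the deployer (recommendation 1)
    address public s_seller;          // resettable (recommendation 2)

    constructor(BlacklistToken token, address buyer, address seller) {
        i_tokenContract = token;
        i_buyer = buyer;
        s_seller = seller;
        i_admin = msg.sender;
    }

    function confirmReceipt() external {
        require(msg.sender == i_buyer, "only buyer");
        // Push transfer: reverts for as long as s_seller is blacklisted.
        uint256 amount = i_tokenContract.balanceOf(address(this));
        require(i_tokenContract.transfer(s_seller, amount), "transfer failed");
    }

    function resetSeller(address newSeller) external {
        require(msg.sender == i_admin, "only admin");
        require(newSeller != address(0), "zero address");
        s_seller = newSeller; // the next confirmReceipt pays the new address
    }
}
```

The reset gives the admin control over where the payout goes, so the admin key becomes part of the escrow's trust assumptions.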
