Seller can provide blacklisted address to hold Buyer hostage
Summary
The seller address can prevent recovery of tokens if they get blacklisted by popular contracts like USDC.
Vulnerability Details
Sellers and Buyers have the power to enter arbitration. Once in arbitration, an arbiter takes care of payouts. In case the buyer is not happy with the seller, an arbiter has the power to completely refund the buyer. This takes place in the following code snippet:
This requires every transaction to succeed. If the seller successfully gets blacklisted on the token contract or provides an already blacklisted address of some other user, they can prevent this refund to the buyer. This is because the transfer function of USDC does not allow transfers to blacklisted addresses. There is an if clause which bypasses the payment to the seller, but this can be skipped by making sure the contract is funded by atleast 1 wei more than the arbiter expects. This can be done by frontrunning arbiter transactions by transferring in USDC tokens from any non-blacklisted wallet.
A seller can give the buyer a blacklisted address for payment, and if the buyer does not check the address, their funds can be held hostage by the escrow contract. Thus this is classified as high severity.
Impact
Buyer funds can be held hostage by malicious seller
Tools Used
Manual review
Recommendations
Add all payments inside try-catch blocks.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.