CodeHawks Escrow Contract - Competition Details

Cyfrin

Foundry

40,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Fixed `i_arbiterFee` can prevent payment

0xdeadbeef

Summary

i_arbiterFee is a fixed value and can brick payment in resolution of disputes if the payment token has a rebasing balance.
Instead, i_arbiterFee should be a percentage and should the actual fee should be based on the current balance of the contract.

Vulnerability Details

function resolveDispute(uint256 buyerAward) external onlyArbiter nonReentrant inState(State.Disputed) {

uint256 tokenBalance = i_tokenContract.balanceOf(address(this));

uint256 totalFee = buyerAward + i_arbiterFee; // Reverts on overflow

if (totalFee > tokenBalance) {

revert Escrow__TotalFeeExceedsBalance(tokenBalance, totalFee);

}

s_state = State.Resolved;

emit Resolved(i_buyer, i_seller);

if (buyerAward > 0) {

i_tokenContract.safeTransfer(i_buyer, buyerAward);

}

if (i_arbiterFee > 0) {

i_tokenContract.safeTransfer(i_arbiter, i_arbiterFee);

}

tokenBalance = i_tokenContract.balanceOf(address(this));

if (tokenBalance > 0) {

i_tokenContract.safeTransfer(i_seller, tokenBalance);

}

As can be seen above, there are three values that are sent:

buyerAward- controlled by the arbiter, the refund that the buyer will receive
i_arbiterFee - predefined fixed value that the arbiter will receive
tokenBalance - the remaining of the the contract will be sent to the seller

in case i_tokenContract is a token that has a rebasing balance. i_arbiterFee can be bigger then the current balance and resolveDispute will revert in the following statement

if (totalFee > tokenBalance) {

revert Escrow__TotalFeeExceedsBalance(tokenBalance, totalFee);

}

Note that it is popular to use rebasing tokens. Additionally, it is common that projects (buyers) will request the payouts in their own token (which can be rebasing).

Impact

Funds can be locked in the Escrow contract due to rebasing

Tools Used

Manual

Recommendations

Instead of setting a fixed i_arbiterFee either calculate the percentage at the escrow deployment or set the percentage directly.
This will also require to change resolveDispute to send a percentage of the balance to arbiter instead of a fixed payment

Prize pool breakdown

Total prize

40,000 USDC

nSLOC

186

215 USDC / LOC

High Medium

37,000 USDC

Low

3,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.