Summary

Some tokens like USDC track blacklisted addresses and forbids transferring from/to them. If seller or arbiter is blacklisted, will be problems with getting tokens out of Escrow or even to getting them out at all.

Vulnerability Details

Some tokens implement functionality to blacklist addresses. When address is blacklisted by USDC contract, you can't transfer from or to them. Included parties might not be aware of it and there is no check in the contract either. This will cause issues in Escrow contract in the following scenarios:

1. Seller is blacklisted. Buyer won't be able to call confirmReceipt because it will be reverted. Tokens can still be obtained through dispute using buyerAward. Tokens won't get directly to seller in this case.

2. Arbiter is blacklisted and arbiterFee isn't 0. When dispute is opened there is no way to resolve it because you can't send all tokens using buyerAward and it will revert when contract tries to transfer tokens to arbiter. If no dispute is started, tokens can be send out through confirmReceipt.

3. Both seller and arbiter are blacklisted and arbiterFee isn't 0. Tokens are stuck in Escrow contract in the worst-case scenario. Neither confirmReceipt nor resolveDispute will work.

I am not worried about buyer being blacklisted because the contract wouldn't deploy in this case.

Impact

When Escrow contract uses token like USDC and participants are unaware of their addresses being blacklisted, it will cause various problems with getting tokens out of Escrow contract. Tokens will be stuck in the contract in the worst-case scenario.

Tools Used

Manual review

Recommendations

Check if addresses are blacklisted in the constructor and revert if they are. I would suggest not to create Escrow when one of addresses is blacklisted.