Submission Details
Severity: medium
Valid

Malicious Buyers Could Exploit Smart Contract

Summary

There is no check that the buyer actually paid for the goods or services: the seller has to release the funds based solely on the buyer confirming receipt. Likewise, there is no check that the seller actually provided the goods or services before the funds are released, so the buyer could confirm receipt fraudulently.

Vulnerability Details

The initiateDispute() function does not require the buyer or seller to provide any evidence to support their claim. Without such evidence it could be difficult to resolve a dispute, since neither side's claim is backed by anything the arbiter can check.

    /// @inheritdoc IEscrow
    function initiateDispute() external onlyBuyerOrSeller inState(State.Created) {
        // Only requirement is that an arbiter exists; no evidence is recorded or emitted.
        if (i_arbiter == address(0)) revert Escrow__DisputeRequiresArbiter();
        s_state = State.Disputed;
        emit Disputed(msg.sender);
    }

The confirmReceipt() function does not check whether the buyer has actually received the goods or services they purchased. The buyer can therefore confirm receipt, and trigger the transfer, even though nothing has been delivered.

    /// @inheritdoc IEscrow
    function confirmReceipt() external onlyBuyer inState(State.Created) {
        // No delivery attestation is required: the buyer's call alone moves the
        // escrow to Confirmed and releases the full balance to the seller.
        s_state = State.Confirmed;
        emit Confirmed(i_seller);
        i_tokenContract.safeTransfer(i_seller, i_tokenContract.balanceOf(address(this)));
    }

Impact

  • Fraud: A malicious buyer could confirm receipt of the goods or services even though they have not actually received them. This would allow them to steal the funds from the seller without providing any compensation.

  • Dispute resolution: If there is no evidence to support either side's claim, it could be difficult to resolve disputes. This could lead to a situation where the buyer and seller are both unhappy with the outcome.

  • Loss of funds: If the buyer confirms receipt of the goods or services and the seller does not provide them, the buyer could lose their funds. This could happen even if the buyer has evidence that they did not receive the goods or services.

Tools Used

Manual code review

Recommendations

To mitigate these risks, the initiateDispute() function should require the buyer and seller to provide evidence to support their claims. The confirmReceipt() function should also check that the buyer has actually received the goods or services. This would help to ensure that the funds are only released to the rightful party.
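As an added illustration of the two recommendations above (this is example code, not the audited contract), the sketch below keeps the names from the snippets in the finding (i_arbiter, i_seller, i_tokenContract, s_state, Escrow__DisputeRequiresArbiter) and adds hypothetical pieces: an evidence hash parameter on initiateDispute() that is stored and emitted for the arbiter, a seller-side markDelivered() step, and a Delivered state that confirmReceipt() now requires. The contract cannot verify physical delivery, so the check is implemented as a two-party on-chain attestation: funds move only after the seller has attested delivery and the buyer has confirmed. The OpenZeppelin import paths, the extra errors and events, and the State.Delivered value are all assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumed OpenZeppelin paths; the audited project may use different ones.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical hardened escrow (added example, not the audited contract).
/// Changes relative to the snippets in the finding:
///  1. initiateDispute() takes an evidence hash (e.g. keccak256 of an off-chain
///     document or tracking record) that is stored and emitted for the arbiter.
///  2. The seller must call markDelivered() before the buyer can confirmReceipt(),
///     so funds are released only after both parties have attested on-chain.
contract EscrowWithAttestation {
    using SafeERC20 for IERC20;

    // State.Delivered is new in this example.
    enum State { Created, Delivered, Confirmed, Disputed }

    error Escrow__DisputeRequiresArbiter();
    error Escrow__EvidenceRequired();          // assumed
    error Escrow__OnlyBuyer();                 // assumed
    error Escrow__OnlySeller();                // assumed
    error Escrow__OnlyBuyerOrSeller();         // assumed
    error Escrow__InWrongState(State current, State expected); // assumed

    event Delivered(address indexed seller, bytes32 evidenceHash);   // assumed
    event Confirmed(address indexed seller);
    event Disputed(address indexed initiator, bytes32 evidenceHash); // extended

    IERC20 public immutable i_tokenContract;
    address public immutable i_buyer;
    address public immutable i_seller;
    address public immutable i_arbiter;

    State public s_state;
    bytes32 public s_deliveryEvidence;
    mapping(address => bytes32) public s_disputeEvidence;

    constructor(IERC20 token, address buyer, address seller, address arbiter) {
        i_tokenContract = token;
        i_buyer = buyer;
        i_seller = seller;
        i_arbiter = arbiter;
    }

    modifier onlyBuyer() { if (msg.sender != i_buyer) revert Escrow__OnlyBuyer(); _; }
    modifier onlySeller() { if (msg.sender != i_seller) revert Escrow__OnlySeller(); _; }
    modifier onlyBuyerOrSeller() {
        if (msg.sender != i_buyer && msg.sender != i_seller) revert Escrow__OnlyBuyerOrSeller();
        _;
    }
    modifier inState(State expected) {
        if (s_state != expected) revert Escrow__InWrongState(s_state, expected);
        _;
    }

    /// Seller attests delivery and commits to evidence (hash of a tracking
    /// record, signed receipt, etc.). The preimage is checked off-chain by the arbiter.
    function markDelivered(bytes32 evidenceHash) external onlySeller inState(State.Created) {
        if (evidenceHash == bytes32(0)) revert Escrow__EvidenceRequired();
        s_deliveryEvidence = evidenceHash;
        s_state = State.Delivered;
        emit Delivered(msg.sender, evidenceHash);
    }

    /// Buyer can only confirm once the seller has attested delivery, so a
    /// confirmation from State.Created (nothing delivered) now reverts.
    function confirmReceipt() external onlyBuyer inState(State.Delivered) {
        s_state = State.Confirmed;
        emit Confirmed(i_seller);
        i_tokenContract.safeTransfer(i_seller, i_tokenContract.balanceOf(address(this)));
    }

    /// Either party may dispute before confirmation, but must commit to evidence
    /// that the arbiter can later match against what is presented off-chain.
    function initiateDispute(bytes32 evidenceHash) external onlyBuyerOrSeller {
        if (i_arbiter == address(0)) revert Escrow__DisputeRequiresArbiter();
        if (evidenceHash == bytes32(0)) revert Escrow__EvidenceRequired();
        if (s_state != State.Created && s_state != State.Delivered) {
            revert Escrow__InWrongState(s_state, State.Created);
        }
        s_disputeEvidence[msg.sender] = evidenceHash;
        s_state = State.Disputed;
        emit Disputed(msg.sender, evidenceHash);
    }
}
```

The evidence hash is a commitment, not proof: it binds each party to a specific document at dispute time so the arbiter can reject later substitutions, but its contents are still evaluated off-chain. Requiring a non-zero hash and emitting it in the event gives indexers and the arbiter a durable record to verify against.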
