Summary

See Details

Vulnerability Details

The escrow smart contract does not have a time limit on how long funds can remain in the contract. This means that funds could potentially be locked up indefinitely.

For example, if a buyer and seller enter into an agreement and the buyer sends funds to the escrow contract, the seller may not release the funds even after the agreed-upon time period has passed. This could leave the buyer with no recourse and could potentially result in the loss of funds.

Impact

The impact of this vulnerability could be significant. It could lead to:

• Loss of funds for buyers

• Financial hardship for buyers

• Damage to the reputation of the escrow contract

• Decreased confidence in the use of smart contracts

Tools Used

Manual code review

Recommendations

The vulnerability could be mitigated by adding a time limit to how long funds can remain in the escrow contract. This time limit would need to be long enough to allow for legitimate disputes to be resolved, but it would also need to be short enough to prevent funds from being locked up indefinitely.

The vulnerability could also be mitigated by adding a withdrawal pattern to refund remaining funds if the dispute cannot be resolved. This withdrawal pattern would need to be triggered after a certain period of time, such as 30 days. If the dispute is not resolved within this time period, the funds would be automatically refunded to the buyer and seller.

Here is an example of a withdrawal pattern that could be used: