Submission Details
Severity:
`Buyer` can be an `arbiter` leading to unfavorable disputes being resolved
Buyer can be an arbiter leading to unfavorable disputes being resolved
The contract's constructor currently allows an Escrow to be created with the buyer being the arbiter, there is no requirement for buyer != arbiter
constructor(
uint256 price,
IERC20 tokenContract,
address buyer,
address seller,
address arbiter,
uint256 arbiterFee
) {
if (address(tokenContract) == address(0)) revert Escrow__TokenZeroAddress();
if (buyer == address(0)) revert Escrow__BuyerZeroAddress();
if (seller == address(0)) revert Escrow__SellerZeroAddress();
if (arbiterFee >= price) revert Escrow__FeeExceedsPrice(price, arbiterFee);
if (tokenContract.balanceOf(address(this)) < price) revert Escrow__MustDeployWithTokenBalance();
i_price = price;
i_tokenContract = tokenContract;
i_buyer = buyer;
i_seller = seller;
i_arbiter = arbiter;
i_arbiterFee = arbiterFee;
}
https://github.com/Cyfrin/2023-07-escrow/tree/main/src/Escrow.sol#L32
As a result, if a dispute is initiated via initiateDispute() by a seller. It can lead to unfavorable disputes being resolved in the favour of the buyer due to the buyer being the arbiter.
Impact
Resolving disputes can be unfavourable to the seller as the buyer is also the arbiter
Recommendations
Require that the buyer cannot be the arbiter
Prize pool breakdown
Total prize
40,000 USDC
nSLOC
186215 USDC / LOC
37,000 USDC
3,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.