40,000 USDC
View results
Submission Details
Severity: low
Valid

`Buyer` can be an `arbiter` leading to unfavorable disputes being resolved

Buyer can be an arbiter leading to unfavorable disputes being resolved

The contract's constructor currently allows an Escrow to be created with the buyer being the arbiter, there is no requirement for buyer != arbiter

constructor(
uint256 price,
IERC20 tokenContract,
address buyer,
address seller,
address arbiter,
uint256 arbiterFee
) {
if (address(tokenContract) == address(0)) revert Escrow__TokenZeroAddress();
if (buyer == address(0)) revert Escrow__BuyerZeroAddress();
if (seller == address(0)) revert Escrow__SellerZeroAddress();
if (arbiterFee >= price) revert Escrow__FeeExceedsPrice(price, arbiterFee);
if (tokenContract.balanceOf(address(this)) < price) revert Escrow__MustDeployWithTokenBalance();
i_price = price;
i_tokenContract = tokenContract;
i_buyer = buyer;
i_seller = seller;
i_arbiter = arbiter;
i_arbiterFee = arbiterFee;
}

https://github.com/Cyfrin/2023-07-escrow/tree/main/src/Escrow.sol#L32

As a result, if a dispute is initiated via initiateDispute() by a seller. It can lead to unfavorable disputes being resolved in the favour of the buyer due to the buyer being the arbiter.

Impact

Resolving disputes can be unfavourable to the seller as the buyer is also the arbiter

Recommendations

Require that the buyer cannot be the arbiter

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.