40,000 USDC
Submission Details
Severity: high
Valid

No fallback mechanism for unresolved disputes - leads to loss of funds

Summary

The escrow places all trust in the arbiter to resolve disputes.
However, there are many reasons the arbiter could become unresponsive and unable to resolve a dispute, leading to loss of funds.

Vulnerability Details

Currently, only the arbiter can call resolveDispute and refund the buyer their funds (minus the fee).

function resolveDispute(uint256 buyerAward) external onlyArbiter nonReentrant inState(State.Disputed)

While the project treats the arbiter as TRUSTED to act without malice, consider a scenario where a buyer uses the Escrow with a seller for a big audit project. After some time, the arbiter cannot perform transactions for some reason, such as:

  • The arbiter lost its private key

  • The arbiter got blacklisted in the tokenContract

  • The arbiter is legally accused and cannot perform transactions

  • The arbiter goes bankrupt and closes the company

In such a case, the seller is highly likely not to perform the audit, or to complete it only partially.
The buyer will then be unable to get their funds back.

Impact

Loss of funds

Tools Used

Manual

Recommendations

As part of the terms, add an expiration time for the escrow; when it is reached, an agreed "strategy" is executed.
A strategy can look like:

  • FULL_REFUND (refund all funds back to the buyer)

  • SPLIT_PAYMENT (split the locked funds between the buyer and the seller)

This should be executable only after a predefined time has passed since the escrow entered the Disputed state.
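
A sketch of the recommended timeout fallback, added here as an example and not taken from the audited Escrow contract. The names initiateDispute, executeFallback, disputedAt and disputeTimeout, the 50/50 split for SPLIT_PAYMENT, and skipping the arbiter fee on the fallback path are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal ERC-20 surface for this sketch; production code should use SafeERC20.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Added illustration only. The arbiter's resolveDispute path is omitted.
contract EscrowWithFallback {
    enum State { Created, Disputed, Resolved }
    enum Strategy { FULL_REFUND, SPLIT_PAYMENT }

    IERC20 public immutable token;
    address public immutable buyer;
    address public immutable seller;
    Strategy public immutable strategy;      // agreed in the escrow terms
    uint256 public immutable disputeTimeout; // seconds the arbiter has to act
    uint256 public disputedAt;               // set when the dispute is opened
    State public state;

    constructor(IERC20 t, address b, address s, Strategy st, uint256 timeout) {
        require(b != address(0) && s != address(0) && timeout > 0, "bad terms");
        token = t; buyer = b; seller = s;
        strategy = st; disputeTimeout = timeout;
    }

    // Hypothetical dispute entry point: records when the arbiter's window starts.
    function initiateDispute() external {
        require(msg.sender == buyer || msg.sender == seller, "not a party");
        require(state == State.Created, "wrong state");
        state = State.Disputed;
        disputedAt = block.timestamp;
    }

    // Callable by either party once the arbiter has missed the deadline.
    function executeFallback() external {
        require(msg.sender == buyer || msg.sender == seller, "not a party");
        require(state == State.Disputed, "wrong state");
        require(block.timestamp >= disputedAt + disputeTimeout, "arbiter window open");
        state = State.Resolved; // state change before external calls
        uint256 balance = token.balanceOf(address(this));
        uint256 toSeller = strategy == Strategy.SPLIT_PAYMENT ? balance / 2 : 0; // assumed 50/50
        require(token.transfer(buyer, balance - toSeller), "buyer transfer failed");
        if (toSeller > 0) require(token.transfer(seller, toSeller), "seller transfer failed");
    }
}
```

Because the fallback path sends nothing to the arbiter, an arbiter address that can no longer sign or receive tokens does not block the payout.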
