Submission Details
Severity: low

Buyer can increase actual paid amount at any time

Summary

The buyer (or anyone else) can increase the amount that is actually paid to the seller at any time after contract creation.

Vulnerability Details

When an escrow contract is created, a price is specified. The constructor checks that the contract is funded with enough tokens to pay the price to the seller.
However, when the tokens are transferred to the seller, the contract's actual token balance is used instead of the price.
Therefore anybody can increase the price actually paid by simply transferring more tokens to the contract, which is not intended.

Impact

  • actual paid price can be increased by anyone

  • paid price will differ from the price stored in the contract

Tools Used

Manual Review

Recommendations

Only transfer the agreed price to the seller.
If there is an excess amount it might be paid back to the buyer.
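
One way to implement this recommendation, as an added sketch that is not the audited contract's code: the contract name `EscrowSketch`, the function `confirmReceipt`, the state variables and the custom errors are all hypothetical, and the token is assumed to be a standard ERC-20 that returns `bool` from `transfer`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal ERC-20 surface used by this sketch.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical escrow constructed for illustration; every name here is an assumption.
contract EscrowSketch {
    IERC20 public immutable token;
    address public immutable buyer;
    address public immutable seller;
    uint256 public immutable price;
    bool public settled;

    error NotBuyer();
    error AlreadySettled();
    error Underfunded(uint256 balance, uint256 required);
    error TransferFailed();

    constructor(IERC20 _token, address _buyer, address _seller, uint256 _price) {
        token = _token;
        buyer = _buyer;
        seller = _seller;
        price = _price;
        // Funding check as described in the finding: balance must cover the price.
        uint256 funded = _token.balanceOf(address(this));
        if (funded < _price) revert Underfunded(funded, _price);
    }

    function confirmReceipt() external {
        if (msg.sender != buyer) revert NotBuyer();
        if (settled) revert AlreadySettled();
        settled = true; // state change before external calls

        uint256 balance = token.balanceOf(address(this));
        if (balance < price) revert Underfunded(balance, price);

        // Flagged pattern: paying out `balance` lets any later deposit change the payout.
        // Hardened: the seller receives exactly the stored price.
        if (!token.transfer(seller, price)) revert TransferFailed();

        // Any tokens above the agreed price are returned to the buyer.
        uint256 excess = balance - price;
        if (excess > 0 && !token.transfer(buyer, excess)) revert TransferFailed();
    }
}
```

Tokens that do not return a value from `transfer` would need a safe-transfer wrapper instead of the plain `bool` check used here.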
