CodeHawks Escrow Contract - Competition Details

Cyfrin

Foundry

40,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

A malicious seller can always reject arbitration.

cccz

Summary

A malicious seller can reject arbitration via MEV

Vulnerability Details

When Arbiter calls resolveDispute, buyerAward is the reward sent to Buyer.
The issue here is that resolveDispute always sends the remaining tokens to Seller, which allows a malicious Seller to reject the arbitration via MEV.

function resolveDispute(uint256 buyerAward) external onlyArbiter nonReentrant inState(State.Disputed) {

uint256 tokenBalance = i_tokenContract.balanceOf(address(this));

uint256 totalFee = buyerAward + i_arbiterFee; // Reverts on overflow

if (totalFee > tokenBalance) {

revert Escrow__TotalFeeExceedsBalance(tokenBalance, totalFee);

}

s_state = State.Resolved;

emit Resolved(i_buyer, i_seller);

if (buyerAward > 0) {

i_tokenContract.safeTransfer(i_buyer, buyerAward);

}

if (i_arbiterFee > 0) {

i_tokenContract.safeTransfer(i_arbiter, i_arbiterFee);

}

tokenBalance = i_tokenContract.balanceOf(address(this));

if (tokenBalance > 0) {

i_tokenContract.safeTransfer(i_seller, tokenBalance);

}

Consider the following scenario, where the total token in Escrow is 100000 USDC and the arbiterFee is 1000 USDC.

Seller defaults, Buyer initiates arbitration, and Arbiter decides to transfer all rewards to Buyer.
Seller adds himself to the USDC blacklist. (Or a malicious Seller can provide the USDC blacklist address at the beginning.)
Arbiter calls resolveDispute and buyerAward is 99000 USDC.
In general, since no USDC is sent to Seller, the transaction is executed successfully.
However, a malicious Seller can use MEV to send 0.01 USDC to Escrow so that resolveDispute sends 99000 USDC to the buyer, 1000 USDC to the Arbiter, and finally 0.01 USDC to the seller, and since Seller is in the USDC blacklist, the transaction will be revert.

Impact

Arbitration rejected, buyer's funds not returned

Tools Used

None

Recommendations

It is recommended to use buyerAwardPercent instead of buyerAward, when buyerAwardPercent is 100%, resolveDispute sends all balance minus arbiterFee to the Buyer.

Prize pool breakdown

Total prize

40,000 USDC

nSLOC

186

215 USDC / LOC

High Medium

37,000 USDC

Low

3,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.