A malicious seller can reject arbitration via MEV
When Arbiter calls resolveDispute, buyerAward is the reward sent to Buyer.
The issue here is that resolveDispute always sends the remaining tokens to Seller, which allows a malicious Seller to reject the arbitration via MEV.
Consider the following scenario, where the total token in Escrow is 100000 USDC and the arbiterFee is 1000 USDC.
Seller defaults, Buyer initiates arbitration, and Arbiter decides to transfer all rewards to Buyer.
Seller adds himself to the USDC blacklist. (Or a malicious Seller can provide the USDC blacklist address at the beginning.)
Arbiter calls resolveDispute and buyerAward is 99000 USDC.
In general, since no USDC is sent to Seller, the transaction is executed successfully.
However, a malicious Seller can use MEV to send 0.01 USDC to Escrow so that resolveDispute sends 99000 USDC to the buyer, 1000 USDC to the Arbiter, and finally 0.01 USDC to the seller, and since Seller is in the USDC blacklist, the transaction will be revert.
Arbitration rejected, buyer's funds not returned
None
It is recommended to use buyerAwardPercent instead of buyerAward, when buyerAwardPercent is 100%, resolveDispute sends all balance minus arbiterFee to the Buyer.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.