Severity: medium

Lack of Mutually Agreeable Cancel Function

Summary

There could be scenarios in which both the buyer and seller agree to cancel the transaction. For instance, situations where the auditor cannot perform the audit as expected, or when there is a need to adjust the price due to changes in the audit scope. Currently, the escrow contract does not support a feature for mutual cancellation of the transaction.

Vulnerability Details

There are cases (e.g. an audit contest on Sherlock) in which the scope of the audit changes during the contest, leading to modifications in the pool size. In these cases, the buyer and seller need an option to cancel the transaction by mutual agreement, which will allow the buyer to create a new escrow.

Impact

To withdraw funds, the buyer must pass them to the seller and wait for the seller to send them back. This is only possible if the buyer fully trusts the seller.

Tools Used

VS Code

Recommendations

Add a mutual cancellation feature to the escrow contract.

function requestCancel() external onlyBuyerOrSeller() inState(State.Created) {
    // Record the caller's consent to cancel.
    if (msg.sender == i_buyer) {
        s_cancel_buyer = true;
    } else {
        s_cancel_seller = true;
    }
}

function cancel() external onlyBuyer inState(State.Created) {
    // Both parties must have requested cancellation.
    if (!s_cancel_buyer || !s_cancel_seller) revert Escrow__CannotCancel();
    // Refund the contract's entire token balance to the buyer.
    uint256 tokenBalance = i_tokenContract.balanceOf(address(this));
    if (tokenBalance > 0) {
        i_tokenContract.safeTransfer(i_buyer, tokenBalance);
    }
}
