Submission Details
Severity: gas

No need to retrieve the token balance twice in `Escrow.resolveDispute`

Summary

`resolveDispute` retrieves the contract's token balance twice. The second retrieval is redundant: the token leftovers can be transferred to the buyer at a lower gas cost without it.

Vulnerability Details

In `resolveDispute`, the token balance is first retrieved to ensure that `totalFee` (seller & arbiter) does not exceed the contract's token balance.

The token balance is then retrieved again to send the "leftovers" to the buyer. The same logic can be achieved by calling `ERC20.balanceOf` only once, which removes the additional retrieval and reduces gas costs.

Impact

Saves gas every time a dispute is resolved.

Tools Used

VSCode

Recommendations

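Instead of retrieving the balance again at the end of `resolveDispute`, compute the leftovers from the values already in hand:

```solidity
// Declared outside the unchecked block so it stays in scope for the transfer below.
uint256 leftovers;
unchecked {
    // Safe: tokenBalance >= totalFee was enforced at the start of the function.
    leftovers = tokenBalance - totalFee;
}
if (leftovers > 0) {
    i_tokenContract.safeTransfer(i_seller, leftovers);
}
```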

The `leftovers` calculation cannot underflow, because the function has already ensured that `tokenBalance >= totalFee` at its beginning.

This initial validation guarantees that there are sufficient tokens to cover `totalFee`, so the subtraction can safely sit in an `unchecked` block.
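The recommendation placed in a complete function, as an added sketch that is not the audited contract's code: it shows the single `balanceOf` read, the guard, and the `unchecked` subtraction that relies on it. Recipient roles follow the snippet above (leftovers go to `i_seller`); `buyerAward`, `i_buyer`, `i_arbiter`, `i_arbiterFee`, the error names and `IERC20Min` are assumed names, and the token is assumed to debit the sender by exactly the transferred amount.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added sketch, not the audited contract. Names marked "assumed" are not on the page.
interface IERC20Min {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract EscrowSketch {
    IERC20Min private immutable i_tokenContract;
    address private immutable i_buyer; // assumed
    address private immutable i_seller;
    address private immutable i_arbiter; // assumed
    uint256 private immutable i_arbiterFee; // assumed

    error TotalFeeExceedsBalance(uint256 balance, uint256 totalFee); // assumed
    error NotArbiter(); // assumed
    error TransferFailed(); // assumed

    constructor(IERC20Min token, address buyer, address seller, address arbiter, uint256 arbiterFee) {
        i_tokenContract = token;
        i_buyer = buyer;
        i_seller = seller;
        i_arbiter = arbiter;
        i_arbiterFee = arbiterFee;
    }

    function resolveDispute(uint256 buyerAward) external {
        if (msg.sender != i_arbiter) revert NotArbiter();
        // The only balanceOf call in the function.
        uint256 tokenBalance = i_tokenContract.balanceOf(address(this));
        uint256 totalFee = buyerAward + i_arbiterFee; // checked add: reverts on overflow
        // This guard is what makes the unchecked subtraction below safe.
        if (totalFee > tokenBalance) revert TotalFeeExceedsBalance(tokenBalance, totalFee);
        uint256 leftovers;
        unchecked {
            leftovers = tokenBalance - totalFee; // totalFee <= tokenBalance holds here
        }
        if (buyerAward > 0) _pay(i_buyer, buyerAward);
        if (i_arbiterFee > 0) _pay(i_arbiter, i_arbiterFee);
        if (leftovers > 0) _pay(i_seller, leftovers);
    }

    // Plain transfer with a return-value check stands in for the page's safeTransfer.
    function _pay(address to, uint256 amount) private {
        if (!i_tokenContract.transfer(to, amount)) revert TransferFailed();
    }
}
```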
