Summary

the issue arises if the buyer never calls the confirmReceipt or initiateDispute functions.

Vulnerability Details

The Escrow.sol contract relies on the buyer to either confirm the receipt of the service by calling confirmReceipt or initiate a dispute by calling initiateDispute. However, there is no mechanism in place to handle the scenario where the buyer does not call either of these functions. This could lead to funds being locked in the contract indefinitely.

Impact

If the buyer does not interact with the contract after the creation of the escrow, the funds locked in the contract would be inaccessible. This could lead to loss of funds for the seller, who would not be able to access the payment for their services.

Code Snippet

The relevant code snippets are the confirmReceipt and initiateDispute functions in the Escrow.sol contract:

Tools Used

Manual code review

Recommendations

To mitigate this issue, a timeout mechanism could be implemented. If the buyer does not confirm receipt or initiate a dispute within a certain timeframe, the funds could be automatically transferred to the seller. This would prevent funds from being locked in the contract indefinitely. Alternatively, a mechanism could be implemented to allow the seller to cancel the transaction after a certain period of inactivity from the buyer.