CodeHawks Escrow Contract - Competition Details
Cyfrin
Foundry
40,000 USDC
View results
Previous Next
Submission Details
Severity: medium

Buyer may send more funds to the seller than what they have agreed upon.

0xl3xx

Summary

The buyer sends more funds that what has been agreed upon with the seller when calling Escrow.initiateDispute() and Escrow.resolveDispute().

Vulnerability Details

When constructing an escrow funds must have been sent to the contract. This is checked in the constructor of the escrow that the balance of the contract is not lower than the price :

constructor(
uint256 price,
....
) {
....
if (tokenContract.balanceOf(address(this)) < price) revert Escrow__MustDeployWithTokenBalance();
....
}

Then upon receipt of the report the buyer calls confirmReceipt() and sends the total balance of the contract to the seller instead of the i_price of the escrow.

Also, if there is a dispute, when the arbiter calls resolveDispute() again the total balance is transferred to the seller instead of the price.

Impact

Buyer sends more funds to the seller that what they should send.

Tools Used

Manual code review.

Recommendations

Change the following lines like this:

function confirmReceipt() external onlyBuyer inState(State.Created) {
....
-- i_tokenContract.safeTransfer(i_seller, i_tokenContract.balanceOf(address(this)));
++ i_tokenContract.safeTransfer(i_seller, i_price);
++ i_tokenContract.safeTransfer(i_buyer, i_tokenContract.balanceOf(address(this)));
}
....
function resolveDispute(uint256 buyerAward) external onlyArbiter nonReentrant inState(State.Disputed) {
....
tokenBalance = i_tokenContract.balanceOf(address(this));
if (tokenBalance > 0) {
-- i_tokenContract.safeTransfer(i_seller, tokenBalance);
++ i_tokenContract.safeTransfer(i_seller, i_price);
++ i_tokenContract.safeTransfer(i_buyer, i_tokenContract.balanceOf(address(this)));
}
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.