The Escrow contract does not adequately support fee-on-transfer or rebasing tokens, which may cause an issue with the agreed-upon price between the buyer and the seller.
In Escrow.sol:98, the Escrow.confirmReceipt function assumes the whole i_tokenContract.balanceOf(address(this)) is transferred on the execution, which may not be the case for fee-on-transfer/rebasing tokens.
This is problematic as, in the instance of a rebasing event (for example stETH, or other rebasing tokens), or if the contract contains fees (for example, USDT), the seller may not receive the whole agreed-upon price of the contract.
Another potential issue is a Denial of Service of the dispute resolution system. This may happen because the i_arbiterFee variable will already have been set to the non-rebasing value, or the value without any fees. As a result, Escrow.resolveDispute may revert even if buyerAward is passed as 0, depending on how large the rebase was.
Fee-on-transfer or rebasing tokens are not supported by the Escrow contract. If they are used, funds may be lost.
Manual Review
To ensure the contract can support fee-on-transfer or rebasing tokens, consider implementing checks for whether any rebasing event happened and adjusting the i_arbiterFee accordingly. Alternatively, if these tokens are not needed, properly document that only non-rebasing/non-fee-on-transfer tokens are supported.
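The two failure modes described above, as a simplified Python accounting model. This is an added example, not code from the Escrow contract: the Token and Escrow classes, the 1% transfer fee, the 95% negative rebase and the cap_fee clamp (one possible way to adjust the arbiter fee) are assumptions made for illustration.

```python
class Revert(Exception):
    """Stands in for a Solidity revert."""

class Token:
    """Constructed ERC-20 model: optional burned transfer fee, plus rebasing."""
    def __init__(self, buyer_balance, fee_bps=0):
        self.fee_bps, self.bal = fee_bps, {"buyer": buyer_balance}

    def transfer(self, src, dst, amount):
        fee = amount * self.fee_bps // 10_000      # recipient gets amount - fee
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount - fee

    def rebase(self, num, den):
        """Scale every balance by num/den (a negative rebase when num < den)."""
        self.bal = {who: b * num // den for who, b in self.bal.items()}

class Escrow:
    """Accounting only; the checks follow the finding's description."""
    def __init__(self, token, price, arbiter_fee, cap_fee=False):
        self.token, self.arbiter_fee, self.cap_fee = token, arbiter_fee, cap_fee
        token.transfer("buyer", "escrow", price)   # buyer funds the escrow

    def confirm_receipt(self):
        # Pays the seller whatever balance the escrow holds right now.
        self.token.transfer("escrow", "seller", self.token.bal["escrow"])
        return self.token.bal["seller"]

    def resolve_dispute(self, buyer_award):
        balance = self.token.bal["escrow"]
        # Hypothetical mitigation: clamp the fixed fee to the live balance.
        fee = min(self.arbiter_fee, balance) if self.cap_fee else self.arbiter_fee
        if buyer_award + fee > balance:
            raise Revert("award + arbiter fee exceeds balance")
        for who, amt in (("buyer", buyer_award), ("arbiter", fee),
                         ("seller", balance - buyer_award - fee)):
            self.token.transfer("escrow", who, amt)
        return fee

def seller_receives(price=1_000, fee_bps=100):
    return Escrow(Token(price, fee_bps), price, arbiter_fee=0).confirm_receipt()

def dispute_after_rebase(cap_fee, price=1_000, arbiter_fee=100, num=5, den=100):
    token = Token(price)
    escrow = Escrow(token, price, arbiter_fee, cap_fee)
    token.rebase(num, den)                         # escrow balance shrinks to 50
    try:
        return escrow.resolve_dispute(0)           # buyerAward passed as 0
    except Revert:
        return "revert"
```

With a 1% fee the seller ends up with 981 of the agreed 1,000 because the fee is taken on both the deposit and the payout; after the rebase the unclamped fee of 100 exceeds the remaining 50 and the dispute cannot be resolved.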