Escrow does not support rebasing/fee-on-transfer tokens
Summary
The Escrow contract does not adequately support fee-on-transfer or rebasing tokens, which may cause an issue with the agreed-upon price between the buyer and the seller.
Vulnerability Details
In Escrow.sol:98, the Escrow.confirmReceipt function assumes the whole i_tokenContract.balanceOf(address(this)) is transferred on the execution, which may not be the case for fee-on-transfer/rebasing tokens.
This is problematic as, in the instance of a rebasing event (for example stETH, or other rebasing tokens), or if the contract contains fees (for example, USDT), the seller may not receive the whole agreed-upon price of the contract.
Another potential issue is a Denial of Service of the dispute resolution system. This may happen due to the fact that the i_arbiterFee variable will have already been set up to the non-rebasing value, or value without any fees. As a result, Escrow.resolveDispute may revert even if buyerAward is passed as 0, depending on how big was the rebase.
Impact
Fee-on-transfer or rebasing tokens are not supported by the Escrow contract. If they are used, funds may be lost.
Tools Used
Manual Review
Recommendations
To ensure the contract can support fee-on-transfer or rebasing tokens, consider implementing checks if any rebasing event happened and adjust the i_arbiterFee accordingly. Alternatively, if these tokens are not needed, properly document that only non-rebasing/non-fee-on-transfer tokens are supported.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.