Severity: medium
Valid

Funds may be forever locked in the Escrow smart contract in case the Arbiter does not finalize a dispute

Summary

Funds may be locked forever in the Escrow smart contract if the Arbiter does not finalize a dispute, because neither the buyer nor the seller can "rollback" a Disputed state to the previous Created state.

Vulnerability Details

At Escrow.sol:109, if the Arbiter does not resolve a dispute, all funds in the contract are locked forever, because there is no way to withdraw from the escrow while the state is Disputed. This might be the case, for example, in the event of a loss of keys.

The README.md project documentation states that the Arbiter is a "trusted actor who can resolve disputes between the Buyer and Seller". Even so, once a dispute has started, unforeseen circumstances may leave the Arbiter unable to call Escrow.resolveDispute. In that case, even if the seller and the buyer agree off-chain on a mutual split of funds, they won't be able to get their funds back.

Impact

If the Arbiter is not able to resolve a dispute, the funds of both the buyer and the seller will be locked in the smart contract forever.

Tools Used

Manual Review

Recommendations

Several options can mitigate this issue.

  1. A timelock can be implemented so that, if dispute resolution takes longer than a predefined amount of time, the funds are automatically sent to the buyer and seller according to a predefined split (these parameters can be set at deployment time).

  2. Another option is that, after the timelock, both the buyer and the seller can choose another arbiter (using signed messages).

  3. Another option is that, after the timelock, the contract can be reset to the Created state, so that the seller and buyer can discuss off-chain what the best course of action is.
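
Option 1 sketched as an added example; this is not the audited Escrow.sol or any code from the contest project. The contract name, `disputeTimeout`, `fallbackBuyerBps`, `initiateDispute` and `claimAfterTimeout` are hypothetical, the token is assumed to return `bool` from `transfer`, and the arbiter's own resolveDispute path is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Added illustration with hypothetical names; assumes transfer() returns bool.
contract EscrowWithDisputeTimeout {
    enum State { Created, Disputed, Resolved }
    IERC20 public immutable token;
    address public immutable buyer;
    address public immutable seller;
    uint256 public immutable disputeTimeout;   // seconds the arbiter has to act
    uint256 public immutable fallbackBuyerBps; // buyer share on timeout, in basis points
    State public state;
    uint256 public disputedAt;                 // timestamp at which the dispute opened

    constructor(IERC20 _token, address _buyer, address _seller, uint256 _timeout, uint256 _buyerBps) {
        require(_buyerBps <= 10_000, "split above 100%");
        require(_timeout > 0, "timeout is zero");
        token = _token;
        buyer = _buyer;
        seller = _seller;
        disputeTimeout = _timeout;
        fallbackBuyerBps = _buyerBps;
    }

    function initiateDispute() external {
        require(msg.sender == buyer || msg.sender == seller, "not a party");
        require(state == State.Created, "wrong state");
        state = State.Disputed;
        disputedAt = block.timestamp; // starts the arbiter's window
    }

    // Exit path for a silent arbiter: either party may trigger the fixed split.
    function claimAfterTimeout() external {
        require(msg.sender == buyer || msg.sender == seller, "not a party");
        require(state == State.Disputed, "no open dispute");
        require(block.timestamp >= disputedAt + disputeTimeout, "arbiter window still open");
        state = State.Resolved; // state change before external calls
        uint256 balance = token.balanceOf(address(this));
        uint256 toBuyer = (balance * fallbackBuyerBps) / 10_000;
        require(token.transfer(buyer, toBuyer), "buyer transfer failed");
        require(token.transfer(seller, balance - toBuyer), "seller transfer failed");
    }
}
```

Because the split and the timeout are fixed at deployment, both parties know the fallback outcome before funding the escrow, and the seller receives the rounding remainder so no dust stays in the contract.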
