Submission Details
Severity: gas
Valid

Problem Tokens (e.g. Callback, Pausable) Need a Whitelist

Summary

There is no whitelist of tokens accepted by the contracts.

Vulnerability Details

The known issues state that tokens with callbacks can DoS the escrow, that every supported token will be vetted, and that ERC777 tokens are excluded.
This has the following problems:

  1. It is not clear whether only ERC777 tokens are considered to have callbacks; several other token standards also call back into the sender or recipient on transfer.

  2. The code relies on vetting, and on buyers and sellers ensuring that they only accept tokens that are safe. This is inadequate: it complicates the process, and buyers and sellers may not be aware which tokens have these behaviours.

It is better to whitelist a set of tokens in the code from the start. This also helps prevent disputes where, for example, the seller no longer likes the token agreed upon at first because it is volatile and losing value, and therefore delays the job or raises a dispute.
Implementing a token whitelist in the contracts helps in the following ways:

  1. Prioritise well known, reliable stablecoins.

  2. Avoid scam coins, shitcoins and pretender coins, e.g. a fake token named USDC that a seller may be fooled by.

  3. Avoid callback tokens other than ERC777, e.g. ERC223, ERC1363, ERC677.

  4. Avoid tokens that can be controlled by a third party, e.g. ERC1400 permissioned addresses, ERC1644 forced transfers.

  5. Avoid pausable tokens, e.g. tokens built on the Pausable extension.

Impact

Medium

  1. Non-stable coins can lose value, leading to unsatisfied sellers.

  2. Scam coins can be used knowingly by a buyer to pay the seller.

  3. Callback tokens can lead to DoS attacks.

  4. Controlled tokens may mean a seller is blacklisted without being aware of it, so they cannot be paid in the token they agreed to.

  5. Pausable tokens can prevent the seller from being paid if the payment happens after the token has been paused.

Tools Used

Manual Analysis

Recommendations

It is recommended that scam coins, callback coins, controlled coins, pausable coins etc. not be allowed.
The contracts should hold a set of whitelisted tokens acceptable to all parties, or generally accepted good tokens, in EscrowFactory, e.g.

```solidity
mapping(address token => bool isAllowed) allowedTokens;
```

Then check at escrow creation that the token is allowed, e.g.

```solidity
if (!allowedTokens[tokenContract]) {
    revert EscrowFactory__TokenNotAllowed();
}
```
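A fuller version of the recommended whitelist, as an added example that is not the project's own code. EscrowFactory, tokenContract and EscrowFactory__TokenNotAllowed are the names used in this finding; the TokenAllowlist contract, its owner handling and events, the Escrow stub, the newEscrow signature and the post-transfer balance check are assumptions made for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example (not the project's code). EscrowFactory, tokenContract and
// EscrowFactory__TokenNotAllowed come from the finding; TokenAllowlist, the
// owner/events, the Escrow stub and the function signatures are assumptions.

/// Minimal ERC20 surface used here, declared inline so the file compiles stand-alone.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Owner-managed allowlist. Every change is an explicit, event-logged action,
/// so all parties can audit on-chain which tokens the escrows will accept.
abstract contract TokenAllowlist {
    address public immutable owner;
    mapping(address token => bool isAllowed) public allowedTokens;

    event TokenAllowed(address indexed token);
    event TokenDisallowed(address indexed token);

    error TokenAllowlist__NotOwner();
    error TokenAllowlist__ZeroAddress();

    modifier onlyOwner() {
        if (msg.sender != owner) revert TokenAllowlist__NotOwner();
        _;
    }

    constructor(address[] memory initialTokens) {
        owner = msg.sender;
        for (uint256 i = 0; i < initialTokens.length; i++) {
            _allow(initialTokens[i]);
        }
    }

    function allowToken(address token) external onlyOwner {
        _allow(token);
    }

    /// Removing a token only blocks new escrows; escrows already created keep their token.
    function disallowToken(address token) external onlyOwner {
        allowedTokens[token] = false;
        emit TokenDisallowed(token);
    }

    function _allow(address token) internal {
        if (token == address(0)) revert TokenAllowlist__ZeroAddress();
        allowedTokens[token] = true;
        emit TokenAllowed(token);
    }
}

/// Hypothetical stub standing in for the project's Escrow; it only records the agreed terms.
contract Escrow {
    IERC20 public immutable token;
    address public immutable buyer;
    address public immutable seller;
    uint256 public immutable price;

    constructor(IERC20 _token, address _buyer, address _seller, uint256 _price) {
        token = _token;
        buyer = _buyer;
        seller = _seller;
        price = _price;
    }
}

contract EscrowFactory is TokenAllowlist {
    error EscrowFactory__TokenNotAllowed(address token);
    error EscrowFactory__TransferFailed();

    event EscrowCreated(address indexed escrow, address indexed token, address indexed buyer, address seller);

    constructor(address[] memory initialTokens) TokenAllowlist(initialTokens) {}

    /// The buyer (msg.sender) funds a new escrow denominated in `tokenContract`.
    function newEscrow(IERC20 tokenContract, address seller, uint256 price) external returns (Escrow) {
        // The whitelist check runs first, before any external call into the token.
        if (!allowedTokens[address(tokenContract)]) {
            revert EscrowFactory__TokenNotAllowed(address(tokenContract));
        }

        Escrow escrow = new Escrow(tokenContract, msg.sender, seller, price);

        // Defence in depth: confirm the escrow actually received `price`, so a
        // fee-on-transfer or otherwise misbehaving token that slipped onto the
        // allowlist is rejected instead of leaving the escrow underfunded.
        uint256 before = tokenContract.balanceOf(address(escrow));
        if (!tokenContract.transferFrom(msg.sender, address(escrow), price)) {
            revert EscrowFactory__TransferFailed();
        }
        if (tokenContract.balanceOf(address(escrow)) - before != price) {
            revert EscrowFactory__TransferFailed();
        }

        emit EscrowCreated(address(escrow), address(tokenContract), msg.sender, seller);
        return escrow;
    }
}
```

Two caveats for anyone adapting this. The inline IERC20 declares `transferFrom` as returning `bool`, which is fine for a stand-alone compile but will revert against widely used tokens such as USDT that return no data; in production use OpenZeppelin's SafeERC20 for the transfer. And the allowlist is a governance-time control: it stops unknown, callback and obviously unsuitable tokens from entering the system, but a whitelisted token can still be paused or have an address blacklisted after an escrow is created, so it reduces rather than eliminates the impacts listed above.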
