Submission Details
Severity: low
Valid

Incomplete sanity checks on the arbiter address, e.g. the buyer can make themselves arbiter - a whitelist is needed

Summary

The buyer can set themselves as arbiter, or supply another bad address for the seller or the arbiter.

Vulnerability Details

The zero address as arbiter is a known issue, but the zero address is not the only value that causes these problems. Nothing in the creation of an Escrow prevents the buyer from supplying the following as the arbiter address:

  1. The buyer inputs their own address as arbiter and the seller misses this before the Escrow is created.

  2. The buyer inputs an address that differs from msg.sender but that they control; the seller is unaware and assumes it is a fair arbiter.

  3. The buyer inputs an address they know has lost its keys or is otherwise non-functional, beyond the obvious 0xdead and address(0).

  4. The buyer inputs an incorrect arbiter address by mistake, e.g. through a copy-and-paste error.

  5. A genuine arbiter address may no longer be under the arbiter's control, e.g. after lost keys.

  6. The buyer selects an arbiter not favourable to the seller, e.g. one they know or can influence or bribe off-chain (limited in practice by the known issue that the arbiter is centralized). The recommendation therefore states that the arbiter must be accepted by both parties, or be selected randomly from a list of whitelisted arbiters.

Impact

Medium: Not vetting or checking the arbiter for each Escrow can lead to arbitration problems, unfairness, funds unfairly redirected to the buyer, etc.
When the arbiter address is supplied there is no check that it is an address whose keys are still under control, that it is active, that it is fair, that it is not controlled by the buyer, etc.; the only sanity check on the arbiter address is that it is not address(0).
The buyer can even mistakenly supply the seller's address as arbiter, and the seller has no incentive to point out the mistake, knowing it will benefit them in the dispute stage.

Tools Used

Manual Analysis

Recommendations

  1. EscrowFactory.sol: ensure the buyer is not the arbiter
    if (msg.sender == arbiter) revert EscrowFactory__BuyerCantBeArbiter();

  2. EscrowFactory.sol: ensure the buyer is not the seller (the error name is corrected here to match the check)
    if (msg.sender == seller) revert EscrowFactory__BuyerCantBeSeller();

The buyer can bypass the checks above by supplying an address they control, where the seller has no way of knowing it is not an independent arbiter. Therefore:

  1. Alternatively, maintain a whitelist of arbiters on the Factory and check that the supplied arbiter is allowed.

Even after all of the above, an arbiter that was functional when whitelisted may since have lost their keys. A two-step mechanism is therefore needed to confirm that the arbiter is active, holds the keys and, if needed, is available to arbitrate; otherwise no arbitration can ever happen if the arbiter address is faulty or non-existent.

Therefore:

  1. It is recommended that the arbiter signal they control the address, for example by adding an arbiterInitiate function or flag to the Escrow so that funds can only be locked after the arbiter calls it. A similar signal can be implemented for the seller to confirm agreement with the selected arbiter; this additionally confirms that the seller controls their address and will be able to receive funds later.

  2. Another option for safety, security and fairness of the arbiter address is to randomly select the arbiter from a list of whitelisted arbiters when the Escrow is created.
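The following Solidity sketch is an added illustration of the recommendations above (factory sanity checks, an arbiter whitelist, and a two-step acceptance before funds are locked); it is not the audited project's code. The contract names ArbiterRegistry, GuardedEscrow and GuardedEscrowFactory, the acceptRole / fund / newEscrow functions and all custom errors other than EscrowFactory__BuyerCantBeArbiter are assumed names chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not the audited project's code. All contract, function and
// error names below (except EscrowFactory__BuyerCantBeArbiter) are hypothetical.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Whitelist of arbiters maintained by the registry owner (recommendation: whitelist).
contract ArbiterRegistry {
    address public immutable owner;
    mapping(address => bool) public isWhitelisted;

    error NotOwner();

    constructor() { owner = msg.sender; }

    function setArbiter(address arbiter, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        isWhitelisted[arbiter] = allowed;
    }
}

/// Escrow that locks funds only after both the seller and the arbiter have
/// proved control of their keys by calling acceptRole() (recommendation: two-step signal).
contract GuardedEscrow {
    IERC20 public immutable token;
    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter;
    uint256 public immutable price;

    bool public sellerAccepted;
    bool public arbiterAccepted;
    bool public funded;

    error NotAParty();
    error PartiesNotReady();
    error AlreadyFunded();
    error OnlyBuyer();

    constructor(IERC20 _token, address _buyer, address _seller, address _arbiter, uint256 _price) {
        token = _token; buyer = _buyer; seller = _seller; arbiter = _arbiter; price = _price;
    }

    /// Seller and arbiter each signal agreement. A mistyped address or one whose
    /// keys are lost can never call this, so funds never get locked behind it.
    function acceptRole() external {
        if (msg.sender == seller) sellerAccepted = true;
        else if (msg.sender == arbiter) arbiterAccepted = true;
        else revert NotAParty();
    }

    function partiesReady() public view returns (bool) {
        return sellerAccepted && arbiterAccepted;
    }

    /// Funds are pulled from the buyer only once both counterparties have accepted.
    function fund() external {
        if (msg.sender != buyer) revert OnlyBuyer();
        if (funded) revert AlreadyFunded();
        if (!partiesReady()) revert PartiesNotReady();
        funded = true;
        token.transferFrom(buyer, address(this), price);
    }
}

/// Factory carrying the sanity checks from the recommendations above.
contract GuardedEscrowFactory {
    ArbiterRegistry public immutable registry;

    error EscrowFactory__BuyerCantBeArbiter();
    error EscrowFactory__BuyerCantBeSeller();
    error EscrowFactory__SellerCantBeArbiter();
    error EscrowFactory__ArbiterNotWhitelisted();

    constructor(ArbiterRegistry _registry) { registry = _registry; }

    function newEscrow(IERC20 token, address seller, address arbiter, uint256 price)
        external
        returns (GuardedEscrow)
    {
        // Role separation: the buyer may be neither arbiter nor seller,
        // and the seller may not be the arbiter either.
        if (msg.sender == arbiter) revert EscrowFactory__BuyerCantBeArbiter();
        if (msg.sender == seller) revert EscrowFactory__BuyerCantBeSeller();
        if (seller == arbiter) revert EscrowFactory__SellerCantBeArbiter();
        // A fresh address the buyer secretly controls passes the equality checks;
        // only the whitelist catches it.
        if (!registry.isWhitelisted(arbiter)) revert EscrowFactory__ArbiterNotWhitelisted();
        return new GuardedEscrow(token, msg.sender, seller, arbiter, price);
    }
}
```

Note the ordering change this implies: the escrow is created unfunded and the buyer calls fund() only after acceptRole() has been called from both the seller and the arbiter address, which is what makes the two-step signal effective against lost keys and typos.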
