40,000 USDC
Submission Details
Severity: low
Valid

Loss of Funds: Buyer can steal funds by setting themselves as the arbiter.

Summary

The contract EscrowFactory.sol does not check if the buyer address and the arbiter address are the same. The buyer can take advantage of disputes by resolving them in his/her favour.

Vulnerability Details

If the buyer creates an escrow contract in which the arbiter address is equal to their own address, they can resolve the dispute in their own favour, receiving the tokens they initially placed in the contract as well as the assets sent by the seller involved in the dispute.

Impact

Loss of funds to the seller, as they will not receive the funds they were expecting while attempting to resolve the dispute. As long as buyerAward > 0 and the award is set to the token balance of the contract, the buyer will receive their initial deposit as well as the assets sent by the seller.

Tools Used

Manual review

Recommendations

Ensure the buyer is unable to take advantage of disputes by validating that they did not set themselves as the arbiter in Escrow.sol:
if (buyer == arbiter) revert();
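
The recommended check placed in context, as an added example that is not the audited contract's code: MinimalEscrow, its error names and its function layout are hypothetical, and only buyerAward and the buyer/arbiter comparison come from the report. It generalizes the check to also reject the seller as arbiter, since the same role collapse applies in that direction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example: hypothetical minimal escrow, not the audited Escrow.sol; all names are assumptions.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract MinimalEscrow {
    error ArbiterMustBeIndependent();
    error OnlyArbiter();
    error NotDisputed();
    error AwardExceedsBalance();

    IERC20 public immutable token;
    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter;
    bool public disputed;

    constructor(IERC20 _token, address _buyer, address _seller, address _arbiter) {
        // Role separation: whoever decides a dispute must not be a party to it.
        if (_arbiter == _buyer || _arbiter == _seller) revert ArbiterMustBeIndependent();
        token = _token;
        buyer = _buyer;
        seller = _seller;
        arbiter = _arbiter;
    }

    function initiateDispute() external {
        require(msg.sender == buyer || msg.sender == seller, "not a party");
        disputed = true;
    }

    // The arbiter alone chooses buyerAward, and nothing caps it below the full balance,
    // so the arbiter's independence has to be enforced at construction time.
    function resolveDispute(uint256 buyerAward) external {
        if (msg.sender != arbiter) revert OnlyArbiter();
        if (!disputed) revert NotDisputed();
        uint256 balance = token.balanceOf(address(this));
        if (buyerAward > balance) revert AwardExceedsBalance();
        disputed = false;
        if (buyerAward > 0) require(token.transfer(buyer, buyerAward), "transfer failed");
        uint256 rest = balance - buyerAward;
        if (rest > 0) require(token.transfer(seller, rest), "transfer failed");
    }
}
```

Because the roles are immutable here, the constructor is the only place the comparison needs to run; a design that lets the arbiter be changed later would have to repeat it in the setter.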
