The newEscrow function in the EscrowFactory contract assumes that the balanceOf function of the provided ERC20 token contract will behave as expected. However, if a malicious or non-standard ERC20 token is used, it could potentially manipulate the state of the escrow contract, leading to unexpected behavior.
The newEscrow function is designed to create a new instance of the Escrow contract. It accepts several parameters, including a tokenContract parameter that represents the ERC20 token contract to be used for the transaction. The function calls the balanceOf method of this contract to check the balance of the new escrow contract. However, there is no explicit check in the function to ensure that the balanceOf function of the provided ERC20 token contract behaves as expected. If a non-standard or malicious ERC20 token contract is used, it could potentially manipulate the state of the escrow contract.
If a malicious or non-standard ERC20 token contract is used, it could potentially manipulate the state of the escrow contract. This could lead to unexpected behavior, such as the balance of the escrow contract not being correctly reflected, or the balance of the escrow contract being manipulated. This could potentially result in a loss of funds for the buyer or the seller, and could undermine trust in the platform.
Manual code review
To mitigate this potential issue, it is recommended to add additional checks in the newEscrow function to ensure that the balanceOf function of the provided ERC20 token contract behaves as expected. This could be implemented by adding a require statement after the safeTransferFrom call, like so:
This would ensure that the correct amount of tokens has been transferred to the escrow contract, thereby preventing the potential issues described above.
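One way to write the recommended check, as an added example (not code from the original finding or from the audited project): a hypothetical internal helper, _fundEscrow, that newEscrow could call in place of a bare safeTransferFrom. It assumes OpenZeppelin's IERC20 and SafeERC20; the contract name, helper name and revert string are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Added illustration of a balance-delta check; not the audited EscrowFactory.
abstract contract CheckedEscrowFunding {
    using SafeERC20 for IERC20;

    /// @dev Hypothetical helper. Moves `price` tokens from `buyer` to `escrow`
    ///      and reverts unless the escrow's reported balance grew by exactly `price`.
    /// @param tokenContract ERC20 token supplied by the caller of newEscrow (untrusted).
    /// @param buyer Address paying for the escrow; must have approved this contract.
    /// @param escrow Address of the escrow contract that should hold the funds.
    /// @param price Amount the escrow is expected to receive.
    function _fundEscrow(
        IERC20 tokenContract,
        address buyer,
        address escrow,
        uint256 price
    ) internal {
        // Snapshot first: the escrow address may already hold some of this token.
        uint256 balanceBefore = tokenContract.balanceOf(escrow);

        // safeTransferFrom reverts on a false return value or a failed call.
        tokenContract.safeTransferFrom(buyer, escrow, price);

        uint256 balanceAfter = tokenContract.balanceOf(escrow);

        // The require placed after safeTransferFrom. The first condition
        // short-circuits so the subtraction cannot underflow if the token
        // reports a lower balance than before the transfer.
        require(
            balanceAfter >= balanceBefore && balanceAfter - balanceBefore == price,
            "EscrowFactory: unexpected token balance after transfer"
        );
    }
}
```

This check still relies on the token's own balanceOf, so it catches fee-on-transfer and other non-standard tokens but not a token that deliberately reports false balances. Restricting tokenContract to an allowlist of known tokens covers that case.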