Submission Details
Severity: high

Buyer and arbiter can rug pull

Summary

The current design allows the buyer to raise a dispute, after which the arbiter can call resolveDispute to pull the funds out of the contract and send them to the buyer, plus the arbiter fee.

This design is flawed because if the buyer is the one that created the escrow contract, they have the option of choosing an arbiter address under their control. Then, after the seller delivers the service, the buyer raises a dispute and immediately resolves it with the arbiter account, effectively getting back all the funds while keeping the service.

Vulnerability Details

Impact

High severity, because it breaks the intended use of the protocol.

Tools Used

Recommendations

Choosing the arbiter should be a step of its own, and it should be done by both the buyer and the seller through some form of voting/approving flow. It should also be noted in user-facing documentation that a malicious arbiter can cause a rug pull.
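
One possible shape for the approving flow recommended above, as an added sketch that is not the audited contract's code. Every name except resolveDispute is hypothetical, the resolveDispute signature is assumed, and funding and payout logic are omitted.

```solidity
pragma solidity ^0.8.18;
// Added sketch, not the audited contract. Every name except resolveDispute
// is hypothetical; funding and payout logic are left out.
contract ArbiterApprovalSketch {
    address public immutable buyer;
    address public immutable seller;
    address public proposedArbiter;
    address public arbiter; // stays zero until buyer AND seller agree
    mapping(address => bool) private approved;

    error OnlyParty();
    error InvalidArbiter();
    error ProposalMismatch();
    error ArbiterNotAgreed();
    event ArbiterAgreed(address indexed arbiter);

    constructor(address _buyer, address _seller) {
        buyer = _buyer;
        seller = _seller;
    }

    modifier onlyParty() {
        if (msg.sender != buyer && msg.sender != seller) revert OnlyParty();
        _;
    }

    // Either party proposes; a new proposal discards earlier approvals.
    function proposeArbiter(address candidate) external onlyParty {
        if (candidate == address(0) || candidate == buyer || candidate == seller) revert InvalidArbiter();
        proposedArbiter = candidate;
        approved[buyer] = msg.sender == buyer;
        approved[seller] = msg.sender == seller;
    }

    // The approver names the address it reviewed, so a swapped proposal reverts.
    function approveArbiter(address candidate) external onlyParty {
        if (candidate == address(0) || candidate != proposedArbiter) revert ProposalMismatch();
        approved[msg.sender] = true;
        if (approved[buyer] && approved[seller]) {
            arbiter = candidate;
            emit ArbiterAgreed(candidate);
        }
    }

    // Assumed signature; the real function also distributes the funds.
    function resolveDispute() external {
        if (arbiter == address(0) || msg.sender != arbiter) revert ArbiterNotAgreed();
    }
}
```

In this sketch the seller would wait for ArbiterAgreed before delivering, since until then no address can resolve a dispute.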
