The "Escrow" smart contract contains a vulnerability that could lead to funds getting stuck in the contract if the arbiter address is not set during contract deployment. A dispute cannot be initiated without an arbiter being set, and the contract does not provide a mechanism to update the arbiter and resolve the dispute, so the funds can be locked indefinitely.
The vulnerability lies in the initiateDispute function of the Escrow contract. When the initiateDispute function is called, it checks whether the i_arbiter address is set. If it is not set (i.e., set to address(0)), the contract reverts with the Escrow__DisputeRequiresArbiter error message, effectively preventing the dispute resolution process from being initiated.
If the i_arbiter address is not set during contract deployment, and a dispute is intended to be initiated, it will not be possible to update it later. Consequently, the funds held in the contract will remain locked, and no resolution can occur.
Suppose:
Buyer and Seller agree on conditions, and Buyer initiates the escrow with 1000 USDC (without setting the arbiter address).
Seller refuses and does not do the work according to the conditions.
Buyer wants his 1000 USDC back.
In this scenario, the Buyer cannot initiate a dispute. There is one way to get the funds out of the contract: the Seller agrees that the Buyer first transfers the funds to the Seller using confirmReceipt(), and the Seller then transfers the funds back to the Buyer manually.
But in that case, the Seller can refuse to transfer the funds once he has received them, and the Buyer would lose his funds.
Manual Review
There could be two solutions:
Add a method to transfer funds back to the Buyer with the permission of the Seller.
Add a method to update the arbiter.
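A sketch of the second recommendation, as an added example that is not the contest's Escrow code: the arbiter is kept in storage and can be set after deployment only when the Buyer proposes an address and the Seller accepts the same one. The two-step consent, s_arbiter, s_proposedArbiter, proposeArbiter, acceptArbiter and the Sketch__ errors are assumptions introduced here; token handling is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added sketch, not the audited Escrow contract. Only initiateDispute, the arbiter check and
// Escrow__DisputeRequiresArbiter mirror the finding; all other names are hypothetical.
contract EscrowArbiterSketch {
    enum State { Created, Disputed }

    error Escrow__DisputeRequiresArbiter();
    error Sketch__NotAuthorized();
    error Sketch__WrongState();
    error Sketch__ArbiterMismatch();

    address private immutable i_buyer;
    address private immutable i_seller;
    address private s_arbiter;         // storage (stands in for i_arbiter) so it can be set later
    address private s_proposedArbiter; // Buyer's proposal awaiting the Seller's consent
    State private s_state;

    constructor(address buyer, address seller, address arbiter) {
        i_buyer = buyer;
        i_seller = seller;
        s_arbiter = arbiter; // may be address(0), the case described in the finding
    }

    // The check from the finding: with a zero arbiter this always reverts.
    function initiateDispute() external {
        if (msg.sender != i_buyer && msg.sender != i_seller) revert Sketch__NotAuthorized();
        if (s_state != State.Created) revert Sketch__WrongState();
        if (s_arbiter == address(0)) revert Escrow__DisputeRequiresArbiter();
        s_state = State.Disputed;
    }

    // Step 1: the Buyer names an arbiter. Nothing changes until the Seller agrees.
    function proposeArbiter(address arbiter) external {
        if (msg.sender != i_buyer) revert Sketch__NotAuthorized();
        if (s_state != State.Created) revert Sketch__WrongState();
        s_proposedArbiter = arbiter;
    }

    // Step 2: the Seller confirms the same address, so neither party installs an arbiter alone.
    function acceptArbiter(address arbiter) external {
        if (msg.sender != i_seller) revert Sketch__NotAuthorized();
        if (s_state != State.Created) revert Sketch__WrongState();
        if (arbiter == address(0) || arbiter != s_proposedArbiter) revert Sketch__ArbiterMismatch();
        s_arbiter = arbiter;
    }
}
```

Requiring both signatures matters because a setter callable by one party alone would let that party appoint an arbiter of its own choosing before opening a dispute.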