40,000 USDC
Submission Details
Severity: low
Valid

Arbiter and seller/buyer address can be the same address

Summary

Currently, it is possible to deploy a new escrow contract with arbiter == seller or arbiter == buyer. However, this is not intended to be a valid state for an Escrow contract. The fundamental purpose of the arbiter is to act as an impartial third party, distinct from both the seller and the buyer of the service. Therefore, to ensure the integrity and proper functionality of the Escrow contract, it is essential to disallow such configurations and enforce the requirement that the arbiter must be an unbiased third party, separate from the seller and buyer.

Vulnerability Details

In the Escrow.sol constructor, there is currently no validation to ensure that the arbiter set is neither the seller nor the buyer. As a result, Escrow contracts can be deployed with the same address for the arbiter and seller or for the arbiter and the buyer, undermining the primary purpose of the escrow contract.
To preserve the integrity and functionality of the escrow mechanism, it is crucial to implement checks that enforce the condition that the arbiter must be an impartial third party, distinct from both the seller and the buyer.

Impact

The issue arises from the possibility of the arbiter being the same address as either the seller or the buyer in the Escrow contract. Consequently, the arbiter becomes irrelevant, undermining the dispute process, a significant feature of the Escrow contract.

Given the impact on the contract's essential functionality, I consider the severity of this issue to be medium.

Tools Used

VSCode

Recommendations

Add a check to the Escrow.sol constructor:

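    // Reject deployments where the arbiter is also one of the two parties.
    // Escrow__ArbiterNotAThirdParty must also be declared as a custom error.
    if (arbiter == seller || arbiter == buyer) {
        revert Escrow__ArbiterNotAThirdParty();
    }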
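
A self-contained way to exercise the recommended check, added here as an example and not taken from the audited code base. `RoleCheckedEscrow` is a hypothetical stand-in whose constructor takes only the three role addresses; the harness contract, its function names and its constant addresses are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Hypothetical stand-in for the Escrow constructor; only the three roles are modelled.
contract RoleCheckedEscrow {
    error Escrow__ArbiterNotAThirdParty();
    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter;

    constructor(address buyer_, address seller_, address arbiter_) {
        // Recommended guard: the arbiter must differ from both parties.
        if (arbiter_ == seller_ || arbiter_ == buyer_) {
            revert Escrow__ArbiterNotAThirdParty();
        }
        buyer = buyer_;
        seller = seller_;
        arbiter = arbiter_;
    }
}

// Harness with constructed addresses: every external function returns true
// when the constructor behaves as intended.
contract RoleCheckedEscrowTest {
    address constant BUYER = address(0xB0B);
    address constant SELLER = address(0x5E11);
    address constant ARBITER = address(0xA4B);

    function _rejected(address b, address s, address a) internal returns (bool) {
        try new RoleCheckedEscrow(b, s, a) {
            return false; // deployed, so the guard is missing
        } catch (bytes memory reason) {
            // An argument-less custom error reverts with just its 4-byte selector.
            return reason.length == 4 &&
                bytes4(reason) == RoleCheckedEscrow.Escrow__ArbiterNotAThirdParty.selector;
        }
    }

    function arbiterEqualsSellerIsRejected() external returns (bool) {
        return _rejected(BUYER, SELLER, SELLER);
    }
    function arbiterEqualsBuyerIsRejected() external returns (bool) {
        return _rejected(BUYER, SELLER, BUYER);
    }
    function distinctArbiterDeploys() external returns (bool) {
        try new RoleCheckedEscrow(BUYER, SELLER, ARBITER) returns (RoleCheckedEscrow e) {
            return e.arbiter() == ARBITER;
        } catch { return false; }
    }
}
```

Comparing the revert data against the error selector confirms the deployment failed because of the role check and not for an unrelated reason.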
