CodeHawks Escrow Contract - Competition Details

Cyfrin

Foundry

40,000 USDC

Submission Details

Severity: medium

Valid

Actors can blacklist Other Actors and cause loss of assets

If this protocol is using `usdc as the token, An attacker(buyer/seller) can blacklist and cause loss to either buyer or seller

3 scenarios where the loss of funds or revert can happen:

seller reports their findings to the buyer then the attacker sends a small amount of usdc into the contract/users, the admin of usdc blacklists the contract causing a blacklist on the contract/user's funds will be stuck in the contract forever.
The 2 other scenarios have the same action but different ways an actor can cause some undesired effect
seller is not happy with Arbiter buyAmount so he blocklists usdc and makes the resolveDispute revert
buyer is not happy with the result so they dos resolveDisupte

as you can see it will cause reverts for certain actors but the worst one will be loss of funds because the funds are stuck

using pull instead of push mechanism and allowing all actors to change their address

Total prize

40,000 USDC

nSLOC

186

215 USDC / LOC

High Medium

37,000 USDC

Low

3,000 USDC

The contest is live. Earn rewards by submitting a finding.

Submissions are being carefully reviewed by our judges.

This is your time to appeal against judgements on your submissions.

Appeals are being carefully reviewed by our judges.

The contest is complete and the rewards are being distributed.

Support

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.