The Escrow contracts can be configured to have `buyer == arbiter` allowing the buyer to get funds back even when seller has correctly provided the service
Summary
The Escrow contract allows a malicious buyer to set itself to also be the arbiter.
This allows the buyer to be able to receive off-chain the service from the seller and get a total refund without paying the seller.
To do so, the buyer just needs to call
initiateDispute()resolveDispute(resolveDispute(tokenContract.balanceOf(address(escrow)) - arbiterFee))
Vulnerability Details
The Escrow contract allows a malicious buyer to set itself to also be the arbiter.
This allows the buyer to be able to receive off-chain the service from the seller and get a total refund without paying the seller.
To do so, the buyer just needs to call
initiateDispute()resolveDispute(resolveDispute(tokenContract.balanceOf(address(escrow)) - arbiterFee))
Impact
The seller will not be paid for the service he/she has correctly provided.
Tools Used
Manual
Recommendations
The Escrow.constructor should revert if buyer == arbiter
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.