The current implementation of the protocol does not have any logic or mechanism that allows the final user to understand if the Escrow
contract has been deployed "manually" or via the EscrowFactory
.
Only Escrow
contracts created from the source Factory should be valid, whitelisted and safe to be used by the buyer
, seller
and arbiter
The current implementation of the protocol does not have any logic or mechanism that allows the final user to understand if the Escrow
contract has been deployed "manually" or via the EscrowFactory
.
Only Escrow
contracts created from the source Factory should be valid, whitelisted and safe to be used by the buyer
, seller
and arbiter
There is no "direct" fund loss, but the security of the overall system can be improved.
Manual
The EscrowFactory
should store in an internal mapping mapping(address escrow => bool whitelisted) private escrows;
the list of escrow contracts created via newEscrow
The EscrowFactory
should expose an external
function that allows dApps/contracts/monitoring tools to query if an escrow contract is valid and has been created via the Factory
These are just the first steps to be followed. There are other additional enhancements that could be made, but it depends a lot on how the client wants to design the protocol behavior for a better UX/DX.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.