Submission Details
Severity: medium

`getPrice` doesn't do a correct job of calculating the price

Summary

The price is calculated based on how much the seller gives in `newEscrow`, but the buyer can give more, and the extra amount won't be reflected by the price getter function.

Vulnerability Details

Since `getPrice` returns the immutable price, it might not reflect additional funds the buyer gives the seller, or a higher price now held in the contract, which can result in no seller doing the services for the buyer.
Example:
StarKing Protocol wants an audit; they send price = 2e18 (2 ether).
The audit market requires more capital for someone to take the audit, or they see that 2 ether is not enough for their audit at that current time.
So they send 2 ether more, but since the marketplace only knows the price through the `getPrice` function, the protocol will be DoSed and won't get its funds back until it realizes what happened.

Impact

The impact is, firstly, an opportunity cost for the protocol: while the funds are in the escrow they are not used, which can be bad for a protocol that could use them for incentives. Secondly, the protocol will be DoSed if the marketplace doesn't change how it determines the buyer's price.

Tools Used

Recommendations

Change `getPrice` to return `token.balanceOf(address(this))`.
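
The mismatch described above, next to the recommended balance-based getter, as an added sketch that is not the contest's code. All contract and function names (`StubToken`, `EscrowSketch`, `getFundedAmount`, `Scenario`) are hypothetical, and the stub token is constructed for the example. After `run()`, the stored price stays at the deployment value while the balance reflects the top-up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration: every name here is hypothetical, not the contest's code.
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
}

// Constructed token stub with just enough state to fund an escrow.
contract StubToken is IERC20Like {
    mapping(address => uint256) public override balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }
}

contract EscrowSketch {
    IERC20Like private immutable token;
    uint256 private immutable price;

    constructor(IERC20Like token_, uint256 price_) {
        token = token_;
        price = price_;
    }

    // Behaviour described in the finding: the value fixed at deployment.
    function getPrice() external view returns (uint256) {
        return price;
    }

    // Recommended variant: report what the escrow currently holds.
    function getFundedAmount() external view returns (uint256) {
        return token.balanceOf(address(this));
    }
}

contract Scenario {
    // Walks the StarKing example: 2 ether at creation, 2 ether sent later.
    function run() external returns (uint256 quoted, uint256 held) {
        StubToken stub = new StubToken();
        EscrowSketch escrow = new EscrowSketch(stub, 2e18);
        stub.mint(address(escrow), 2e18); // funds at creation
        stub.mint(address(escrow), 2e18); // later top-up
        quoted = escrow.getPrice();
        held = escrow.getFundedAmount();
    }
}
```

A balance-based getter reports every token held at the escrow address, including transfers from accounts other than the buyer.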
