40,000 USDC
Submission Details
Severity: medium
Valid

Funds in Escrow can be virtually locked on disagreement

Summary

Funds deposited by the buyer are effectively locked if the escrow is created with i_arbiter set to the zero address. Arbitration is then completely disabled, so the only way funds can ever leave the contract is for the buyer to release them to the seller.

Vulnerability Details

When the escrow contract is created with i_arbiter assigned the zero address, the buyer loses all further control over the deposited funds. Because i_arbiter was never set, the entire arbitration path is unavailable.
Hence the buyer has no way to recover the deposit: the only action left is releasing the funds to the seller, since the contract has no withdraw function.

There are only two ways to withdraw funds from this contract.

a) confirmReceipt: this function sends the funds to the seller.
b) resolveDispute: this function is called by the arbiter to resolve a dispute between buyer and seller. On settlement the arbiter takes the arbiter fee and distributes the remaining funds between buyer and seller according to the arbitration decision.

But because i_arbiter is the zero address, resolveDispute can never execute: no transaction can have msg.sender == address(0), so the arbiter check can never pass. That leaves confirmReceipt as the only way to withdraw funds from the escrow.

If the seller breaches the agreement, the buyer has no choice but to leave the funds in the contract, since there is no other provision to withdraw them. This is risky for both parties: the buyer cannot recover the deposit, and the seller is paid only if the buyer chooses to call confirmReceipt.

Impact

Permanent lock of the buyer's deposited funds whenever the seller does not deliver, with no arbitration path to resolve the disagreement.

Tools Used

Manual review

Recommendations

a) Add the following validation to the constructor:
if(arbiterFee > 0){
if (i_arbiter == address(0)) revert Escrow__ArbiterZeroAddress();
}
i.e. if an arbiterFee is set, i_arbiter cannot be the zero address. Note that this check only catches the case where a fee was configured; an escrow deployed with both arbiterFee == 0 and i_arbiter == address(0) still has the lock described above, which is what (b) addresses.

b) Disabling arbitration is not a good approach. There is a risk that the seller never gets paid, since full control is in the hands of the buyer and the seller has no say at all, while the buyer in turn cannot withdraw the funds.
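The following is an added, simplified Solidity sketch written for this page; it is not the audited Escrow contract's source. It shows the two withdrawal paths described above and the constructor check from recommendation (a). Only i_arbiter, arbiterFee, confirmReceipt, resolveDispute and Escrow__ArbiterZeroAddress come from the report; the state machine, the initiateDispute function, the other error names and the inlined IERC20 interface are assumptions made so the file compiles stand-alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal ERC-20 surface the escrow needs (assumed; inlined so the file compiles stand-alone).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract Escrow {
    // State machine assumed for this sketch.
    enum State { Created, Disputed, Confirmed, Resolved }

    error Escrow__ArbiterZeroAddress();
    error Escrow__FeeExceedsPrice(uint256 price, uint256 fee);  // assumed name
    error Escrow__OnlyBuyer();                                 // assumed name
    error Escrow__OnlyBuyerOrSeller();                         // assumed name
    error Escrow__OnlyArbiter();                               // assumed name
    error Escrow__InWrongState(State expected, State actual);  // assumed name
    error Escrow__AwardExceedsBalance();                       // assumed name
    error Escrow__TransferFailed();                            // assumed name

    IERC20 private immutable i_tokenContract;
    address private immutable i_buyer;
    address private immutable i_seller;
    address private immutable i_arbiter;
    uint256 private immutable i_arbiterFee;
    State private s_state;

    constructor(
        uint256 price,
        IERC20 tokenContract,
        address buyer,
        address seller,
        address arbiter,
        uint256 arbiterFee
    ) {
        // Recommendation (a): a non-zero fee implies an arbiter, so a zero arbiter is a
        // deployment mistake. Deleting this line reproduces the reported lock.
        if (arbiterFee > 0 && arbiter == address(0)) revert Escrow__ArbiterZeroAddress();
        if (arbiterFee >= price) revert Escrow__FeeExceedsPrice(price, arbiterFee);
        i_tokenContract = tokenContract;
        i_buyer = buyer;
        i_seller = seller;
        i_arbiter = arbiter;
        i_arbiterFee = arbiterFee;
    }

    modifier inState(State expected) {
        if (s_state != expected) revert Escrow__InWrongState(expected, s_state);
        _;
    }

    // Reverts on a false return instead of silently ignoring it; skips zero amounts.
    function _pay(address to, uint256 amount) private {
        if (amount > 0 && !i_tokenContract.transfer(to, amount)) revert Escrow__TransferFailed();
    }

    // Path 1: the buyer releases the full balance to the seller. There is no buyer withdraw.
    function confirmReceipt() external inState(State.Created) {
        if (msg.sender != i_buyer) revert Escrow__OnlyBuyer();
        s_state = State.Confirmed;
        _pay(i_seller, i_tokenContract.balanceOf(address(this)));
    }

    // Either party opens a dispute (function name assumed).
    function initiateDispute() external inState(State.Created) {
        if (msg.sender != i_buyer && msg.sender != i_seller) revert Escrow__OnlyBuyerOrSeller();
        s_state = State.Disputed;
    }

    // Path 2: the arbiter takes the fee and splits the remainder. With i_arbiter == address(0)
    // no transaction can have msg.sender == address(0), so this path is permanently unreachable.
    function resolveDispute(uint256 buyerAward) external inState(State.Disputed) {
        if (msg.sender != i_arbiter) revert Escrow__OnlyArbiter();
        uint256 balance = i_tokenContract.balanceOf(address(this));
        if (buyerAward + i_arbiterFee > balance) revert Escrow__AwardExceedsBalance();
        s_state = State.Resolved;
        _pay(i_arbiter, i_arbiterFee);
        _pay(i_buyer, buyerAward);
        _pay(i_seller, balance - buyerAward - i_arbiterFee);
    }
}
```

Deploying this sketch with arbiter == address(0) and arbiterFee == 0 passes the constructor check and still leaves confirmReceipt as the only exit, which is the situation recommendation (b) argues against. A production contract would also use a safe-transfer wrapper rather than the raw transfer call shown here.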
