Escrow creator can be both buyer and arbitrator
Summary
The escrow is created by the buyer funding the price and initialising the values for the contract. It is possible that the buyer would initialize the arbitrator with the same address as buyer and there by claim full control of the contractual terms.
Lets say, Alice is the buyer and also the arbitrator. With these circumstances, Seller has no say at all. The contract does not have a restriction for this setup.
Vulnerability Details
Buyer has full control of escrow and hence could with draw the funds using the dispute method. Seller has no guard against the manipulation by the buyer.
The buyer can raise a dispute and award him max refund parring the arbitrator fee. As a result, seller will get nothing.
Impact
Seller will loss every thing, the off chain transaction was completed per norms by the seller, but has no control on the funds to be received by escrow. He would loose all funds.
Tools Used
Manual Review
Recommendations
Add the below validation in Escrow Constructor
if (buyer == arbiter)) revert Escrow__BuyerArbiterSameAddress();
Seller should have a function to accept the terms of the Escrow contract before it becomes effective.
a) Make sure arbitrator is different from Buyer and confirm that holder is a middle man who will support fairness.
b) Seller also accepts the fee for arbitration if invoked.
Add a function that allows seller to accept the terms which actives escrow for settlement.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.