Submission Details
Severity: low
Valid

Escrow creator can be both buyer and arbitrator

Summary

The escrow is created by the buyer, who funds the price and initialises the values for the contract. The buyer can initialise the arbitrator with the same address as the buyer and thereby claim full control of the contractual terms.

Let's say Alice is both the buyer and the arbitrator. Under these circumstances, the seller has no say at all. The contract has no restriction against this setup.

Vulnerability Details

The buyer has full control of the escrow and hence could withdraw the funds using the dispute method. The seller has no guard against manipulation by the buyer.

The buyer can raise a dispute and award himself the maximum refund, barring the arbitrator fee. As a result, the seller will get nothing.

Impact

The seller will lose everything. The seller completed the off-chain transaction per norms, but has no control over the funds to be received from the escrow, and would lose all funds.

Tools Used

Manual Review

Recommendations

Add the below validation in the Escrow constructor:
if (buyer == arbiter) revert Escrow__BuyerArbiterSameAddress();

The seller should have a function to accept the terms of the Escrow contract before it becomes effective.

a) Make sure the arbitrator is different from the buyer, and confirm that the holder is a middleman who will support fairness.
b) The seller also accepts the fee for arbitration, if invoked.

Add a function that allows the seller to accept the terms, which activates the escrow for settlement.
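
The two recommendations combined, as an added sketch that is not the audited project's code: the constructor rejects buyer == arbiter, and disputes stay locked until the seller accepts the arbiter and fee. Only Escrow__BuyerArbiterSameAddress comes from the finding; the contract name, State enum, acceptTerms, initiateDispute and the other errors are hypothetical, and token custody and payouts are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added sketch. Hypothetical names throughout, except the error
// Escrow__BuyerArbiterSameAddress, which is the one the finding proposes.
contract EscrowSketch {
    enum State { AwaitingSeller, Active, Disputed }

    error Escrow__BuyerArbiterSameAddress();
    error Escrow__OnlySeller();
    error Escrow__OnlyBuyerOrSeller();
    error Escrow__TermsMismatch();
    error Escrow__WrongState(State current);

    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter;
    uint256 public immutable arbiterFee;
    State public state; // zero value is AwaitingSeller

    constructor(address _buyer, address _seller, address _arbiter, uint256 _arbiterFee) {
        // Recommended validation: the buyer must not also be the arbiter.
        if (_buyer == _arbiter) revert Escrow__BuyerArbiterSameAddress();
        buyer = _buyer;
        seller = _seller;
        arbiter = _arbiter;
        arbiterFee = _arbiterFee;
    }

    // The seller confirms the exact arbiter and fee they reviewed off-chain.
    // Until this succeeds the escrow is not effective and no dispute can start.
    function acceptTerms(address expectedArbiter, uint256 expectedFee) external {
        if (msg.sender != seller) revert Escrow__OnlySeller();
        if (state != State.AwaitingSeller) revert Escrow__WrongState(state);
        if (expectedArbiter != arbiter || expectedFee != arbiterFee) revert Escrow__TermsMismatch();
        state = State.Active;
    }

    // Disputes are gated on seller acceptance, so a buyer-chosen arbiter
    // cannot be invoked against a seller who never agreed to it.
    function initiateDispute() external {
        if (msg.sender != buyer && msg.sender != seller) revert Escrow__OnlyBuyerOrSeller();
        if (state != State.Active) revert Escrow__WrongState(state);
        state = State.Disputed;
    }
}
```

The equality check alone does not stop a buyer from naming a second address they control as arbiter, which is why the acceptance step matters.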
