40,000 USDC
Submission Details
Severity: high
Valid

Arbiter never calls the resolveDispute function

Summary

If the arbiter never calls the resolveDispute function, the price gets locked.

Vulnerability Details

For any reason, the buyer or the seller can call the initiateDispute function. This gives the arbiter the power to decide who should get the price, or how much of the price is to be given to the buyer or the seller, after conferring with them off-chain. However, if the arbiter never calls the resolveDispute function, the price gets locked. For example, the arbiter may be unable to come to a conclusion after conferring with both parties (this is not a case of the arbiter being partial, but rather of his/her inability to come to a conclusion).

Instance:

https://github.com/Cyfrin/2023-07-escrow/blob/main/src/Escrow.sol#L109C1-L130C1

function resolveDispute(uint256 buyerAward) external onlyArbiter nonReentrant inState(State.Disputed) {
    uint256 tokenBalance = i_tokenContract.balanceOf(address(this));
    uint256 totalFee = buyerAward + i_arbiterFee; // Reverts on overflow
    if (totalFee > tokenBalance) {
        revert Escrow__TotalFeeExceedsBalance(tokenBalance, totalFee);
    }

    s_state = State.Resolved;
    emit Resolved(i_buyer, i_seller);

    if (buyerAward > 0) {
        i_tokenContract.safeTransfer(i_buyer, buyerAward);
    }
    if (i_arbiterFee > 0) {
        i_tokenContract.safeTransfer(i_arbiter, i_arbiterFee);
    }
    tokenBalance = i_tokenContract.balanceOf(address(this));
    if (tokenBalance > 0) {
        i_tokenContract.safeTransfer(i_seller, tokenBalance);
    }
}

Impact

The price may get locked if the arbiter does not call the resolveDispute function.

Tools Used

Manual review and VS Code

Recommendations

There should be a specific time frame (e.g. 2 weeks) for the arbiter to confer with both parties and come to a conclusion, deciding which party should get the price or how much of the price is to be given to the buyer or the seller. If the arbiter is unable to come to a conclusion, then the arbiter may be changed.
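
One way to sketch the recommended time frame, as an added example that is not code from the audited project or from this report. The contract name, `RESOLVE_WINDOW`, `s_deadline`, `s_proposal`, `proposeArbiter` and the rule that both parties must propose the same replacement are assumptions; token payouts are left out so that only the timeout logic is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added illustration, not the audited Escrow.sol: token transfers are omitted,
/// only the dispute timeout and the arbiter replacement are shown.
contract DisputeTimeoutSketch {
    enum State { Created, Disputed, Resolved }

    uint256 public constant RESOLVE_WINDOW = 2 weeks; // time frame from the recommendation
    address public immutable i_buyer;
    address public immutable i_seller;
    address public s_arbiter; // mutable here so that it can be replaced
    uint256 public s_deadline; // set when a dispute is opened
    State public s_state;
    mapping(address => address) public s_proposal; // party => proposed new arbiter

    error Unauthorized();
    error WrongState();
    error WindowStillOpen(uint256 deadline);

    constructor(address buyer, address seller, address arbiter) {
        i_buyer = buyer;
        i_seller = seller;
        s_arbiter = arbiter;
    }

    function initiateDispute() external {
        if (msg.sender != i_buyer && msg.sender != i_seller) revert Unauthorized();
        if (s_state != State.Created) revert WrongState();
        s_state = State.Disputed;
        s_deadline = block.timestamp + RESOLVE_WINDOW; // arbiter's window starts now
    }

    function resolveDispute() external {
        if (msg.sender != s_arbiter) revert Unauthorized();
        if (s_state != State.Disputed) revert WrongState();
        s_state = State.Resolved; // payouts to buyer, arbiter and seller would follow here
    }

    /// Hypothetical escape hatch: after the window, both parties naming the same address swaps the arbiter.
    function proposeArbiter(address candidate) external {
        if (msg.sender != i_buyer && msg.sender != i_seller) revert Unauthorized();
        if (s_state != State.Disputed) revert WrongState();
        if (block.timestamp < s_deadline) revert WindowStillOpen(s_deadline);
        s_proposal[msg.sender] = candidate;
        if (candidate != address(0) && s_proposal[i_buyer] == s_proposal[i_seller]) {
            s_arbiter = candidate;
            s_deadline = block.timestamp + RESOLVE_WINDOW; // new arbiter gets a fresh window
            delete s_proposal[i_buyer];
            delete s_proposal[i_seller];
        }
    }
}
```

In this sketch the original arbiter can still resolve late as long as the parties have not agreed on a replacement, so the deadline only opens the replacement path and never closes the normal one.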
