Submission Details
Severity: medium

Token transfer has to be redirected through EscrowFactory

Summary

Token transfers should be routed through EscrowFactory, so that the seller does not have to approve the newly created Escrow address.

Vulnerability Details

  1. It might be challenging to pre-calculate the new Escrow contract address off-chain, so approving that address is more difficult and less reliable than transferring tokens to EscrowFactory, which is a static address.

  2. When a duplicate address is generated in EscrowFactory, the transaction reverts, but the seller still has a token approval outstanding to that duplicated address.

Impact

Seller funds might not be safe, and sellers also face challenges depositing tokens into the Escrow contract.

Tools Used

Manual Review

Recommendations

The seller approves tokens to EscrowFactory, and the newEscrow function transfers the tokens to EscrowFactory and then on to the new Escrow contract.
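A sketch of the recommended flow, added here as an illustration and not taken from the audited code base. The Escrow stand-in, the newEscrow parameters, the event and the CREATE2 salt are assumptions; only the names EscrowFactory, Escrow and newEscrow come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not the project's code. Parameters, event and salt are assumed.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Minimal stand-in for the real Escrow contract (hypothetical fields).
contract Escrow {
    IERC20 public immutable token;
    address public immutable seller;
    uint256 public immutable price;

    constructor(IERC20 _token, address _seller, uint256 _price) {
        token = _token;
        seller = _seller;
        price = _price;
    }
}

contract EscrowFactory {
    event EscrowCreated(address indexed escrow, address indexed seller, uint256 price);

    // The seller approves this factory, a static address, for `price` beforehand.
    // Tokens that return no bool need a safe-transfer wrapper instead of `require`.
    function newEscrow(IERC20 token, uint256 price, bytes32 salt) external returns (address) {
        // 1. Pull funds from the caller only, so an allowance left on the
        //    factory can never be spent on behalf of a third party.
        require(token.transferFrom(msg.sender, address(this), price), "pull failed");

        // 2. Deploy at a salt-derived address (assumed CREATE2). A duplicate
        //    address reverts the whole call, including step 1, and the seller
        //    never granted any allowance to the Escrow address itself.
        Escrow escrow = new Escrow{salt: salt}(token, msg.sender, price);

        // 3. Forward the funds and confirm the escrow is fully funded
        //    (this also rejects fee-on-transfer shortfalls).
        require(token.transfer(address(escrow), price), "forward failed");
        require(token.balanceOf(address(escrow)) >= price, "escrow underfunded");

        emit EscrowCreated(address(escrow), msg.sender, price);
        return address(escrow);
    }
}
```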
