40,000 USDC
Submission Details
Severity: medium
Valid

The buyer can use a USDC/ USDT blacklist address to screw the auditor

Summary

The buyer can use a USDC/USDT blacklisted address to deny the auditor payment: the auditor will already have done the audit, but the dispute resolution that would pay out reverts and the reward is never received.

Vulnerability Details

In EscrowFactory.sol we have newEscrow():

    function newEscrow(
        uint256 price,
        IERC20 tokenContract,
        address seller,
        address arbiter,
        uint256 arbiterFee,
        bytes32 salt
    ) external returns (IEscrow) {
        address computedAddress = computeEscrowAddress(
            type(Escrow).creationCode,
            address(this),
            uint256(salt),
            price,
            tokenContract,
            msg.sender,
            seller,
            arbiter,
            arbiterFee
        );
        tokenContract.safeTransferFrom(msg.sender, computedAddress, price);
        Escrow escrow = new Escrow{salt: salt}(
            price,
            tokenContract,
            msg.sender,
            seller,
            arbiter,
            arbiterFee
        );
        if (address(escrow) != computedAddress) {
            revert EscrowFactory__AddressesDiffer();
        }
        emit EscrowCreated(address(escrow), msg.sender, seller, arbiter);
        return escrow;
    }

This function is used to create a new Escrow contract. The NatSpec says:

///There is a risk that if a malicious token is used, the dispute process could be manipulated.

/// Therefore, careful consideration should be taken when chosing the token.

The warning only covers malicious tokens, but settlement can also be blocked with a trusted token.
The most widely used stablecoins, USDC and USDT, have an issuer-controlled blacklist at the contract level. USDC's FiatToken rejects a transfer when either the sender or the recipient is blacklisted; USDT's contract checks only the sender, so the recipient-side revert described below applies to USDC-style tokens. Once an address is blacklisted, every escrow payout pushed to that address reverts.

Consider the following situation:

  • The buyer and seller agree on the price and the audit.

  • After the audit is done, the buyer doesn't like something and doesn't want to pay.

  • So the seller (auditor) calls in the arbiter.

  • While the dispute is open, the buyer's address is added to the token's blacklist. resolveDispute() then cannot execute: the transfer it pushes to the blacklisted buyer address reverts, and the whole call reverts with it, so the seller and arbiter are not paid either.

The same outcome is possible even if the buyer has the best of intentions and the address is blacklisted for some unrelated reason.

Impact

The auditor receives no reward for the work, and the tokens remain stuck in the Escrow contract, since the only settlement path reverts.

Tools Used

Visual Studio Code

Recommendations

Use a pull-over-push model for payouts: have resolveDispute() record what each party is owed instead of transferring tokens, and let each party withdraw its own share in a separate call. A blacklisted buyer then only blocks the buyer's own withdrawal, not the seller's or the arbiter's.
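The following is an added example written for this report, not the audited project's Escrow code. It assumes OpenZeppelin's IERC20/SafeERC20 are available, uses a hypothetical BlacklistableToken that behaves like USDC's FiatToken (transfers from or to a blacklisted address revert), and a hypothetical PullEscrow that is funded with `price` tokens at creation, the way the factory above funds the real Escrow. The point it shows is that resolveDispute() makes no token transfer at all; a push-model version would call token.safeTransfer(buyer, buyerAward) inline and, with the buyer blacklisted, that single revert would take the seller's and arbiter's payouts down with it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not the audited project's code. Assumes OpenZeppelin's
// IERC20/SafeERC20; the escrow is a hypothetical, stripped-down settlement
// contract that keeps only what is needed to show pull-over-push.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical stand-in for a blacklistable stablecoin: like USDC's
/// FiatToken it rejects a transfer when the sender OR the recipient is
/// blacklisted by the issuer.
contract BlacklistableToken {
    address public immutable issuer;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public isBlacklisted;

    constructor() {
        issuer = msg.sender;
    }

    // Test helper so a scenario can be set up without a real issuer.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function setBlacklisted(address who, bool flag) external {
        require(msg.sender == issuer, "only issuer");
        isBlacklisted[who] = flag;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount;
        _move(from, to, amount);
        return true;
    }

    function _move(address from, address to, uint256 amount) internal {
        require(!isBlacklisted[from] && !isBlacklisted[to], "blacklisted");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

/// Hypothetical escrow that settles a dispute with the pull model.
/// It is assumed to hold `price` tokens from the moment it is created.
contract PullEscrow {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter;
    uint256 public immutable price;
    uint256 public immutable arbiterFee;
    bool public settled;
    mapping(address => uint256) public pendingWithdrawals;

    constructor(IERC20 token_, address buyer_, address seller_, address arbiter_, uint256 price_, uint256 arbiterFee_) {
        require(arbiterFee_ <= price_, "fee exceeds price");
        token = token_;
        buyer = buyer_;
        seller = seller_;
        arbiter = arbiter_;
        price = price_;
        arbiterFee = arbiterFee_;
    }

    /// The arbiter decides how much of the price goes back to the buyer; the
    /// remainder, minus the arbiter fee, is owed to the seller. Only
    /// accounting happens here, so a blacklisted party cannot make it revert.
    function resolveDispute(uint256 buyerAward) external {
        require(msg.sender == arbiter, "only arbiter");
        require(!settled, "already settled");
        require(buyerAward + arbiterFee <= price, "award exceeds funds");
        settled = true;
        pendingWithdrawals[buyer] += buyerAward;
        pendingWithdrawals[arbiter] += arbiterFee;
        pendingWithdrawals[seller] += price - buyerAward - arbiterFee;
    }

    /// Each party pulls its own share. If the buyer is blacklisted, only the
    /// buyer's withdraw() reverts; the seller and arbiter are unaffected.
    function withdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingWithdrawals[msg.sender] = 0; // effects before interaction
        token.safeTransfer(msg.sender, amount);
    }
}
```

With this layout a blacklisted buyer's award simply stays in the contract until the issuer removes the address from the blacklist; that exposure is the buyer's own, and it no longer blocks the auditor's or arbiter's payout. The same pattern also protects against the reverse case, where a payout to the seller or arbiter would fail.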
