Buyer choosing the Arbiter holds risks for the Seller
Summary
Buyer being able to choose any address they want as the arbiter holds risks for the seller.
Vulnerability Details
Buyer can set any address they want as the arbiter with the arbiterFee they choose meaning they can even put their own addresses and contracts as the arbiter. Putting the trust of choosing the arbiter which is the only address that can call the resolveDispute function, in the hands of the buyer is not a good system for the seller. Buyer can act maliciously/unjustified and resolve the disputes however they want even after seller does the work asked of them.
A potential problem can go as follows:
Buyer and seller agree on a price, buyer creates a new escrow contract choosing the arbiter parameter themselves(Can be another address that they own) and set arbiterFee to 0.
Seller does the work asked for them and expects payment.
Buyer/Seller uses initiateDispute() function.
Arbiter calls the resolveDispute() function with the buyerAward parameter being price - arbiterFee.
Dispute resolves with buyer taking their funds back and seller getting nothing in return.
Impact
A malicious buyer that has the power to choose the arbiter address themselves can refuse to give any money to the seller after seller has done their part of the work. Seller will never be able to get the dispute resolved in a way that will favour them.
Tools Used
Manual review.
Recommendations
Have an off-chain pool of verified and trusted arbiter addresses that the buyer has to choose from with an if check on newEscrow function or the constructor in Escrow.sol.
Another idea would be to always have an arbiter which will be the CodeHawks team.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.