40,000 USDC
View results
Submission Details
Severity: medium

`Escrow`'s ERC20 balance can be different to `i_price`

Summary

tokenContract.balanceOf(address(this)) in Escrow is not always equal to i_price. This results in seller being paid more than i_price.

Vulnerability Details

Escrow constructor() only checks for if (tokenContract.balanceOf(address(this)) < price). The ERC20 balance of Escrow could be higher than i_price. This can happen if Escrow is deployed without EscrowFactory or any user sends funds of the ERC20 tokenContract to the Escrow.

i_price is not used after setting in constructor() except in getPrice(). This makes the immutable i_price unnecessary as tokenContract.balanceOf(address(this)) is being used to determine payouts.

Impact

In confirmReceipt this leads to the seller being paid more than i_price. In resolveDispute(uint256 buyerAward) this can even lead to the buyer not being able to get the difference between i_price and ERC20 balance back. This difference will always be given to the seller, no matter what.

Tools Used

Manual Review

Recommendations

  1. Replace tokenContract.balanceOf(address(this)) with i_price when calculating payouts.

  2. Add function for buyer to reclaim excess deposit.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.