Submission Details
Severity: high

Volatility in token price can lead to loss to either the buyer or seller according to the price rise or fall

Summary

When there is no dispute between the buyer & seller, the buyer pays the agreed upon price to the seller by calling confirmReceipt(). The whole token balance held by the contract is transferred, because safeTransfer is passed i_tokenContract.balanceOf(address(this)) as the amount when paying the seller.
If the market value of the deposited tokens changes in the meantime, either the buyer or the seller incurs a loss, depending on whether the price has risen or fallen.

Vulnerability Details

Let's take the scenario where there is no dispute between the buyer & seller.

File: Escrow.sol
function confirmReceipt() external onlyBuyer inState(State.Created) {
    s_state = State.Confirmed;
    emit Confirmed(i_seller);
    // The amount paid is whatever the contract holds at this moment, not a stored price.
    i_tokenContract.safeTransfer(i_seller, i_tokenContract.balanceOf(address(this)));
}

Here, two scenarios play out.

First,

The market price of the token decreases. In this case, the seller is paid less than the agreed upon price & as a result suffers a loss.

Second,

The market price of the token increases. In this case, the seller gets paid more than the agreed upon price & as a result the buyer suffers a loss in this situation.

Impact

Market volatility can lead to an uneven payout to the seller, causing a loss of funds for either the seller or the buyer.

Tools Used

Manual Review

Recommendations

Put in measures to handle market volatility.
Deploy the contract with a little extra balance. Instead of paying the seller using the contract's balance, use a fixed price variable. Add a withdraw function, accessible only by the buyer, to withdraw the extra funds; otherwise they may be locked in the contract.
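
A sketch of this recommendation, added here as an illustration and not taken from the audited Escrow.sol. The names FixedPriceEscrow, i_price, i_buyer, withdrawExcess and the custom errors are assumptions; i_price is assumed to be a token amount fixed at deployment, and dispute handling is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added illustration (hypothetical contract), not the audited code.
contract FixedPriceEscrow {
    using SafeERC20 for IERC20;

    enum State { Created, Confirmed }

    error OnlyBuyer();
    error InvalidState();
    error Underfunded();

    uint256 public immutable i_price; // assumed: agreed amount, in token units
    IERC20 public immutable i_tokenContract;
    address public immutable i_buyer;
    address public immutable i_seller;
    State public s_state; // defaults to State.Created

    event Confirmed(address indexed seller);

    modifier onlyBuyer() {
        if (msg.sender != i_buyer) revert OnlyBuyer();
        _;
    }

    constructor(uint256 price, IERC20 tokenContract, address buyer, address seller) {
        i_price = price;
        i_tokenContract = tokenContract;
        i_buyer = buyer;
        i_seller = seller;
    }

    // Pays exactly the stored price, regardless of the current balance.
    function confirmReceipt() external onlyBuyer {
        if (s_state != State.Created) revert InvalidState();
        if (i_tokenContract.balanceOf(address(this)) < i_price) revert Underfunded();
        s_state = State.Confirmed;
        emit Confirmed(i_seller);
        i_tokenContract.safeTransfer(i_seller, i_price);
    }

    // Once the seller is paid, the buyer can recover whatever is left over.
    function withdrawExcess() external onlyBuyer {
        if (s_state != State.Confirmed) revert InvalidState();
        i_tokenContract.safeTransfer(i_buyer, i_tokenContract.balanceOf(address(this)));
    }
}
```

Restricting withdrawExcess to the Confirmed state keeps the buyer from pulling funds out before the seller has been paid.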
