Missing partial payment option does not reflect real-world usage of private auditors & protocols, limiting usefulness of Escrow contract
Summary
Missing partial payment option does not reflect real-world usage of private auditors & protocols, limiting usefulness of the Escrow contract.
Vulnerability Details
In private audits it is common for the buyer (protocol team) to pay a deposit (a % of the total fee, typically 30-50%) before the audit is started, and the remainder of the fee is paid once the audit findings are delivered. A smaller down-payment can also be paid to secure the auditor's time which may be forfeited if the protocol team then decides to cancel the audit.
The Escrow contract does not offer this; it is "all or nothing", either the buyer pays the entire sum or they pay nothing.
Impact
The Escrow contract may not be suitable for its intended purpose; auditors in particular may not use it due to not receiving a down-payment before beginning the audit.
Tools Used
Manual
Recommendations
The Escrow contract should be created with a downPayment parameter and the state machine expanded to allow auditors to receive an agreed-upon down-payment before starting the audit.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.