40,000 USDC
Submission Details
Severity: gas
Valid

Missing partial payment option does not reflect real-world usage of private auditors & protocols, limiting usefulness of Escrow contract

Summary

The Escrow contract supports only a single, full release of the locked price to the seller. There is no way to release an agreed-upon down-payment before work starts, which does not reflect how private auditors and protocol teams actually structure engagements and limits the usefulness of the Escrow contract.

Vulnerability Details

In private audits it is common for the buyer (protocol team) to pay a deposit (a percentage of the total fee, typically 30-50%) before the audit starts, with the remainder of the fee paid once the audit findings are delivered. A smaller down-payment may also be paid to secure the auditor's time; that down-payment is forfeited if the protocol team later decides to cancel the audit.

The Escrow contract does not offer this; it is "all or nothing": the seller receives either the entire locked sum or nothing, and there is no intermediate state in which part of the price is released before the work is delivered.

Impact

The Escrow contract may not be suitable for its intended purpose; auditors in particular may decline to use it because they cannot receive a down-payment before beginning the audit.

Tools Used

Manual

Recommendations

The Escrow contract should be created with a downPayment parameter (bounded by the total price), and the state machine expanded so that the seller (auditor) receives the agreed-upon down-payment when the engagement starts, with the remainder released to the seller on confirmation or refunded to the buyer on cancellation.
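The following sketch shows one way the recommended down-payment phase could look. It is an added illustration written for this report, not code from the audited Escrow contract or its repository. The state names (Created, Started, Confirmed, Cancelled), the function names startWork, confirmReceipt and cancel, and the assumption that a factory transfers the full price into the contract before the constructor runs are all assumptions made for the example; the original contract's dispute and arbiter handling is left out to keep the lifecycle focused on the payment split.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal ERC20 surface used by the example (assumed; a production build would
// pull IERC20/SafeERC20 from OpenZeppelin instead).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// @notice Illustrative escrow with a down-payment phase. Added example, not the audited contract.
/// Lifecycle: Created (funded, awaiting seller) -> Started (down payment released to seller)
///            -> Confirmed (remainder released to seller).
/// The buyer may cancel before confirmation; a down payment that has already been released is forfeited.
contract EscrowWithDownPayment {
    enum State { Created, Started, Confirmed, Cancelled }

    error OnlyBuyer();
    error OnlySeller();
    error WrongState(State current);
    error DownPaymentExceedsPrice(uint256 downPayment, uint256 price);
    error Underfunded(uint256 balance, uint256 price);
    error TransferFailed();

    IERC20 public immutable tokenContract;
    address public immutable buyer;
    address public immutable seller;
    uint256 public immutable price;       // total agreed fee, locked at creation
    uint256 public immutable downPayment; // portion released to the seller when work starts
    State public state;

    event WorkStarted(uint256 downPaymentReleased);
    event ReceiptConfirmed(uint256 remainderReleased);
    event EscrowCancelled(uint256 refundedToBuyer);

    constructor(IERC20 _tokenContract, address _buyer, address _seller, uint256 _price, uint256 _downPayment) {
        // A down payment larger than the total price makes no sense; reject it at creation.
        if (_downPayment > _price) revert DownPaymentExceedsPrice(_downPayment, _price);
        // Assumption: the deploying factory has already transferred `_price` tokens to this address.
        // Checking the balance makes that assumption explicit rather than trusting the caller.
        uint256 balance = _tokenContract.balanceOf(address(this));
        if (balance < _price) revert Underfunded(balance, _price);
        tokenContract = _tokenContract;
        buyer = _buyer;
        seller = _seller;
        price = _price;
        downPayment = _downPayment;
        state = State.Created;
    }

    modifier onlyBuyer() { if (msg.sender != buyer) revert OnlyBuyer(); _; }
    modifier onlySeller() { if (msg.sender != seller) revert OnlySeller(); _; }
    modifier inState(State s) { if (state != s) revert WrongState(state); _; }

    /// @notice Seller commits to the engagement and receives the down payment; the remainder stays locked.
    function startWork() external onlySeller inState(State.Created) {
        state = State.Started; // effect before interaction (checks-effects-interactions)
        _pay(seller, downPayment);
        emit WorkStarted(downPayment);
    }

    /// @notice Buyer confirms delivery; everything still held by the escrow goes to the seller.
    function confirmReceipt() external onlyBuyer inState(State.Started) {
        state = State.Confirmed;
        uint256 remainder = tokenContract.balanceOf(address(this));
        _pay(seller, remainder);
        emit ReceiptConfirmed(remainder);
    }

    /// @notice Buyer cancels. Before startWork the full price is refunded; after it, the down payment
    /// has already gone to the seller (forfeited) and only the remaining balance is refunded.
    function cancel() external onlyBuyer {
        if (state != State.Created && state != State.Started) revert WrongState(state);
        state = State.Cancelled;
        uint256 refund = tokenContract.balanceOf(address(this));
        _pay(buyer, refund);
        emit EscrowCancelled(refund);
    }

    /// @dev Token transfer that treats a `false` return as failure (tokens that return nothing
    ///      would need SafeERC20; kept minimal here on purpose).
    function _pay(address to, uint256 amount) private {
        if (amount == 0) return;
        if (!tokenContract.transfer(to, amount)) revert TransferFailed();
    }
}
```

Releasing the remainder via balanceOf rather than a stored price - downPayment difference means any tokens sent to the escrow outside the normal flow are still swept to the correct party, and the state is always updated before the external token call so a reentrant token cannot trigger a second release.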
