Submission Details
Severity: high

A malicious buyer and arbiter can collaborate to cheat the seller.

Summary

A malicious buyer and arbiter can collaborate to cheat the seller.

Vulnerability Details

The #resolveDispute() function is built to favor the buyer over the seller.

After a successful transaction, the buyer is supposed to call #confirmReceipt() so that all funds in the escrow contract are sent to the seller.

But a malicious buyer can, instead of confirming the receipt, initiate a dispute via #initiateDispute().

If the arbiter chooses to side with the buyer, he can enter almost the whole balance of the escrow contract (balance - arbiterFee) as buyerAward when calling #resolveDispute(), so that all the funds in the escrow contract that were supposed to be sent to the seller are sent to the buyer instead.

There's a high possibility of the arbiter being biased since they're appointed by the buyer in EscrowFactory.sol.

That is unfair, because the seller won't receive his payment even though the transaction between him and the buyer was successful.

Impact

A malicious buyer and arbiter can collaborate to cheat the seller.

Tools Used

Lofi Radio and Manual Review

Recommendations

According to EscrowFactory.sol, the buyer is the one who calls newEscrow() and deploys the new escrow contract; he is also the one who fills in all the parameters, including the arbiter.

I suggest that the buyer shouldn't be given the ability to appoint the arbiter; let CODEHAWKS admins work as arbiters for projects that opt for arbitration.
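
The payout arithmetic from the finding and the recommended restriction, as an added example (a simplified Python model, not the audited Solidity code). The state names, the rule that the seller receives whatever remains, the `APPROVED_ARBITERS` allowlist and all party names and amounts are assumptions constructed for illustration.

```python
# Simplified model of the escrow flow described in this finding.
# Names and the payout rule are assumptions, not the audited Solidity code.
from dataclasses import dataclass

APPROVED_ARBITERS = {"platform-arbiter-1"}  # hypothetical platform-run allowlist


class EscrowError(Exception):
    pass


@dataclass
class Escrow:
    buyer: str
    seller: str
    arbiter: str
    balance: int      # token units held by the escrow
    arbiter_fee: int
    state: str = "Created"

    def initiate_dispute(self, caller):
        # Assumed access rule: either party to the trade may open a dispute.
        if caller not in (self.buyer, self.seller):
            raise EscrowError("only buyer or seller")
        self.state = "Disputed"

    def resolve_dispute(self, caller, buyer_award):
        """Return payouts; assumed rule: the seller gets whatever is left."""
        if caller != self.arbiter or self.state != "Disputed":
            raise EscrowError("not arbiter or not disputed")
        if buyer_award + self.arbiter_fee > self.balance:
            raise EscrowError("award exceeds balance")
        self.state = "Resolved"
        seller_share = self.balance - buyer_award - self.arbiter_fee
        return {self.buyer: buyer_award, self.arbiter: self.arbiter_fee,
                self.seller: seller_share}


def new_escrow(buyer, seller, arbiter, price, arbiter_fee, enforce_allowlist):
    """Factory model; the buyer is the caller and supplies every parameter."""
    if enforce_allowlist and arbiter not in APPROVED_ARBITERS:
        raise EscrowError("arbiter not approved by the platform")
    return Escrow(buyer, seller, arbiter, price, arbiter_fee)


def colluding_payout(enforce_allowlist):
    # Constructed scenario: price 1000, arbiter fee 50, buyer-chosen arbiter.
    e = new_escrow("buyer", "seller", "buyers-friend", 1000, 50, enforce_allowlist)
    e.initiate_dispute("buyer")
    return e.resolve_dispute("buyers-friend", e.balance - e.arbiter_fee)
```

With the allowlist off, the award passes the balance check and the seller's share is zero; with it on, the escrow cannot be created with the buyer-chosen arbiter.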
