Currently there do not seem to be any mechanisms in place to prevent the use of contract addresses instead of EOA addresses:
Should sellers, buyers and arbiters be able to use contracts as their payment-token receiving addresses instead of their EOAs? This adds surface area for potential attack vectors.
Impact: allowing contract addresses as payment-token receivers adds attack surface. Where EOA addresses are sufficient for most or all cases, allowing the buyer, seller or arbiter to use a contract address for receiving payment tokens should be discouraged or disabled.
Rogue actors could potentially carry out attacks via the expanded attack surface exposed by allowing contract addresses to receive ERC20 token payments; a reentrancy vulnerability is already potentially possible.
Tools used: VSC, manual review.
Recommended mitigation: if EOA addresses suffice for receiving payment tokens, then use of contract addresses for the same should be disabled.
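One way to enforce the recommendation, as an added illustration and not the audited project's code: a hypothetical escrow sketch that rejects any seller, buyer or arbiter address that currently holds bytecode, and that still orders state updates before the external token transfer so the reentrancy concern is covered independently. It assumes OpenZeppelin v5 import paths; the `code.length` check is a surface-reduction measure, not a complete guard, since a contract under construction and an EOA without an EIP-7702 delegation both report zero code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin v5 paths (hypothetical example, not the project's code).
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

contract EscrowEoaOnly is ReentrancyGuard {
    using SafeERC20 for IERC20;

    error NotEOA(address who);

    struct Deal {
        address seller;
        address buyer;
        address arbiter;
        IERC20 token;
        uint256 amount;
        bool released;
    }

    mapping(uint256 => Deal) public deals;
    uint256 public nextId;

    // Rejects any address that holds bytecode at call time. Caveat: a contract
    // still in its constructor has code.length == 0, so this narrows the attack
    // surface rather than replacing checks-effects-interactions below.
    function _requireEOA(address who) internal view {
        if (who.code.length != 0) revert NotEOA(who);
    }

    function createDeal(address seller, address arbiter, IERC20 token, uint256 amount)
        external nonReentrant returns (uint256 id)
    {
        _requireEOA(msg.sender); // buyer
        _requireEOA(seller);
        _requireEOA(arbiter);
        id = nextId++;
        deals[id] = Deal(seller, msg.sender, arbiter, token, amount, false);
        token.safeTransferFrom(msg.sender, address(this), amount);
    }

    // Checks-effects-interactions: the release flag is set before the token call,
    // so a re-entering receiver cannot trigger a second payout.
    function release(uint256 id) external nonReentrant {
        Deal storage d = deals[id];
        require(msg.sender == d.buyer || msg.sender == d.arbiter, "not authorized");
        require(!d.released, "already released");
        d.released = true;                        // effect first
        d.token.safeTransfer(d.seller, d.amount); // interaction last
    }
}
```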