Submission Details
Severity: low

Currently there don't seem to be any mechanisms in place to prevent the use of contract addresses instead of EOA addresses

Summary

Currently there don't seem to be any mechanisms in place to prevent the use of contract addresses instead of EOA addresses.
Should sellers, buyers and arbiters be able to use contracts as their payment-token receiving addresses instead of their EOAs? Allowing this adds surface area for potential attack vectors.

Vulnerability Details

Accepting contract addresses as payment-token recipients adds attack surface. Where EOA addresses are sufficient for most or all cases, allowing the buyer, seller or arbiter to use a contract address for receiving payment tokens should be discouraged or disabled.

Impact

Rogue actors could potentially carry out attacks via the expanded attack surface exposed by allowing contract addresses to receive ERC20 token payments. A reentrancy vulnerability is already potentially possible.

Tools Used

VS Code, manual review.

Recommendations

If EOA addresses suffice for receiving payment tokens, then the use of contract addresses for the same purpose should be disabled.
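As an added illustration of the recommendation (this is example code written for this page, not the audited project's contract), the hypothetical escrow below rejects any party address that has code at deployment time and pays out using checks-effects-interactions under a reentrancy guard. It assumes OpenZeppelin v5 import paths; the contract, error and function names are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. OpenZeppelin v5 paths are an assumption.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// @notice Hypothetical escrow that only accepts EOA-like parties (buyer, seller, arbiter)
///         and releases ERC20 funds with checks-effects-interactions.
contract EoaOnlyEscrowExample is ReentrancyGuard {
    using SafeERC20 for IERC20;

    error NotAnEOA(address account);
    error NotAuthorised(address caller);
    error WrongState();

    enum State { Created, Funded, Released, Refunded }

    IERC20  public immutable token;
    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter;
    uint256 public immutable price;
    State   public state;

    constructor(IERC20 _token, address _buyer, address _seller, address _arbiter, uint256 _price) {
        // Every party that may receive tokens must look like an EOA when the escrow is created.
        _requireEOA(_buyer);
        _requireEOA(_seller);
        _requireEOA(_arbiter);
        token = _token;
        buyer = _buyer;
        seller = _seller;
        arbiter = _arbiter;
        price = _price;
    }

    /// @dev Rejects any address that currently has code deployed at it.
    ///  Caveat 1: extcodesize is 0 while a contract's constructor is running, so a contract
    ///            can pass this check if this escrow is deployed from inside that constructor.
    ///  Caveat 2: an address with no code today can acquire code later (CREATE2 to a
    ///            precomputed address, or an EIP-7702 delegation on an EOA), so the check is
    ///            a point-in-time deterrent rather than a proof that the party is an EOA.
    function _requireEOA(address account) internal view {
        if (account.code.length != 0) revert NotAnEOA(account);
    }

    /// @notice Buyer deposits the price. State is updated before the token call.
    function fund() external nonReentrant {
        if (msg.sender != buyer) revert NotAuthorised(msg.sender);
        if (state != State.Created) revert WrongState();
        state = State.Funded;                                  // effect first
        token.safeTransferFrom(buyer, address(this), price);   // interaction last
    }

    /// @notice Buyer or arbiter releases the funds to the seller.
    function release() external nonReentrant {
        if (msg.sender != buyer && msg.sender != arbiter) revert NotAuthorised(msg.sender);
        if (state != State.Funded) revert WrongState();
        state = State.Released;            // effect before the external call
        token.safeTransfer(seller, price); // even a hook-bearing token cannot re-enter usefully
    }

    /// @notice Seller or arbiter refunds the buyer.
    function refund() external nonReentrant {
        if (msg.sender != seller && msg.sender != arbiter) revert NotAuthorised(msg.sender);
        if (state != State.Funded) revert WrongState();
        state = State.Refunded;
        token.safeTransfer(buyer, price);
    }
}
```

Two design notes. First, `account.code.length == 0` (extcodesize) is the usual way to enforce "EOA only", but as the comments say it is a point-in-time check; the other common idiom, `msg.sender == tx.origin`, only works for the caller, not for a stored recipient, and also breaks for smart-contract wallets and EIP-7702 delegated accounts. Re-checking the recipient at payout would narrow the window but can strand funds if a party legitimately acquires code later, so the example checks once at construction and relies on the state-before-transfer ordering and `nonReentrant` to neutralise the reentrancy concern the finding mentions regardless of whether the recipient is a contract.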
