Submission Details
Severity: medium
Valid

[LOW] Escrow#Constructor - Doesn't check that the arbiter is not the zero address and risks locking the funds.

Summary

The constructor function in the Escrow contract has an oversight where it does not verify if the arbiter address is a non-zero address. This could lead to potential issues where funds may be inadvertently locked.

Instead, the verification happens inside initiateDispute(), which is too late in terms of the funds being locked in the contract.

Vulnerability Details

The function does not verify whether the arbiter address is non-zero. This creates a possibility for the arbiter address to be accidentally or intentionally set as the zero address, which could lock funds in the contract as the dispute resolution process requires the presence of an arbiter.

Instead, the verification happens inside **initiateDispute()**, at which point it is too late to change the arbiter to a correct address, since the Escrow contract has already been created and funds have been sent to it.

Impact

If the arbiter address is set as a zero address, it means there is no actual address that can arbitrate disputes. Therefore, if a dispute arises, the contract's funds may remain locked indefinitely since no one can call the resolveDispute function.

Tools Used

Manual Review.

Recommendations

Move the code line:

**if (i_arbiter == address(0)) revert Escrow__DisputeRequiresArbiter();**

to the constructor, so that deployment reverts when **i_arbiter** is the zero address, just like **i_buyer** and **i_seller**.
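The recommended change, shown as an added sketch that is not the audited Escrow source. The names i_buyer, i_seller, i_arbiter, initiateDispute, resolveDispute and Escrow__DisputeRequiresArbiter come from this finding; EscrowSketch, Escrow__ZeroAddress, Escrow__OnlyArbiter, Escrow__NotInDispute, s_disputed and the three-argument constructor are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Simplified model of the escrow roles; token handling is omitted.
contract EscrowSketch {
    error Escrow__ZeroAddress();            // hypothetical name
    error Escrow__DisputeRequiresArbiter(); // named in the finding
    error Escrow__OnlyArbiter();            // hypothetical name
    error Escrow__NotInDispute();           // hypothetical name

    address private immutable i_buyer;
    address private immutable i_seller;
    address private immutable i_arbiter;
    bool private s_disputed;                // hypothetical state flag

    constructor(address buyer, address seller, address arbiter) {
        // Existing behaviour per the finding: buyer and seller are validated here.
        if (buyer == address(0) || seller == address(0)) revert Escrow__ZeroAddress();

        // Recommended fix: reject a zero arbiter at deployment, so the
        // transaction that would create and fund the escrow reverts.
        // The constructor parameter is compared instead of i_arbiter because
        // older 0.8.x compilers reject reading an immutable in the constructor.
        if (arbiter == address(0)) revert Escrow__DisputeRequiresArbiter();

        i_buyer = buyer;
        i_seller = seller;
        i_arbiter = arbiter;
    }

    function initiateDispute() external {
        // Before the fix, the zero-arbiter check lived here. A revert at this
        // point leaves an already-funded escrow with no dispute path.
        s_disputed = true;
    }

    function resolveDispute() external {
        // Only the arbiter may resolve. With i_arbiter == address(0) no
        // caller could ever pass this check, which is the lock-up described
        // in the Impact section.
        if (msg.sender != i_arbiter) revert Escrow__OnlyArbiter();
        if (!s_disputed) revert Escrow__NotInDispute();
        s_disputed = false;
        // Fund distribution would follow here in a real escrow.
    }
}
```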
