In the Escrow Factory, there is currently no check to ensure that the buyer and the arbiter (who resolves disputes) are not the same entity. This vulnerability could lead to potential exploitation. For instance, if the buyer and arbiter are the same person, they could avoid sending tokens to the seller even if the dispute is in the seller's favor. This is because the arbiter, being the buyer, has the ability to withdraw all tokens from the buyer's reward as seen here https://github.com/Cyfrin/2023-07-escrow/blob/65a60eb0773803fa0be4ba72defaec7d8567bccc/src/Escrow.sol#L109.
The vulnerability lies in the lack of verification to ensure that the arbiter is an impartial party and is not directly involved in the transaction as a buyer or seller.
The potential impact of this vulnerability is significant. If exploited, it allows a dishonest buyer, who is also the arbiter, to withhold funds from the seller even if the seller has fulfilled their obligations. This could lead to unfair losses for the seller and could undermine the trust in the Escrow Factory platform.
should verify arbiter who is completely didn't show partiality to any side.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.