40,000 USDC
Submission Details
Severity: low
Valid

Arbiter and Buyer Can Be the Same, Allowing the Seller to Lose Their Payout

Summary

In the Escrow Factory there is currently no check that the buyer and the arbiter (the party who resolves disputes) are different entities. If the buyer and the arbiter are the same person, they can avoid sending tokens to the seller even if the dispute should be decided in the seller's favor: the arbiter, being the buyer, has the ability to resolve the dispute so that all escrowed tokens are withdrawn back to the buyer, as seen here: https://github.com/Cyfrin/2023-07-escrow/blob/65a60eb0773803fa0be4ba72defaec7d8567bccc/src/Escrow.sol#L109.

Vulnerability Details

The vulnerability lies in the lack of verification that the arbiter is an impartial party and is not directly involved in the transaction as either the buyer or the seller.

Impact

The potential impact of this vulnerability is significant. If exploited, it allows a dishonest buyer, who is also the arbiter, to withhold funds from the seller even if the seller has fulfilled their obligations. This could lead to unfair losses for the seller and could undermine the trust in the Escrow Factory platform.

Tools Used

Recommendations

The escrow contract (or the factory that deploys it) should verify at creation time that the arbiter is a distinct party who has no stake in the outcome, i.e. that the arbiter address equals neither the buyer nor the seller.
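The following is an added illustration of that recommendation, not code from the audited repository: a minimal escrow whose constructor rejects an arbiter that is the buyer or the seller, alongside a simplified dispute-resolution function that shows why the role separation matters. The constructor parameter shape, the assumption that a zero arbiter address means "no arbitration", and all error names are hypothetical and do not claim to match the project's own Escrow.sol.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added example (hypothetical, not the audited project's contract).
/// Demonstrates enforcing that the dispute resolver is an impartial third party.
contract EscrowRoleSeparationExample {
    // Hypothetical error names for this illustration.
    error Escrow__ZeroAddress();
    error Escrow__BuyerIsSeller();
    error Escrow__ArbiterIsBuyer();
    error Escrow__ArbiterIsSeller();
    error Escrow__OnlyArbiter();
    error Escrow__NoArbiterConfigured();

    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter; // address(0) assumed to mean "no arbitration"

    // Escrowed value is modelled as a plain balance to keep the example self-contained.
    uint256 public escrowed;

    constructor(address _buyer, address _seller, address _arbiter) payable {
        if (_buyer == address(0) || _seller == address(0)) revert Escrow__ZeroAddress();
        if (_buyer == _seller) revert Escrow__BuyerIsSeller();

        // The missing checks from the finding: whoever decides a dispute must not
        // be one of the two parties whose funds the decision moves.
        if (_arbiter == _buyer) revert Escrow__ArbiterIsBuyer();
        if (_arbiter == _seller) revert Escrow__ArbiterIsSeller();

        buyer = _buyer;
        seller = _seller;
        arbiter = _arbiter;
        escrowed = msg.value;
    }

    /// Simplified resolution: the arbiter decides how much of the escrow goes
    /// back to the buyer; the remainder goes to the seller. Without the
    /// constructor checks above, a buyer who is also the arbiter could call
    /// this with buyerAward == escrowed and pay the seller nothing.
    function resolveDispute(uint256 buyerAward) external {
        if (arbiter == address(0)) revert Escrow__NoArbiterConfigured();
        if (msg.sender != arbiter) revert Escrow__OnlyArbiter();
        require(buyerAward <= escrowed, "award exceeds escrow");

        uint256 sellerAward = escrowed - buyerAward;
        escrowed = 0; // effects before interactions

        if (buyerAward > 0) {
            (bool okBuyer, ) = buyer.call{value: buyerAward}("");
            require(okBuyer, "buyer transfer failed");
        }
        if (sellerAward > 0) {
            (bool okSeller, ) = seller.call{value: sellerAward}("");
            require(okSeller, "seller transfer failed");
        }
    }
}
```

Putting the checks in the constructor means a factory that deploys escrows with user-supplied addresses cannot create an instance where one party also holds the arbiter role; a test that deploys with `_arbiter == _buyer` should revert with `Escrow__ArbiterIsBuyer` and the same for the seller case.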
