Severity: Medium
Confidence: High

Description:
During the audit of the Escrow smart contract, we identified potential risks of integer underflow and overflow in the resolveDispute function when calculating the totalFee and checking if it exceeds the token balance.

import { SafeMath } from "../lib/openzeppelin-contracts/contracts/utils/math/SafeMath.sol";
// ...
function resolveDispute(uint256 buyerAward) external nonReentrant onlyArbiter inState(State.Disputed) {
uint256 tokenBalance = i_tokenContract.balanceOf(address(this));
uint256 totalFee = buyerAward.add(i_arbiterFee);
if (totalFee > tokenBalance) {
revert Escrow__TotalFeeExceedsBalance(tokenBalance, totalFee);
}
// ...
}
// ...
}

Exploit Scenario:
In the resolveDispute function, there is a risk of integer overflow when calculating the totalFee, which is the sum of buyerAward and i_arbiterFee. If either of these values is sufficiently large, it may lead to an overflow, causing an incorrect value for totalFee. Similarly, there is a risk of integer underflow if buyerAward or i_arbiterFee is larger than the tokenBalance.

Recommendation:
To prevent the risks of integer underflow and overflow, we recommend using OpenZeppelin's SafeMath library. SafeMath provides safe arithmetic operations that prevent these vulnerabilities.

By using SafeMath, the contract will perform arithmetic operations with additional checks to prevent overflow and underflow, ensuring the correct calculation of totalFee and avoiding potential issues.

It is essential to thoroughly test the revised code using various test cases, including extreme values for buyerAward and i_arbiterFee, to verify the correct functionality of the contract.

Additional Note:
Regarding the issue of salt and bytes32, it is recommended to explicitly convert the salt variable to bytes32 before using it in the abi.encodePacked function. This ensures consistent behavior and avoids any potential unintended consequences related to data encoding. The code provided earlier in the audit finding already demonstrates the correct usage of bytes32(salt).

Tools Used:
The audit findings were detected using static analysis tools such as Slither and manual code review. The use of Slither helped identify potential issues in the contract, including the integer overflow and underflow vulnerabilities.