Submission Details
Severity: medium

Incorrect settlement to the buyer when a dispute is resolved

Summary

When a dispute occurs, the seller is paid only once it is resolved. The payout is deducted from the amount the buyer paid, but there are no checks to ensure that the amount transferred to the seller is correct.

Vulnerability Details

The arbiterFee and buyerAward are paid to the arbiter and the buyer out of the i_price amount. But if something happens and the contract is drained of some of its tokens, the amount paid out to the seller will not be enough.
This is where it could happen:

https://github.com/Aamirusmani1552/escrow-contract/blob/ac6439ca17fdb66d0cb6f414caceb7cc580e3400/src/Escrow.sol#L125

Impact

The seller might not be paid enough.
Here are some tests:
Test with the original contract Escrow.sol: test

Same test with the updated contract MyEscrow.sol: test

Tools Used

Foundry tests

Recommendations

Add checks to ensure that the seller is paid the correct amount.
Here is an example:
[starts on line 134]
[ends on 141]
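The recommended check, as an added Solidity illustration (a constructed example, not the audited Escrow.sol or the submitter's MyEscrow.sol): the unchecked settlement beside one that derives the seller's share from i_price and reverts on any shortfall. The immutable names mirror the contract's (i_price, i_arbiterFee), but the contract itself and the OpenZeppelin imports are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed example, not the audited Escrow.sol: only the dispute settlement
/// path is modelled; access control, state machine and events are omitted.
contract EscrowSettlementExample {
    using SafeERC20 for IERC20;
    error SellerShortfall(uint256 expected, uint256 actual);

    IERC20 public immutable i_tokenContract;
    address public immutable i_buyer;
    address public immutable i_seller;
    address public immutable i_arbiter;
    uint256 public immutable i_price;      // amount the buyer deposited
    uint256 public immutable i_arbiterFee; // fee owed to the arbiter on resolution

    constructor(IERC20 token, address buyer, address seller, address arbiter, uint256 price, uint256 arbiterFee) {
        i_tokenContract = token;
        i_buyer = buyer;
        i_seller = seller;
        i_arbiter = arbiter;
        i_price = price;
        i_arbiterFee = arbiterFee;
    }

    /// Vulnerable pattern: buyer and arbiter are paid amounts derived from i_price
    /// and the seller receives whatever is left. If the contract holds fewer tokens
    /// than i_price (the report's "drained" case) the seller silently absorbs the loss.
    function resolveDisputeUnchecked(uint256 buyerAward) external {
        i_tokenContract.safeTransfer(i_buyer, buyerAward);
        i_tokenContract.safeTransfer(i_arbiter, i_arbiterFee);
        i_tokenContract.safeTransfer(i_seller, i_tokenContract.balanceOf(address(this)));
    }

    /// Hardened pattern: derive the seller's share from i_price first and verify the
    /// real balance covers it before paying out, so a shortfall reverts the whole
    /// settlement instead of underpaying the seller.
    function resolveDisputeChecked(uint256 buyerAward) external {
        uint256 sellerOwed = i_price - buyerAward - i_arbiterFee; // reverts on underflow
        i_tokenContract.safeTransfer(i_buyer, buyerAward);
        i_tokenContract.safeTransfer(i_arbiter, i_arbiterFee);
        uint256 remaining = i_tokenContract.balanceOf(address(this));
        if (remaining < sellerOwed) revert SellerShortfall(sellerOwed, remaining);
        i_tokenContract.safeTransfer(i_seller, remaining); // at least sellerOwed, plus any excess
    }
}
```

A Foundry test for the checked variant would fund the contract with less than i_price and expect `SellerShortfall` via `vm.expectRevert`, while the unchecked variant completes and leaves the seller short.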
