Submission Details
Severity: medium

`arbiter` Is the Single Point of Failure

Summary

In the project's documentation, it is mentioned that the arbiter is an impartial and trusted actor responsible for resolving disputes between the buyer and seller. However, the vulnerability lies in the fact that the arbiter can be a single point of failure.

The impact of this vulnerability is twofold. Firstly, in case of the unavailability of the arbiter during a dispute, the funds can become locked temporarily or permanently. Secondly, relying on the judgment of a single person or entity may not ensure a fair resolution of disputes.

To demonstrate the impact, this report presents two cases:

  1. Temporary Unavailability: If the arbiter becomes unavailable for a certain period, the funds will be locked temporarily during the dispute resolution process.

  2. Permanent Unavailability: If the arbiter becomes unavailable permanently due to reasons like losing their private key or passing away, the funds will be locked permanently.

The recommended mitigation steps involve considering a multi-signature setup to decrease the probability of funds being locked and increase the fairness of dispute resolution. Implementing a 2-of-3 or 3-of-5 multi-sig setup can help address the single point of failure issue associated with relying solely on the arbiter.

Vulnerability Details

In the documentation of the project, it has been mentioned that:

Arbiter: An impartial, trusted actor who can resolve disputes between the Buyer and Seller.

This means the arbiter is assumed to be trusted, and a malicious arbiter is out of scope. The Known Issues section states the same thing:

  • arbiter is a trusted role

However, what is not considered is that, even though trusted, the arbiter can be a single point of failure. If the arbiter is unavailable when a dispute arises, the funds can be locked.

Apart from the availability of the arbiter, the other concern is that the judgment of a single person or entity may not be fair.

Impact

Considering the availability of the arbiter, two cases can happen:

  1. The arbiter can become unavailable temporarily. For example, they may not be online for some hours or days.

  2. The arbiter can become unavailable permanently. For example, they may lose the private key of their wallet or may die. ☹️

When a dispute happens and the buyer or seller calls initiateDispute(), the funds will be locked temporarily in the first case and permanently in the second case.

Tools Used

Manual Review

Recommendations

Consider changing to a multi-signature setup. Using a 2-of-3 or 3-of-5 multi-sig setup decreases the probability that the funds become locked and increases the fairness of the judgment.
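As an added illustration of this recommendation (example code, not the audited project's contract), the sketch below replaces the single arbiter with an M-of-N arbiter set: any `threshold` arbiters agreeing on the same split release the funds, so one unavailable arbiter no longer locks the escrow. The names `MultiArbiterEscrow`, `resolve(buyerAward)`, `arbiters` and `threshold` are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative M-of-N arbiter escrow (added example, not the audited contract).
/// Buyer deposits on deployment; either party may open a dispute; `threshold` arbiters resolve it.
contract MultiArbiterEscrow {
    enum State { Created, Disputed, Resolved }
    address public immutable buyer;
    address public immutable seller;
    address[] public arbiters;
    uint256 public immutable threshold;   // e.g. 2 for a 2-of-3 setup
    State public state;
    // Per-proposal vote tracking: buyerAward => arbiter => voted, and buyerAward => vote count
    mapping(uint256 => mapping(address => bool)) public voted;
    mapping(uint256 => uint256) public votes;

    constructor(address _seller, address[] memory _arbiters, uint256 _threshold) payable {
        require(_threshold > 0 && _threshold <= _arbiters.length, "bad threshold");
        buyer = msg.sender; seller = _seller; arbiters = _arbiters; threshold = _threshold;
        state = State.Created;
    }

    function isArbiter(address a) public view returns (bool) {
        for (uint256 i = 0; i < arbiters.length; i++) if (arbiters[i] == a) return true;
        return false;
    }

    function initiateDispute() external {
        require(msg.sender == buyer || msg.sender == seller, "not a party");
        require(state == State.Created, "wrong state");
        state = State.Disputed;
    }

    /// Each arbiter votes for a buyer/seller split; the first split reaching `threshold` pays out.
    function resolve(uint256 buyerAward) external {
        require(state == State.Disputed, "no dispute");
        require(isArbiter(msg.sender), "not an arbiter");
        require(buyerAward <= address(this).balance, "award exceeds balance");
        require(!voted[buyerAward][msg.sender], "already voted");
        voted[buyerAward][msg.sender] = true;
        uint256 n = ++votes[buyerAward];
        if (n < threshold) return;            // wait for more arbiters; no single one is required
        state = State.Resolved;               // state updated before external calls (CEI)
        uint256 sellerAward = address(this).balance - buyerAward;
        (bool okBuyer, ) = buyer.call{value: buyerAward}("");
        (bool okSeller, ) = seller.call{value: sellerAward}("");
        require(okBuyer && okSeller, "transfer failed");
    }
}
```

With `threshold` set to 2 and three arbiters, the permanent loss of one arbiter's key leaves the remaining two able to resolve the dispute.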
