The Escrow contract has a vulnerability that could lead to the theft of funds. The constructor does not check whether the arbiter address is the same as the seller's. This oversight lets the seller call both initiateDispute and resolveDispute, ultimately transferring all the funds to themselves without carrying out any work.
In the constructor, the contract allows the arbiter's address (i_arbiter) to be set as any valid Ethereum address, including the seller's address (i_seller). This scenario creates a conflict of interest as the seller can act as both the arbiter and the seller, ultimately giving the seller absolute control over the contract’s funds.
If the arbiter's address is mistakenly set as the seller's address, the seller can abuse this vulnerability by following these steps:
1. The seller initiates a dispute.
2. The seller, acting as the arbiter, resolves the dispute, transferring all funds to themselves.
The impact of this vulnerability is severe, as it allows the seller to steal all funds held in escrow without legitimate resolution.
Manual review
To mitigate this vulnerability, add a check in the constructor that prevents the arbiter's address from being the same as the seller's.
This can be achieved by introducing an additional check in the checks section of the Escrow.sol constructor:
IEscrow.sol
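As an added example (not the contest's Escrow.sol and not the submitter's code), the reduced escrow below shows the constructor check in context; it also rejects an arbiter equal to the buyer, which goes beyond the case described above. The contract name, error names, state enum and the resolveDispute signature are assumptions; only i_seller, i_arbiter, initiateDispute and resolveDispute come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not the audited Escrow.sol. Names other than i_seller,
// i_arbiter, initiateDispute and resolveDispute are hypothetical.
contract EscrowSketch {
    error ArbiterCannotBeSeller(); // hypothetical error name
    error ArbiterCannotBeBuyer();  // hypothetical error name
    error NotParty();
    error NotArbiter();
    error WrongState();

    enum State { Created, Disputed, Resolved }

    address private immutable i_buyer;
    address private immutable i_seller;
    address private immutable i_arbiter;
    State private s_state;

    // The deployer is treated as the buyer and funds the escrow (assumption).
    constructor(address seller, address arbiter) payable {
        // Role separation: the arbiter must be a third party. Without these
        // checks one address could both open and settle a dispute.
        if (arbiter == seller) revert ArbiterCannotBeSeller();
        if (arbiter == msg.sender) revert ArbiterCannotBeBuyer();
        i_buyer = msg.sender;
        i_seller = seller;
        i_arbiter = arbiter;
    }

    // Either party may open a dispute while the escrow is still active.
    function initiateDispute() external {
        if (msg.sender != i_buyer && msg.sender != i_seller) revert NotParty();
        if (s_state != State.Created) revert WrongState();
        s_state = State.Disputed;
    }

    // Only the arbiter may settle, and only in favour of one of the parties.
    function resolveDispute(address payable winner) external {
        if (msg.sender != i_arbiter) revert NotArbiter();
        if (s_state != State.Disputed) revert WrongState();
        if (winner != i_buyer && winner != i_seller) revert NotParty();
        s_state = State.Resolved; // state change before the external call
        (bool ok, ) = winner.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}
```

With the constructor checks in place, a deployment that passes the seller's address as the arbiter reverts before any funds are locked.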