40,000 USDC
Submission Details
Severity: high
Valid

Funds being stuck when Arbiter is stuck

Summary

When there is a dispute, only the Arbiter can end it. This creates a centralization problem: if the Arbiter chooses not to act, or loses control of their wallet, the funds will be stuck in the contract forever.

Vulnerability Details

- The seller or buyer initiates a dispute using initiateDispute()
- s_state is now equal to State.Disputed
- The contract cannot go back to the initial state unless the arbiter runs resolveDispute()
- The arbiter is unavailable / lost their wallet / was hacked
- All the funds are stuck in the contract

Impact

All of the funds can become stuck in the contract.

Tools Used

GitHub / General Reading Analysis

Recommendations

It is recommended to have a backup plan in the contract. Some possible alternatives are as follows:

Option 1: The contract is deployed with multiple arbiters, ordered by turn, and a deadline period per arbiter. If an arbiter does not call resolveDispute in time, the next arbiter can resolve the dispute.

Option 2: There can be another contract with whitelisted arbiters defined in the CodeHawks ecosystem. If the first arbiter does not resolve the dispute by the deadline, any of the whitelisted arbiters can resolve the dispute.

Option 3: There can be a new approvedByBuyerAndSeller voting mechanism through which the buyer and seller together assign a new arbiter to get out of the stuck state.
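
A sketch of Option 1, added here as an illustration and not taken from the audited contract. Apart from initiateDispute, resolveDispute, s_state and State.Disputed, every name is hypothetical. It assumes native ETH as the payment, a 7-day window per arbiter and no arbiter fee.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration of Option 1: arbiters take turns, each with a deadline.
contract RotatingArbiterEscrow {
    enum State { Created, Disputed, Resolved }

    uint256 public constant ARBITER_WINDOW = 7 days; // assumed per-arbiter deadline
    address public immutable i_buyer;
    address public immutable i_seller;
    address[] public s_arbiters;                     // ordered by turn
    uint256 public s_disputedAt;
    State public s_state;
    mapping(address => uint256) public s_owed;       // pull payments

    constructor(address seller, address[] memory arbiters) payable {
        require(arbiters.length > 0, "no arbiters");
        i_buyer = msg.sender;
        i_seller = seller;
        s_arbiters = arbiters;
    }

    function initiateDispute() external {
        require(msg.sender == i_buyer || msg.sender == i_seller, "not a party");
        require(s_state == State.Created, "wrong state");
        s_state = State.Disputed;
        s_disputedAt = block.timestamp; // starts the first arbiter's window
    }

    // The turn advances every ARBITER_WINDOW; the last arbiter keeps it.
    function currentArbiterIndex() public view returns (uint256) {
        uint256 turn = (block.timestamp - s_disputedAt) / ARBITER_WINDOW;
        uint256 last = s_arbiters.length - 1;
        return turn > last ? last : turn;
    }

    function resolveDispute(uint256 buyerAward) external {
        require(s_state == State.Disputed, "not disputed");
        require(msg.sender == s_arbiters[currentArbiterIndex()], "not your turn");
        uint256 balance = address(this).balance;
        require(buyerAward <= balance, "award too large");
        s_state = State.Resolved;
        s_owed[i_buyer] += buyerAward;
        s_owed[i_seller] += balance - buyerAward;
    }

    // Pull pattern: a reverting recipient cannot block dispute resolution.
    function withdraw() external {
        uint256 amount = s_owed[msg.sender];
        s_owed[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The funds can still become stuck if every arbiter in the list is unavailable, so the list length and window should be chosen with that in mind.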
