Submission Details
Severity: low

No Upper/Lower limit for setting arbiter's fee

Summary

The current fee validation logic only checks if the arbiter fee is greater than or equal to the price of the transaction. This validation is insufficient.

Vulnerability Details

In the constructor of the Escrow.sol contract, i_arbiterFee is set to a caller-supplied amount. The existing check only compares the arbiter fee against the full price. It does not prevent setting an excessive fee that could harm the interests of the parties involved. There should be a limit or threshold on the fee, such as 10-20% of the price.

Impact

Inadequate fee validation could reduce users' trust in the escrow system. Any malicious buyer can set the arbiter fee to a very small amount or even 0, which gives the arbiter less incentive to resolve disputes. So there should be a min/max fee system.
Also, there should be a check that the fee is set to 0 when no arbiter is set.

Tools Used

Manual Analysis

Recommendations

Consider adding upper and lower limits for setting up fees.

uint256 private constant PRECISION = 100;

// Custom errors for the new bounds checks (declared alongside the existing Escrow__ errors).
error Escrow__FeeExceedsUpperLimit(uint256 upperLimit);
error Escrow__FeeBelowLowerLimit(uint256 lowerLimit);

constructor(
    uint256 price,
    IERC20 tokenContract,
    address buyer,
    address seller,
    address arbiter,
    uint256 arbiterFee
) {
    if (address(tokenContract) == address(0)) revert Escrow__TokenZeroAddress();
    if (buyer == address(0)) revert Escrow__BuyerZeroAddress();
    if (seller == address(0)) revert Escrow__SellerZeroAddress();
    // The limits depend on the constructor argument `price`, so they must be
    // computed here rather than at state-variable declaration time.
    uint256 upperLimit = (price * 20) / PRECISION; // 20% of the price
    uint256 lowerLimit = (price * 10) / PRECISION; // 10% of the price
    if (arbiterFee > upperLimit) revert Escrow__FeeExceedsUpperLimit(upperLimit);
    if (arbiterFee < lowerLimit) revert Escrow__FeeBelowLowerLimit(lowerLimit);
    if (tokenContract.balanceOf(address(this)) < price) revert Escrow__MustDeployWithTokenBalance();
    i_price = price;
    i_tokenContract = tokenContract;
    i_buyer = buyer;
    i_seller = seller;
    i_arbiter = arbiter;
    i_arbiterFee = arbiterFee;
}
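To exercise the recommended bounds off-chain before changing the contract, here is an added Python model of the constructor's fee checks (example code, not the Escrow contract's own). It mirrors uint256 floor division, uses basis points as an assumed precision, and the error names Escrow__FeeWithoutArbiter and Escrow__InvalidFeeLimits are hypothetical; the other two come from the recommendation above.

```python
# Added model of the recommended fee validation; not the Escrow contract's code.
# Integer arithmetic mirrors Solidity's uint256 floor division so that
# rounding behaves exactly as it would on-chain.
PRECISION = 10_000          # assumed precision in basis points: 1_000 = 10%
ZERO_ADDRESS = 0            # stands in for address(0)


def fee_bounds(price: int, lower_bps: int, upper_bps: int) -> tuple[int, int]:
    """Return (lowerLimit, upperLimit) as the constructor would compute them."""
    return (price * lower_bps) // PRECISION, (price * upper_bps) // PRECISION


def validate_arbiter_fee(price: int, arbiter: int, fee: int,
                         lower_bps: int = 1_000, upper_bps: int = 2_000) -> str:
    """Return "ok" or the name of the custom error the constructor would revert with.

    Defaults encode the 10-20% window suggested in the finding.
    """
    if arbiter == ZERO_ADDRESS:
        # No arbiter means nobody to pay: the fee must be exactly 0.
        # (Hypothetical error name, not from the contract.)
        return "ok" if fee == 0 else "Escrow__FeeWithoutArbiter"
    lower, upper = fee_bounds(price, lower_bps, upper_bps)
    if lower > upper:
        # A lower limit above the upper limit rejects every fee, which is what
        # the original 20/1000 vs 50/1000 constants would have done.
        # (Hypothetical error name, not from the contract.)
        return "Escrow__InvalidFeeLimits"
    if fee > upper:
        return "Escrow__FeeExceedsUpperLimit"
    if fee < lower:
        return "Escrow__FeeBelowLowerLimit"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a 1_000_000-unit escrow with an arbiter at address 0xA.
    price, arbiter = 1_000_000, 0xA
    print(validate_arbiter_fee(price, arbiter, 150_000))   # ok (15%)
    print(validate_arbiter_fee(price, arbiter, 250_000))   # Escrow__FeeExceedsUpperLimit
    print(validate_arbiter_fee(price, arbiter, 0))         # Escrow__FeeBelowLowerLimit
    print(validate_arbiter_fee(price, ZERO_ADDRESS, 1))    # Escrow__FeeWithoutArbiter
    # Caveat: for tiny prices the lower bound rounds down to 0.
    print(fee_bounds(5, 1_000, 2_000))                     # (0, 1)
```

Note that for very small prices the floor-divided lower limit is 0, so a minimum fee expressed only as a percentage does not by itself rule out a zero fee.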
