Buyer can withdraw tokens from Escrow
Summary
Buyer can withdraw tokens from Escrow.
Vulnerability Details
EscrowFactory creates Escrow with CREATE2, the address of the created Escrow is determined by EscrowFactory's address, salt and Escrow contract's bytecode, however, buyer can bypass EscrowFactory to create Escrow, and tokens can be withdrawn from Escrow by buyer.
Buyer can first create a utilization contract with CREATE2, this contract will be used to deploy a malicious contract which can set token allowance to buyer, this malicious contract's address is determined by deployer address and deployer's nonce;
After getting token allowance, buyer will transfer tokens to the malicious contract's address, then destory the utilization contract and the malicious contract, then create utilization contract with CREATE2 again by providing the same salt, the new utilization contract's address will be the same as the old one's, so when buyer utilizes this again contract to create Escrow, as the deployer's address and nonce is the same as before, the Escrow will be created with its address being the same as the malicious contract.
As buyer has the token allowance of the malicious contract, he/she essentially has the token allowance of the Escrow contract, buyer can withdraw tokens from Escrow at any time.
Impact
As buyer can withdraw tokens from Escrow, seller's at risk of losing rewards.
Tools Used
Manual Review
Recommendations
Escrow should never be created without EscrowFactory, please consider to implement in a way to that Escrow can only be created by EscrowFactory, and ensure Escrow only be functional if it is created by EscrowFactory.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.