Submission Details
Severity: low
Valid

Malicious buyer can set himself as the arbiter and scam the seller

Summary

EscrowFactory.sol performs no validation on the arbiter address when a buyer creates an escrow. The buyer chooses every role of the escrow, including the arbiter, whose job is to resolve disputes between buyer and seller. Because nothing prevents the buyer from passing his own address as the arbiter, a malicious buyer can create an escrow in which he is both a party and the judge, and use that position to take the escrowed funds back after the seller has delivered.

Vulnerability Details

The following exploit is possible:
1. Alice (a malicious buyer) creates an escrow through EscrowFactory.sol, passing her own address as the arbiter.
2. The seller completes the audit and sends the report to Alice off-chain.
3. After receiving the report, Alice calls initiateDispute on the escrow contract and then, as the arbiter, calls resolveDispute awarding the full escrowed balance to herself.
4. The seller has delivered the work and receives nothing.

Impact

A seller can deliver the work and receive nothing: the buyer, acting as arbiter, awards the entire escrowed amount to himself. The escrow gives the seller no protection whenever the buyer is also the arbiter.

Tools Used

Manual review

Recommendations

Maintain a list of trusted arbiters in EscrowFactory.sol and check that the supplied arbiter is on that list when an escrow is created; revert if it is not. At minimum, revert when the arbiter address equals the buyer or the seller, since neither party can be a neutral judge of its own dispute.
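The check recommended above, as an added example that is not the project's EscrowFactory.sol or Escrow.sol: a hypothetical factory (TrustedArbiterFactory) that only accepts allowlisted arbiters and rejects any arbiter who is a party to the deal, next to a stub escrow (MinimalEscrow) that shows why the arbiter role is decisive. The contract names, the owner-managed allowlist, the function names other than initiateDispute and resolveDispute, and the use of native ETH instead of an ERC20 token are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not the audited project's code. Names other than
// initiateDispute/resolveDispute are assumed; value is held as native ETH
// for brevity where the real escrow holds an ERC20 token.

/// Minimal escrow stub: the only thing that matters here is who may resolve.
contract MinimalEscrow {
    enum State { Created, Disputed, Resolved }

    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter;
    State public state;

    error OnlyParty();
    error OnlyArbiter();
    error WrongState();

    constructor(address _buyer, address _seller, address _arbiter) payable {
        buyer = _buyer;
        seller = _seller;
        arbiter = _arbiter;
    }

    /// Either party can open a dispute.
    function initiateDispute() external {
        if (msg.sender != buyer && msg.sender != seller) revert OnlyParty();
        if (state != State.Created) revert WrongState();
        state = State.Disputed;
    }

    /// Only the arbiter decides how the escrowed value is split. If the
    /// factory let the buyer name himself arbiter, this is the call with
    /// which he awards himself the whole balance.
    function resolveDispute(uint256 buyerAward) external {
        if (msg.sender != arbiter) revert OnlyArbiter();
        if (state != State.Disputed) revert WrongState();
        uint256 total = address(this).balance;
        require(buyerAward <= total, "award exceeds balance");
        state = State.Resolved; // update state before any external call
        (bool okBuyer,) = buyer.call{value: buyerAward}("");
        (bool okSeller,) = seller.call{value: total - buyerAward}("");
        require(okBuyer && okSeller, "transfer failed");
    }
}

/// Factory that enforces the recommendation: an allowlist of arbiters
/// maintained by the factory owner, and no party to the deal as arbiter.
contract TrustedArbiterFactory {
    address public immutable owner;
    mapping(address => bool) public isTrustedArbiter;

    error NotOwner();
    error ArbiterNotTrusted(address arbiter);
    error ArbiterIsParty(address arbiter);

    event EscrowCreated(address indexed escrow, address indexed buyer, address indexed seller, address arbiter);

    constructor() {
        owner = msg.sender;
    }

    function setTrustedArbiter(address arbiter, bool trusted) external {
        if (msg.sender != owner) revert NotOwner();
        isTrustedArbiter[arbiter] = trusted;
    }

    /// msg.sender is the buyer and funds the escrow with msg.value.
    /// The vulnerable pattern is this same function without the two checks.
    function newEscrow(address seller, address arbiter) external payable returns (address) {
        if (!isTrustedArbiter[arbiter]) revert ArbiterNotTrusted(arbiter);
        if (arbiter == msg.sender || arbiter == seller) revert ArbiterIsParty(arbiter);
        MinimalEscrow e = new MinimalEscrow{value: msg.value}(msg.sender, seller, arbiter);
        emit EscrowCreated(address(e), msg.sender, seller, arbiter);
        return address(e);
    }
}
```

Removing the two checks in newEscrow reproduces the reported issue: a buyer who passes his own address as arbiter can call initiateDispute and then resolveDispute(address(escrow).balance) and take the full balance back. The allowlist alone is not enough if the owner could list a buyer, which is why the party check is kept as a second, independent condition.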
