No input validation when creating an escrow gives oportunities to a malicious buyer to set himself as arbiter and eventually scam the seller . In EscrowFactory.sol
, buyer have the full control to set the important roles of an escrow , Arbiter is one of the most important roles here to resolve cases in case of dispute . But having no input sanitization when creating a escrow can lead to fatal consequences where malicious buyer misuse the oportunity and set himself as arbiter .
A following exploit can happen :
1 . Alice (malicious buyer ) creates an escrow setting himself as the arbiter .
2 . seller completes the audit and send his report to the buyer offchain .
3 . after receiving the report Alice calls initiateDispute
in the escrow contract an gets all his money back from the contract by calling resolveDispute
as he is the arbiter .
4 . Seller got scammed!
Seller may get scammed by a malicious buyer .
Manual review
Consider adding a list of trusted arbiters and check if arbiter is listed while creating an escrow .
Revert if the conditions are not met .
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.