Malicious Buyer can set himself the Arbiter and eventually scam the seller
Summary
No input validation when creating an escrow gives oportunities to a malicious buyer to set himself as arbiter and eventually scam the seller . In EscrowFactory.sol , buyer have the full control to set the important roles of an escrow , Arbiter is one of the most important roles here to resolve cases in case of dispute . But having no input sanitization when creating a escrow can lead to fatal consequences where malicious buyer misuse the oportunity and set himself as arbiter .
Vulnerability Details
A following exploit can happen :
1 . Alice (malicious buyer ) creates an escrow setting himself as the arbiter .
2 . seller completes the audit and send his report to the buyer offchain .
3 . after receiving the report Alice calls initiateDispute in the escrow contract an gets all his money back from the contract by calling resolveDispute as he is the arbiter .
4 . Seller got scammed!
Impact
Seller may get scammed by a malicious buyer .
Tools Used
Manual review
Recommendations
Consider adding a list of trusted arbiters and check if arbiter is listed while creating an escrow .
Revert if the conditions are not met .
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.