CodeHawks Escrow Contract - Competition Details

Summary

The resolveDispute function in the contract suffers from a potential integer overflow issue when calculating the total fee. This issue arises due to the addition of buyerAward and i_arbiterFee, which may result in a value that exceeds the maximum representable value for uint256. An overflow can lead to unexpected behavior, potentially causing incorrect fee calculations and unintended consequences during contract execution.

Vulnerability Details

The vulnerable code snippet is as follows:

In the resolveDispute function, the totalFee is calculated by simply adding the buyerAward and i_arbiterFee variables without any check for potential overflow. Since Solidity doesn't automatically handle overflow for arithmetic operations, an unchecked addition can lead to an integer overflow vulnerability.

Impact

The impact of this vulnerability is that if the sum of buyerAward and i_arbiterFee exceeds the maximum representable value for uint256, the totalFee calculation will wrap around to a lower value than expected. As a result, the contract may allow disputes to be resolved with incorrect fee calculations. This could lead to financial losses or disputes not being resolved appropriately, undermining the integrity of the contract.

Tools Used

Manual

Recommendations

To address the integer overflow vulnerability, the contract should use the SafeMath library for arithmetic operations involving user-supplied values or contract balances. The SafeMath library provides safe arithmetic functions that handle overflow and underflow conditions, preventing unexpected behavior.
Here's an example of how the code can be updated to use SafeMath:

By utilizing SafeMath's add function, the contract can prevent potential overflows and ensure that the arithmetic operations are performed safely. This will safeguard the contract against incorrect fee calculations caused by integer overflow and enhance the overall security and reliability of the contract.