Some tokens like USDC and USDT have a blacklist that prohibits certain addresses from sending or receiving their tokens.
When the Buyer deploys a new Escrow, he must define which token he is paying the Seller and the Arbiter with. Some tokens, like USDC and USDT, have a blacklist that prevents listed users from sending or receiving tokens, so this vulnerability occurs silently until it is too late. If the Seller or the Arbiter is blacklisted, the funds are locked forever in the contract, because neither confirmReceipt() nor resolveDispute() can complete: both send tokens to the Seller or to the Arbiter (and possibly to the Seller again), and the token contract reverts those transfers.
Tokens might be locked forever because either the Arbiter or the Seller is blacklisted by the chosen token, which will happen silently until it is too late.
Manual review
Add a check when deploying a new escrow to see whether the participants are blacklisted. Alternatively, add a mechanism for the Buyer to withdraw the tokens under certain conditions, since he is the one allowed to both send and receive the underlying token.
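Both recommendations in one sketch, as an added example that is not the audited Escrow contract: a best-effort blacklist probe at deployment (USDC's FiatToken exposes isBlacklisted(address); USDT's getter is named isBlackListed, so the probe is not universal) and a buyer-only reclaim path. The deadline rule, function names and the `settled` flag are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}
// Escrow sketch (added example, not the audited contract): the buyer deploys and funds it,
// then releases to the seller (confirmReceipt) or the arbiter splits the funds (resolveDispute).
contract EscrowWithFallback {
    IERC20 public immutable token;
    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter;
    uint256 public immutable deadline; // hypothetical timeout rule, not in the audited code
    bool public settled;

    constructor(IERC20 _token, address _seller, address _arbiter, uint256 _timeout) {
        require(!_reportedBlacklisted(address(_token), _seller), "seller blacklisted");
        require(!_reportedBlacklisted(address(_token), _arbiter), "arbiter blacklisted");
        token = _token; buyer = msg.sender; seller = _seller; arbiter = _arbiter;
        deadline = block.timestamp + _timeout;
    }
    // Probes isBlacklisted(address) via staticcall so a token without that getter still deploys.
    function _reportedBlacklisted(address t, address who) internal view returns (bool) {
        (bool ok, bytes memory data) =
            t.staticcall(abi.encodeWithSignature("isBlacklisted(address)", who));
        if (!ok || data.length != 32) return false; // no such getter: cannot tell
        return abi.decode(data, (bool));
    }
    function confirmReceipt() external {
        require(msg.sender == buyer && !settled, "not allowed");
        settled = true; // set before the external call; a revert rolls it back
        require(token.transfer(seller, token.balanceOf(address(this))), "payout failed");
    }
    function resolveDispute(uint256 arbiterFee) external {
        require(msg.sender == arbiter && !settled, "not allowed");
        settled = true;
        uint256 bal = token.balanceOf(address(this));
        require(token.transfer(arbiter, arbiterFee), "fee failed");
        require(token.transfer(seller, bal - arbiterFee), "payout failed");
    }
    // Buyer-only exit: if payouts keep reverting (e.g. a blacklisted seller or arbiter),
    // the buyer recovers the funds once the deadline has passed and nothing was settled.
    function reclaim() external {
        require(msg.sender == buyer && !settled && block.timestamp >= deadline, "not yet");
        settled = true;
        require(token.transfer(buyer, token.balanceOf(address(this))), "refund failed");
    }
}
```

The probe only catches addresses blacklisted at deployment time; an address blacklisted afterwards is exactly the case the reclaim path exists for.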