Submission Details
Severity: high

Protocol mechanism flaw may be harmful to buyer or seller

Summary

A protocol design flaw may harm the buyer or the seller, because the arbiter can be the same address as the buyer or the seller.

Vulnerability Details

In the current implementation, the protocol does not prevent the arbiter from being the buyer or the seller, which can benefit one party and harm the other.

Either the buyer or the seller can initiate a dispute. After that, the arbiter has the privilege to resolve the dispute by choosing buyerAward. If the buyer is also the arbiter, a malicious buyer can set buyerAward to i_tokenContract.balanceOf(address(this)) - i_arbiterFee and take the entire balance held by the protocol, so the seller receives nothing from the escrow. This makes the arbitration mechanism, and the protocol itself, meaningless. It is very possible for a malicious buyer to set himself as the arbiter, because the buyer has the escrow initiation privilege.

On the other hand, if the seller is also the arbiter, the seller can harm the buyer by decreasing buyerAward, but this scenario is less likely.

Impact

An arbiter who is also the buyer or the seller can resolve disputes in their own favor, harming the other party.

Tools Used

vscode, Manual Review

Recommendations

Guarantee that the arbiter can't be the buyer or the seller.

require(buyer != arbiter && seller != arbiter, "arbiter can't be seller or buyer");
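
The recommended check placed in a minimal escrow, as an added example that is not the audited contract's code. The contract, interface and error names are hypothetical; only buyerAward, i_tokenContract and i_arbiterFee follow the names used in this finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Added illustration, not the audited contract. IERC20Like, RoleSeparatedEscrow and the
// error names are hypothetical; buyerAward, i_tokenContract, i_arbiterFee follow the finding.
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract RoleSeparatedEscrow {
    error ArbiterIsParty();
    error Unauthorized();
    error NotDisputed();
    error AwardTooLarge();
    error TransferFailed();
    IERC20Like private immutable i_tokenContract;
    address private immutable i_buyer;
    address private immutable i_seller;
    address private immutable i_arbiter;
    uint256 private immutable i_arbiterFee;
    bool private s_disputed;

    constructor(IERC20Like token, address buyer, address seller, address arbiter, uint256 arbiterFee) {
        // The recommended check: whoever creates the escrow cannot name a party as the judge.
        if (arbiter == buyer || arbiter == seller) revert ArbiterIsParty();
        i_tokenContract = token;
        i_buyer = buyer;
        i_seller = seller;
        i_arbiter = arbiter;
        i_arbiterFee = arbiterFee;
    }

    function initiateDispute() external {
        if (msg.sender != i_buyer && msg.sender != i_seller) revert Unauthorized();
        s_disputed = true;
    }

    function resolveDispute(uint256 buyerAward) external {
        if (msg.sender != i_arbiter) revert Unauthorized();
        if (!s_disputed) revert NotDisputed();
        uint256 balance = i_tokenContract.balanceOf(address(this));
        // The arbiter alone picks buyerAward, anywhere up to balance - i_arbiterFee.
        if (buyerAward + i_arbiterFee > balance) revert AwardTooLarge();
        s_disputed = false; // settle state before the external token calls
        if (!i_tokenContract.transfer(i_buyer, buyerAward)) revert TransferFailed();
        if (!i_tokenContract.transfer(i_arbiter, i_arbiterFee)) revert TransferFailed();
        if (!i_tokenContract.transfer(i_seller, balance - buyerAward - i_arbiterFee)) revert TransferFailed();
    }
}
```

Because the roles are immutable, checking them once in the constructor is sufficient; a deployment that names the buyer or the seller as arbiter reverts before any funds can be escrowed.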
