40,000 USDC
Submission Details
Severity: low
Valid

Buyer can drain the funds of an escrow

Summary

The buyer of the audit can drain all the funds in the escrow by setting the arbiter to a wallet of his own or to one owned by a malicious arbiter.

Vulnerability Details

The buyer of the audit can deploy an escrow contract and set the arbiter address to an address owned by him, or to one owned by a malicious arbiter controlled by a collaborator of the buyer.

The vulnerability works as follows: at some point during the audit the buyer calls the initiateDispute function, and the arbiter then calls the resolveDispute function, passing (i_price - i_arbiterFee) as the parameter and leaving the seller with 0 rewards.

Impact

High - Med
High if the arbiter has access to the vulnerability list provided by the seller; in that case the incentive to perform such an attack is much higher.

If the arbiter has no access to the vulnerability list, the buyer is less incentivized to do so, as he will not get anything. The attack can still be executed, however, and can potentially make the auditors lose their time.

Tools Used

Foundry

To run the PoC, clone the repo from the GitHub link provided and run the following command:

forge test --match-contract EscrowBuyerArbitrerManipulation

Recommendations

  • Have a whitelist for arbiters

  • Add some way of preventing this kind of behavior from occurring. One way to do so is to set a minimum reward for the seller of the audit and correlate this minimum reward with the time passed since the escrow contract was created
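
One way to implement the second recommendation, as an added sketch that is not the audited contract or the submitter's PoC. Only `i_price`, `i_arbiterFee` and `resolveDispute` come from the report; the contract name, the other fields, the 30-day ramp and the 50% cap are assumptions, and the dispute state machine (`initiateDispute`) is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }

// Added sketch, not the audited Escrow contract. Only i_price, i_arbiterFee and
// resolveDispute come from the report; every other name and constant is assumed.
contract EscrowFloorSketch {
    IERC20 immutable i_token;
    address immutable i_buyer;
    address immutable i_seller;
    address immutable i_arbiter;
    uint256 immutable i_price;
    uint256 immutable i_arbiterFee;
    uint256 immutable i_createdAt;
    bool resolved;

    uint256 constant RAMP = 30 days;        // assumed: time to reach the full floor
    uint256 constant MAX_FLOOR_BPS = 5_000; // assumed: floor caps at 50% of the pot

    constructor(IERC20 token, address seller, address arbiter, uint256 price, uint256 fee) {
        require(fee <= price, "fee exceeds price");
        i_token = token; i_buyer = msg.sender; i_seller = seller; i_arbiter = arbiter;
        i_price = price; i_arbiterFee = fee; i_createdAt = block.timestamp;
    }

    // Minimum the seller must receive, growing linearly with escrow age.
    function sellerFloor() public view returns (uint256) {
        uint256 age = block.timestamp - i_createdAt;
        if (age > RAMP) age = RAMP;
        return ((i_price - i_arbiterFee) * MAX_FLOOR_BPS * age) / (10_000 * RAMP);
    }

    function resolveDispute(uint256 buyerAward) external {
        require(msg.sender == i_arbiter, "only arbiter");
        require(!resolved, "already resolved");
        uint256 pot = i_price - i_arbiterFee;
        require(buyerAward <= pot, "award exceeds pot");
        uint256 sellerAward = pot - buyerAward;
        // Rejects buyerAward == i_price - i_arbiterFee once the escrow has aged.
        require(sellerAward >= sellerFloor(), "seller below time-based floor");
        resolved = true;
        require(i_token.transfer(i_buyer, buyerAward), "buyer transfer failed");
        require(i_token.transfer(i_seller, sellerAward), "seller transfer failed");
        require(i_token.transfer(i_arbiter, i_arbiterFee), "fee transfer failed");
    }
}
```

The floor is zero at creation and rises with escrow age, so an arbiter chosen by the buyer cannot award the whole pot to the buyer after the seller has spent time on the audit.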
