40,000 USDC
Submission Details
Severity: high

The user can create a newEscrow with just one token, and they can also choose to pay 0 fees

Summary

Based on the code of the EscrowFactory contract, it is indeed possible to create a new Escrow in the following way:

- By passing only 1 token as the price.
- Setting the arbiterFee to 0.

This is because in EscrowFactory:

- There is no validation of the minimum price.
- It only checks that arbiterFee < price.

Therefore, with a price of 1 and a fee of 0, the only condition is met.
This could allow creating "fake" Escrows that are very cheap, possibly with malicious incentives.

Some ways to mitigate this:

- In EscrowFactory, require a minimum price (e.g., 1 ETH).
- Require the fee to be a minimum percentage of the price (e.g., 10%).
- Validate in Escrow that the price is greater than a minimum value.
- Do not allow a fee of 0 for the arbiter in EscrowFactory.
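
One way to combine the mitigations listed above into a single parameter check, written as an added example and not code from the audited repository. The names EscrowParamGuard, minPriceOf, _setMinPrice and _checkEscrowParams are hypothetical, as is the choice to configure the minimum price per token; MIN_FEE_BPS uses the 10% figure given above as an example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not code from the audited repository.
// All names and values here are hypothetical policy choices.
abstract contract EscrowParamGuard {
    error TokenNotConfigured(address token);
    error PriceBelowMinimum(uint256 price, uint256 minPrice);
    error FeeNotBelowPrice(uint256 price, uint256 arbiterFee);
    error FeeBelowMinimum(uint256 arbiterFee, uint256 minFee);

    uint256 internal constant BPS = 10_000;
    uint256 internal constant MIN_FEE_BPS = 1_000; // 10% of the price

    // Minimum price per token, in that token's smallest unit, because
    // "1 unit" is a very different amount at 6 and at 18 decimals.
    mapping(address => uint256) public minPriceOf;

    function _setMinPrice(address token, uint256 minPrice) internal {
        minPriceOf[token] = minPrice;
    }

    // Intended to run before an escrow is deployed.
    // Reverts on parameters such as (price = 1, arbiterFee = 0).
    function _checkEscrowParams(address token, uint256 price, uint256 arbiterFee)
        internal
        view
    {
        uint256 minPrice = minPriceOf[token];
        if (minPrice == 0) revert TokenNotConfigured(token);
        if (price < minPrice) revert PriceBelowMinimum(price, minPrice);

        // The rule the report says already exists: arbiterFee < price.
        if (arbiterFee >= price) revert FeeNotBelowPrice(price, arbiterFee);

        // Round the minimum fee up so integer division cannot floor it
        // to zero for small prices.
        uint256 minFee = (price * MIN_FEE_BPS + BPS - 1) / BPS;
        if (arbiterFee < minFee) revert FeeBelowMinimum(arbiterFee, minFee);
    }
}
```

Because the minimum fee is rounded up, a price of 1 can never pass: the fee would have to be at least 1 and also strictly less than 1.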

POC (Proof of Concept):

    function testBugalba() public hasTokensApprovedForSending {
        // Address the escrow will be deployed to for these parameters.
        address computedAddress = escrowFactory.computeEscrowAddress(
            type(Escrow).creationCode,
            address(escrowFactory),
            uint256(SALT1),
            1, //@audit creating the escrow with just one token
            i_tokenContract,
            BUYER,
            SELLER,
            ARBITER,
            0 //@audit this is the arbiter fee; the only check is arbiterFee < price, so 0 still works.
        );
        // Fund the future escrow address before deployment.
        ERC20Mock(address(i_tokenContract)).mint(computedAddress, PRICE);
        vm.startPrank(address(escrowFactory));
        // Deployment succeeds with price = 1 and arbiterFee = 0.
        Escrow escrow = new Escrow{salt: SALT1}(
            1,
            i_tokenContract,
            BUYER,
            SELLER,
            ARBITER,
            0
        );
        vm.stopPrank();
        assertEq(computedAddress, address(escrow));
    }

Impact

This could allow creating very cheap "fake" Escrows; a user can call it multiple times and spam.

Tools Used

Manual review

Recommendations
