CodeHawks Escrow Contract - Competition Details
Cyfrin
Foundry
40,000 USDC
View results
Previous Next
Submission Details
Severity: medium

The seller should pay `i_arbiterFee` to initiate a dispute.

kupiasec

Summary

The buyer would lose i_arbiterFee unfairly if the seller calls initiateDispute() without doing his work.

Vulnerability Details

Currently, both buyer and seller can initiate a dispute using initiateDispute().

function initiateDispute() external onlyBuyerOrSeller inState(State.Created) {
if (i_arbiter == address(0)) revert Escrow__DisputeRequiresArbiter();
s_state = State.Disputed;
emit Disputed(msg.sender);
}

But it's not fair for the buyer and he might lose the funds by malicious sellers.

  1. After creating an escrow, the seller calls initiateDispute() immediately as he doesn't want to proceed.

  2. Then even if the arbiter refunds all funds to the buyer using resolveDispute(), the buyer will lose i_arbiterFee. But the seller doesn't lose anything.

While checking normal disputes in the real world, both sides should have the risk of losing money when they have disputed incorrectly.

But with the current logic, it's beneficial to the seller.

Impact

The buyer would lose i_arbiterFee unfairly by malicious sellers.

Tools Used

Manual Review

Recommendations

In initiateDispute(), the seller should pay i_arbiterFee to prevent a malicious dispute.

If he wins, he will get back his funds and lose if he's wrong.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.