Submission Details
Severity: high

Potential for Man-in-the-Middle Attack

Summary

An attacker can trick the buyer into creating an escrow contract for the attacker's benefit, leading to a loss for the buyer when the seller initiates a dispute.

Vulnerability Detail

This issue arises from a lack of safeguards against impersonation attacks within the system. An attacker can exploit this to trick buyers into creating escrow contracts for the attacker's benefit, leaving unsuspecting buyers at a loss. The scam works because the real seller, seeing a valid contract with their address, may provide the service or product to the malicious actor, mistaking them for the legitimate buyer.

Impact

The attack scenario can lead to financial losses for the buyer and unnecessary disputes for the seller. Moreover, it can harm the reputation and trustworthiness of the platform.

Tools Used

A detailed review of the code base was conducted to identify this issue.

Recommendation

It is recommended to implement additional security measures to prevent such impersonation attacks. This could include requiring some form of user verification or authentication when initiating a contract. Further, a secure channel for communication and contract initiation can be established between the buyer and seller, potentially using cryptographic techniques to verify each other's identities before the transaction.
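One way to apply the cryptographic verification recommended above, as an added example that is not the audited project's code: the escrow can be opened only with the seller's signature over the exact buyer address, price and nonce, so an offer the seller signed for one party cannot be used by another. It assumes an EVM escrow; the contract name `SignedEscrowGate`, its functions and the off-chain signing step are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical gate in front of escrow creation (illustration only).
contract SignedEscrowGate {
    // Digests of offers already consumed; blocks replay of a signed offer.
    mapping(bytes32 => bool) public usedOffer;

    event EscrowOpened(address indexed buyer, address indexed seller, uint256 price, bytes32 digest);

    /// Digest the seller signs off-chain with their wallet. Chain id and this
    /// contract's address are bound in, so the signature is not valid on
    /// another chain or another deployment.
    function offerDigest(address buyer, address seller, uint256 price, uint256 nonce)
        public
        view
        returns (bytes32)
    {
        bytes32 inner = keccak256(
            abi.encode(block.chainid, address(this), buyer, seller, price, nonce)
        );
        // EIP-191 prefix used by personal_sign for a 32-byte message.
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    /// Called by the buyer. The digest is rebuilt from msg.sender, so it only
    /// matches an offer in which the seller named this caller as the buyer.
    function openEscrow(
        address seller,
        uint256 price,
        uint256 nonce,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external {
        bytes32 digest = offerDigest(msg.sender, seller, price, nonce);
        require(!usedOffer[digest], "offer already used");

        // ecrecover returns address(0) on an invalid signature.
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0) && signer == seller, "seller did not sign for this buyer");

        usedOffer[digest] = true;
        // Funding and deployment of the escrow itself are out of scope here.
        emit EscrowOpened(msg.sender, seller, price, digest);
    }
}
```

Because the seller's signature names the buyer address, a seller who was negotiating with an impersonator has signed for the impersonator's address, and the real buyer's call reverts instead of funding an escrow the seller attributes to someone else.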
