40,000 USDC
Submission Details
Severity: gas
Valid

Excess funds sent on contract creation could be lost

Summary

When a contract is created, the buyer loses control over any excess funds sent in. At that point the buyer must rely on the seller or arbiter (if enabled) or lose the funds forever.

Vulnerability Details

The contract requires that the escrow be funded prior to or at the time of creation. A check ensures that the token balance is greater than or equal to the amount. Sending more than the specified amount does not cause a revert.

if (tokenContract.balanceOf(address(this)) < price) revert Escrow__MustDeployWithTokenBalance();

Impact

Low. The severity of this is potentially high as the buyer would have to trust the seller and/or the arbiter to get back any extra funds sent mistakenly. However, the difficulty of triggering this issue is also high because the buyer would have to make a mistake during the token transfer. Because the difficulty is so high, this is a low impact.

Tools Used

Manual review.

Recommendations

If there is no intended use case for this, consider refunding the buyer for any excess funds over the amount. If there actually is an undocumented use case for sending more funds than the price, update the documentation and consider adding an explicit flag enableSurplus to the constructor arguments to ensure this was not a mistake.
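A sketch of both recommendations combined, added here as an illustration and not taken from the audited code base: the constructor keeps the original balance check, then returns anything above price to the buyer unless enableSurplus is set. The contract name, the buyer parameter, the second error, the event and the _refund helper are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal ERC-20 surface needed by this sketch.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical contract: only the balance check, tokenContract, price and
// enableSurplus come from the finding; every other name is assumed.
contract EscrowSurplusSketch {
    error Escrow__MustDeployWithTokenBalance();
    error Escrow__SurplusRefundFailed();

    event SurplusRefunded(address indexed buyer, uint256 amount);

    uint256 public immutable price;
    IERC20 public immutable tokenContract;
    address public immutable buyer;

    constructor(uint256 _price, IERC20 _tokenContract, address _buyer, bool enableSurplus) {
        uint256 balance = _tokenContract.balanceOf(address(this));
        // Original check from the finding: underfunding reverts, overfunding does not.
        if (balance < _price) revert Escrow__MustDeployWithTokenBalance();

        price = _price;
        tokenContract = _tokenContract;
        buyer = _buyer;

        // Added handling: unless the deployer opted in to a surplus,
        // return everything above price to the buyer at creation.
        uint256 surplus = balance - _price;
        if (surplus > 0 && !enableSurplus) {
            _refund(_tokenContract, _buyer, surplus);
            emit SurplusRefunded(_buyer, surplus);
        }
    }

    // Tolerates tokens that return no value from transfer().
    function _refund(IERC20 token, address to, uint256 amount) private {
        (bool ok, bytes memory ret) =
            address(token).call(abi.encodeWithSelector(IERC20.transfer.selector, to, amount));
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) {
            revert Escrow__SurplusRefundFailed();
        }
    }
}
```

With enableSurplus set to false, a deployment funded with more than price ends holding exactly price, and the SurplusRefunded event records the amount returned.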
