CodeHawks Escrow Contract - Competition Details

Summary

Seller might get more or less amount depending on buyers deposit to escrow

Vulnerability Details

The reason is that it is quite possible that by mistake buyer can only deposit the amount never considering dispute will occur or deposits more amount considering dispute.

Say $10K is the audit price but by mistake he also considers dispute price extra $5K so $10K + $1K = $11K which can go directly to seller if dispute doesn't happen

Or only deposits $10K and dispute occurs then seller will get only say $10K - $1K = $9K
For example from tests from above gist consider, For some reason dispute is created by seller/buyer

Case 1:
After series of discussions it has been decide that issues is correct
But as the price/amount is already sent to contract via factory you can't change it
So when arbiter resolves the issue is share goes to him
So that leaves the seller with less that the decide amount which might make seller unhappy

Case 2:
On the other hand if there are no issues and buyer decided that there can be dispute
and nothing happens then auditor/seller might get more than what is decided.
This can happen because there is no separate way to handle arbiter fee

Impact

Buyer might give more amount to seller than decide or less if dispute is created

Tools Used

Manual Analysis, foundry

Recommendations

Even though this might be desired functionality but you can make sure to have withdraw functionality for withdrawing arbiter fee if no dispute is created.