DOS/Funds locked in contract through USDC/USDT blacklisting
Summary
Funds could be locked inside the contract in multiple scenarios if one of the addresses involved (seller, buyer, arbiter) is blacklisted from USDC ( or other relevant/approved/accepted tokens with a blacklisting mechanism like USDT )
Vulnerability Details
POC:
Buyer creates an Escrow contract through EscrowFactory, everything goes smoothly so far...
Seller performs the audit, however, for some external reasons the address the seller used is now blacklisted, as there is no way for him to change his receiving address ( as they are immutable ) the funds will be locked.
This scenario could happen from multiple perspectives, maybe the arbiter will be blacklisted and when he receives his fee the transaction will revert because he is the blacklisted one, the same can happen for the buyer/seller too. ( in the case the resolveDispute function is called )
There is also the scenario where no arbiter is set and as the seller is blacklisted funds will be completely frozen and not even a centralization factor will help.
Impact
Tools Used
Manual review
Recommendations
Give the seller/buyer/arbiter the opportunity to change their own address in case one it will be blacklisted, example:
Check in the constructor if one of the set addresses (seller,buyer,arbiter) is blacklisted from the respective token ( if the respective token will have the blacklisting/banning functionality )
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.