CodeHawks Escrow Contract - Competition Details

Cyfrin

Foundry

40,000 USDC

View results

Previous Next

Submission Details

Severity: high

No zero address check can result in DOS (Fund Stuck) in Escrow contract

smaul

Summary

No zero address check for arbiter address in Escrow contract is present. So, if someone set the arbiter address to zero and then buyer/seller call to initiateDispute then s_state become to State.Disputed and to resolve the dispute resolveDispute need to be called by arbiter only. As, the arbiter address is zero address then not possible to resolve the dispute ever and the fund will be stuck forever.

Vulnerability Details

Buyer calls newEscrow function of EscrowFactory.sol with necessary input and provides arbiter address to zero address. A new Escrow contract will be created with arbiter address as zero.
Now Buyer/Seller calls the initiateDispute function of Escrow.sol contract. Now the s_state became to State.Disputed
Now to resolve the dispute resolveDispute need to be called by arbiter only. But it's never possible as arbiter address is zero address.
The funds available in the Escrow contract will be stuck forever.

Impact

The funds available in the Escrow contract will be stuck forever.

Recommendations

Don't allow to set arbiter address to zero address.

Prize pool breakdown

Total prize

40,000 USDC

nSLOC

186

215 USDC / LOC

High Medium

37,000 USDC

Low

3,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.