40,000 USDC
Submission Details
Severity: gas
Valid

No check prevents a buyer from passing a fake or mistyped token address to newEscrow

Summary

newEscrow does not verify that the token address supplied by the buyer is a real, intended ERC20 token rather than a fake or mistyped one.

Vulnerability Details

The newEscrow function in EscrowFactory.sol creates a new escrow between a seller and a buyer. The problem is that the function never checks whether the IERC20 tokenContract it receives is an existing contract at all, or whether it is a fake token rather than the one the parties intended.

    function newEscrow(
        uint256 price,
        IERC20 tokenContract,   // accepted as-is: no existence or whitelist check
        address seller,
        address arbiter,
        uint256 arbiterFee,
        bytes32 salt
    ) external {
        // body omitted in the report; it pulls `price` via tokenContract.safeTransferFrom
    }

Impact

There are two scenarios here:

  • In the first, a malicious buyer deploys a token whose address closely resembles the official token's address, receives the service, and pays with worthless fake tokens.

  • In the second, an honest user mistypes the token address, again ending up with an address close to the real one but incorrect, and loses funds as a result.

Tools Used

manually/vscode

Recommendations

  • Implement a simple token whitelist so that only approved token contracts can be used for an escrow.

  • Add an explicit check before calling safeTransferFrom that tokenContract is a contract and not an EOA.
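The following is an added illustration of both recommendations, not code from the audited EscrowFactory: a hypothetical factory sketch (contract and function names `TokenCheckedEscrowFactory`, `fundEscrow` and `setAllowedToken` are invented here) that rejects addresses with no deployed bytecode and then requires the token to be on an owner-managed whitelist before pulling funds with OpenZeppelin's SafeERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumes OpenZeppelin contracts are available on the import path.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative sketch (not the audited EscrowFactory): puts the two
/// recommended checks in front of the token pull.
contract TokenCheckedEscrowFactory {
    using SafeERC20 for IERC20;

    error TokenNotContract(address token);
    error TokenNotAllowed(address token);
    error NotOwner(address caller);

    address public immutable owner;
    mapping(address => bool) public allowedTokens;

    event TokenAllowed(address indexed token, bool allowed);
    event EscrowFunded(address indexed buyer, address indexed token, uint256 price);

    constructor(address[] memory initialTokens) {
        owner = msg.sender;
        for (uint256 i = 0; i < initialTokens.length; i++) {
            _setAllowed(initialTokens[i], true);
        }
    }

    /// Whitelist management: owner-only, and whitelisted entries must be contracts.
    function setAllowedToken(address token, bool allowed) external {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _setAllowed(token, allowed);
    }

    function _setAllowed(address token, bool allowed) internal {
        // Reject EOAs even at whitelist time so a typo cannot be "approved".
        if (allowed && token.code.length == 0) revert TokenNotContract(token);
        allowedTokens[token] = allowed;
        emit TokenAllowed(token, allowed);
    }

    /// Hypothetical stand-in for the token-handling part of newEscrow.
    /// `escrow` is the address the funds are sent to (computed by the real factory).
    function fundEscrow(uint256 price, IERC20 tokenContract, address escrow) external {
        address token = address(tokenContract);

        // Check 1: the address must hold bytecode, so a mistyped address that
        // points at an EOA fails early with a clear reason (scenario 2).
        if (token.code.length == 0) revert TokenNotContract(token);

        // Check 2: only whitelisted tokens are accepted, which stops a
        // look-alike token deployed by the buyer (scenario 1).
        if (!allowedTokens[token]) revert TokenNotAllowed(token);

        tokenContract.safeTransferFrom(msg.sender, escrow, price);
        emit EscrowFunded(msg.sender, token, price);
    }
}
```

The bytecode check alone only covers the typo case: a deliberately deployed look-alike token is a contract and passes it. Only the whitelist addresses the first scenario, so the two checks complement rather than replace each other. Note also that OpenZeppelin's SafeERC20 in the 4.x line already reverts when the target has no code ("Address: call to non-contract"), so the explicit `code.length` check mainly improves the error reported to the user rather than adding protection that was entirely absent.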
