CodeHawks Escrow Contract - Competition Details

Cyfrin

Foundry

40,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Escrow#InitiateDispute - Include Trade Record ID

victorygod

Summary

The contract should include the trade record ID as a parameter in the initiateDispute() function. Not including the trade record ID can lead to incorrect escrow identification, unauthorized disputes, lack of auditability, and difficulties in tracking the dispute history.

Vulnerability Details

Without this unique identifier, it becomes challenging to accurately identify and associate the dispute with the correct escrow record.

Impact

Incorrect Escrow Identification: Without the trade record ID, there is a risk of confusion and potential manipulation of the dispute process. Determining the correct escrow record associated with the dispute becomes difficult, leading to incorrect actions or resolutions.
Unauthorized Disputes: The absence of the trade record ID allows anyone to potentially initiate a dispute for any escrow. This opens up the possibility of unauthorized disputes being initiated, leading to unnecessary confusion and potential abuse of the dispute process.
Lack of Auditability: The trade record ID plays a crucial role in maintaining the auditability of the contract. Without it, tracking and verifying the details of the dispute process become challenging. This hinders transparency and accountability, making it difficult to ensure the integrity of the contract.
Inability to Track Dispute History: Including the trade record ID enables a clear and auditable trail of the dispute history. Without the trade record ID, it becomes difficult to track and distinguish between different disputes, especially if there are multiple disputes for different trade records.

Tools Used

Manual Analysis

Recommendations

Include Trade Record ID: Modify the initiateDispute() function to include the trade record ID as a parameter. This ensures a unique identifier for the escrow record associated with the dispute, enhancing accuracy and preventing confusion.
Validate and Authenticate Trade Record ID: Implement proper validation and authentication mechanisms for the trade record ID. This helps prevent manipulation or unauthorized access to the dispute process.

Prize pool breakdown

Total prize

40,000 USDC

nSLOC

186

215 USDC / LOC

High Medium

37,000 USDC

Low

3,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.