Severity: high

Incorrect implementation of the onlyBuyerOrSeller modifier leads to unexpected reverts

Summary

The onlyBuyerOrSeller modifier is designed to ensure that only the buyer or the seller can initiate a dispute, but due to incorrect implementation neither the buyer nor the seller will be able to initiate a dispute.

Vulnerability Details

    /// @dev Throws if called by any account other than buyer or seller.
    modifier onlyBuyerOrSeller() {
        if (msg.sender != i_buyer && msg.sender != i_seller) {
            revert Escrow__OnlyBuyerOrSeller();
        }
        _;
    }

The current implementation will revert if the caller is not i_buyer AND i_seller, which is incorrect.

Impact

Disputes between buyers and sellers can never be initiated, rendering the initiateDispute() function useless.

Tools Used

Manual

Recommendations

Use || instead of && like so:

    /// @dev Throws if called by any account other than buyer or seller.
    modifier onlyBuyerOrSeller() {
        if (msg.sender != i_buyer || msg.sender != i_seller) {
            revert Escrow__OnlyBuyerOrSeller();
        }
        _;
    }
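
Added example (not part of the submission or the audited codebase): a Foundry test that runs both conditions from the listings above against the buyer, the seller and an unrelated caller, so the behaviour of each guard can be checked directly. GuardHarness, GuardTest, guardAnd, guardOr and the test addresses are hypothetical names, and forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
import {Test} from "forge-std/Test.sol";
// Hypothetical stand-in for the escrow contract: only the caller check is modelled.
contract GuardHarness {
    error Escrow__OnlyBuyerOrSeller();
    address private immutable i_buyer;
    address private immutable i_seller;
    constructor(address buyer, address seller) {
        i_buyer = buyer;
        i_seller = seller;
    }
    // Condition from the "Vulnerability Details" listing.
    function guardAnd() external view {
        if (msg.sender != i_buyer && msg.sender != i_seller) revert Escrow__OnlyBuyerOrSeller();
    }

    // Condition from the "Recommendations" listing.
    function guardOr() external view {
        if (msg.sender != i_buyer || msg.sender != i_seller) revert Escrow__OnlyBuyerOrSeller();
    }
}

contract GuardTest is Test {
    address buyer = makeAddr("buyer"); // constructed test addresses
    address seller = makeAddr("seller");
    address stranger = makeAddr("stranger");
    GuardHarness guard;
    function setUp() public { guard = new GuardHarness(buyer, seller); }

    function test_andCondition() public {
        vm.prank(buyer);
        guard.guardAnd(); // buyer passes
        vm.prank(seller);
        guard.guardAnd(); // seller passes
        vm.prank(stranger);
        vm.expectRevert(GuardHarness.Escrow__OnlyBuyerOrSeller.selector);
        guard.guardAnd(); // any other caller reverts
    }

    function test_orCondition() public {
        address[3] memory callers = [buyer, seller, stranger];
        for (uint256 i = 0; i < callers.length; i++) {
            vm.prank(callers[i]);
            vm.expectRevert(GuardHarness.Escrow__OnlyBuyerOrSeller.selector);
            guard.guardOr(); // reverts for every caller while buyer != seller
        }
    }
}
```

Run with forge test; a caller can only satisfy the || form when it equals both i_buyer and i_seller, which requires the two addresses to be the same.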
