Submission Details
Severity: low
Valid

Malicious buyer can set themselves as `arbiter` and potentially steal from seller

Summary

A malicious buyer can set themselves as the arbiter and use the privileged role to refund themselves the tokens instead of sending them to the seller.

Vulnerability Details

Although the seller is able to inspect the contract before proceeding, there should never be a case where both parties agree for the buyer to be the arbiter. Therefore it should be explicitly prevented, so that malicious buyers are unable to exploit sellers.

Impact

The buyer can keep the tokens earned by the seller instead of transferring them, effectively stealing from the seller.

Tools Used

Manual review

Recommendations

Require in the Escrow constructor that the arbiter is not the buyer (the check compares against the `buyer` argument rather than `msg.sender`, which in a constructor is the deployer):

```diff
 constructor(
     uint256 price,
     IERC20 tokenContract,
     address buyer,
     address seller,
     address arbiter,
     uint256 arbiterFee
 ) {
     if (address(tokenContract) == address(0)) revert Escrow__TokenZeroAddress();
     if (buyer == address(0)) revert Escrow__BuyerZeroAddress();
     if (seller == address(0)) revert Escrow__SellerZeroAddress();
     if (arbiterFee >= price) revert Escrow__FeeExceedsPrice(price, arbiterFee);
     if (tokenContract.balanceOf(address(this)) < price) revert Escrow__MustDeployWithTokenBalance();
+    if (arbiter == buyer) revert Escrow__BuyerCannotBeArbiter(buyer);
     i_price = price;
     i_tokenContract = tokenContract;
     i_buyer = buyer;
     i_seller = seller;
     i_arbiter = arbiter;
     i_arbiterFee = arbiterFee;
 }
```
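A Foundry regression test for the recommended check, added here as an example and not part of the original submission or the project's test suite. It assumes `Escrow` lives at `src/Escrow.sol` with `Escrow__BuyerCannotBeArbiter` declared inside the contract, uses a hypothetical `MockToken` built on OpenZeppelin's `ERC20`, and deploys with `new` directly instead of through a factory, so it has to pre-fund the address the deployment will land on because the constructor checks the token balance first.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Escrow} from "../src/Escrow.sol"; // assumed path

// Hypothetical mintable token used only to satisfy the constructor's balance check.
contract MockToken is ERC20 {
    constructor() ERC20("Mock", "MCK") {}

    function mint(address to, uint256 amount) external {
        _mint(to, amount);
    }
}

contract BuyerCannotBeArbiterTest is Test {
    MockToken token = new MockToken();
    address buyer = makeAddr("buyer");
    address seller = makeAddr("seller");
    uint256 constant PRICE = 1e18;

    function testDeployRevertsWhenBuyerIsArbiter() public {
        // The constructor reverts unless the escrow already holds `price`
        // tokens, so fund the address the next `new Escrow` will occupy.
        address predicted = vm.computeCreateAddress(address(this), vm.getNonce(address(this)));
        token.mint(predicted, PRICE);

        // Expect the new check to fire, carrying the offending buyer address.
        vm.expectRevert(abi.encodeWithSelector(Escrow.Escrow__BuyerCannotBeArbiter.selector, buyer));
        new Escrow(PRICE, IERC20(address(token)), buyer, seller, buyer, 0);
    }

    function testDeploySucceedsWithDistinctArbiter() public {
        address arbiter = makeAddr("arbiter");
        address predicted = vm.computeCreateAddress(address(this), vm.getNonce(address(this)));
        token.mint(predicted, PRICE);

        Escrow escrow = new Escrow(PRICE, IERC20(address(token)), buyer, seller, arbiter, 0);
        assertEq(address(escrow), predicted);
    }
}
```

Without the check, the first test fails because deployment succeeds and the buyer becomes the arbiter.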
