A malicious buyer can set themselves as the arbiter and use the privileged role to refund themselves the tokens instead of sending them to the seller.
Although the seller is capable of inspecting the contract before performing the smart contract audit, there ought never to be a case where both parties agree for the buyer to be the arbiter. Therefore it should be explicitly prevented so that malicious buyers are unable to exploit sellers.
Buyer can keep the tokens earned by the seller instead of transferring them, effectively stealing from them.
Manual review
Require that the arbiter
is not equal to msg.sender
in the Escrow
constructor
:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.