CodeHawks Escrow Contract - Competition Details
Cyfrin
Foundry
40,000 USDC
View results
Previous Next
Submission Details
Severity: high

Agreement on `resolveDispute` was not obtained from buyer and seller

klaus

Summary

Vulnerability Details

If the arbiter colludes with the buyer or seller, or is set to the same account as the buyer or seller account, the number of tokens to transfer can be adjusted arbitrarily by calling resolveDispute.

Set the buyerAward high so that the purchase is processed without sending the token to the seller, or the seller can cancel the dispute and forcibly process the sale. Abuse is possible because the result set by resolveDispute is carried out without obtaining consent from the seller and buyer.

function resolveDispute(uint256 buyerAward) external onlyArbiter nonReentrant inState(State.Disputed) {
uint256 tokenBalance = i_tokenContract.balanceOf(address(this));
uint256 totalFee = buyerAward + i_arbiterFee; // Reverts on overflow
if (totalFee > tokenBalance) {
revert Escrow__TotalFeeExceedsBalance(tokenBalance, totalFee);
}
s_state = State.Resolved;
emit Resolved(i_buyer, i_seller);
if (buyerAward > 0) {
i_tokenContract.safeTransfer(i_buyer, buyerAward);
}
if (i_arbiterFee > 0) {
i_tokenContract.safeTransfer(i_arbiter, i_arbiterFee);
}
tokenBalance = i_tokenContract.balanceOf(address(this));
if (tokenBalance > 0) {
i_tokenContract.safeTransfer(i_seller, tokenBalance);
}
}

https://github.com/Cyfrin/2023-07-escrow/blob/65a60eb0773803fa0be4ba72defaec7d8567bccc/src/Escrow.sol#L109-L129

Impact

The arbiter can control the amount of tokens to be transferred without buyer or seller’s agreement.

Tools Used

vscode

Recommendations

Make it 2 step so that transfer token after both buyer and seller agree abount the result of resolveDispute

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.