Preventing Fund Lockup: Ensuring a Valid Arbiter in the Escrow Contract Constructor
Summary
The constructor for the escrow contract does not validate the arbiter's address, allowing for the creation of an escrow contract without a valid arbiter. This could prevent disputes from being initiated, locking funds indefinitely.
Vulnerability Details
The constructor for the escrow contract does not check if the arbiter parameter is a non-zero address:
This allows for the creation of an escrow contract without an arbiter. However, the initiateDispute function requires a valid arbiter:
This could lead to a situation where funds are locked in the contract indefinitely, as disputes cannot be initiated without a valid arbiter.
Impact
If an escrow contract is created without a valid arbiter, funds could be locked indefinitely. This would occur if a dispute arises and the initiateDispute function cannot be called due to the lack of a valid arbiter.
Tools Used
This potential vulnerability was found using manual code review methods.
Recommendations
I recommend adding a check in the constructor to ensure that the arbiter parameter is a non-zero address. This will prevent the creation of an escrow contract without a valid arbiter, and will ensure that disputes can always be initiated when necessary. Here's how you can modify your constructor:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.