Severity: high

Arbiter should be mandatory otherwise there are risks of indefinite fund locking

Summary

The Escrow contract allows an escrow to be created without an arbiter. If the buyer never calls confirmReceipt and there is no arbiter to intervene, the funds remain locked in the contract indefinitely.

Vulnerability Details

The initiateDispute function requires an arbiter address to be set; if it is not, the call reverts with the Escrow__DisputeRequiresArbiter() custom error. However, the arbiter address is not required at contract initialization, so an escrow can be created and funded without one.

The problem arises if the buyer never calls confirmReceipt after the escrow is created. With no arbiter set, the seller cannot initiate a dispute through initiateDispute either, so the funds are locked in the contract indefinitely.

This is an issue with the Escrow contract design where an arbiter should be mandatory during contract initialization to prevent such situations.

Impact

This issue could lead to loss of funds for the seller. The funds would be locked in the contract, rendering them inaccessible if the buyer does not confirm the receipt and an arbiter has not been set.

Tools Used

No particular tools were used to discover this issue. It was found by manual review of the contract code.

Recommendations

To mitigate this issue, it is recommended to make the arbiter mandatory during contract initialization. This would ensure that there will always be a third party who can intervene and prevent funds from being locked in the contract indefinitely.
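As an added illustration of the recommended fix (this is a stripped-down sketch, not the audited Escrow contract's code), the constructor below refuses a zero arbiter so the "no arbiter and buyer never confirms" state can never be entered. Only confirmReceipt, initiateDispute and Escrow__DisputeRequiresArbiter come from the finding; all other names, the State enum and the Escrow__ArbiterRequired error are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Simplified escrow sketch for illustration; not the audited contract.
contract EscrowSketch {
    error Escrow__DisputeRequiresArbiter();
    error Escrow__ArbiterRequired();   // assumed name for the added check
    error Escrow__Unauthorized();
    error Escrow__NotInCreatedState();

    enum State { Created, Confirmed, Disputed }

    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter;
    State public state;

    constructor(address _buyer, address _seller, address _arbiter) payable {
        // Recommended mitigation: make the arbiter mandatory at initialization.
        // Without this line an escrow can be deployed with arbiter == address(0).
        if (_arbiter == address(0)) revert Escrow__ArbiterRequired();
        buyer = _buyer;
        seller = _seller;
        arbiter = _arbiter;
    }

    // The buyer releases the escrowed funds to the seller.
    function confirmReceipt() external {
        if (msg.sender != buyer) revert Escrow__Unauthorized();
        if (state != State.Created) revert Escrow__NotInCreatedState();
        state = State.Confirmed;
        (bool ok, ) = seller.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }

    // If the buyer never confirms, a dispute is the seller's only recourse,
    // and a dispute needs an arbiter. Without the constructor check, a zero
    // arbiter makes this revert forever and the balance becomes unreachable.
    function initiateDispute() external {
        if (msg.sender != seller && msg.sender != buyer) revert Escrow__Unauthorized();
        if (state != State.Created) revert Escrow__NotInCreatedState();
        if (arbiter == address(0)) revert Escrow__DisputeRequiresArbiter();
        state = State.Disputed;
    }
}
```

With the constructor check in place, deployment itself reverts when no arbiter is supplied, so the locked-funds path described above cannot be reached.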
