Submission Details
Severity: medium
Valid

Escrow Contract Funds Locking Vulnerability

Summary

The current escrow contract suffers from a critical vulnerability wherein, if an arbiter is not set and the seller's address is blacklisted by the payment token, the funds deposited into the contract could be locked indefinitely.

Vulnerability Details

The escrow contract lacks a mechanism to handle the scenario where the seller's address is blacklisted, and an arbiter has not been assigned to the contract. As a consequence, there is no provision to unlock the funds and release them to the rightful party.
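The lock condition described above, as an added example that is not the audited contract's code: a simplified Python model with hypothetical names (`BlacklistToken`, `Escrow`, `confirm_receipt`, `resolve_dispute`, `working_exits`) that enumerates which release paths still succeed. It assumes payment is pushed directly to the seller and that only a configured arbiter can redirect the full balance to the buyer.

```python
# Simplified model of the scenario (constructed; not the audited contract).
class Revert(Exception):
    """Stands in for a reverted on-chain call."""

class BlacklistToken:
    """ERC-20-like token whose transfer reverts for blacklisted recipients."""
    def __init__(self):
        self.balances, self.blacklist = {}, set()

    def transfer(self, src, dst, amount):
        if dst in self.blacklist:
            raise Revert("recipient blacklisted")
        if self.balances.get(src, 0) < amount:
            raise Revert("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

class Escrow:
    ADDRESS = "escrow"  # constructed placeholder address

    def __init__(self, token, buyer, seller, arbiter=None):
        self.token, self.buyer, self.seller, self.arbiter = token, buyer, seller, arbiter

    def confirm_receipt(self):
        # Push payment: the whole balance goes straight to the seller.
        amount = self.token.balances.get(self.ADDRESS, 0)
        self.token.transfer(self.ADDRESS, self.seller, amount)

    def resolve_dispute(self, caller):
        # Assumption: only a configured arbiter can send the funds back to the buyer.
        if self.arbiter is None or caller != self.arbiter:
            raise Revert("no arbiter configured")
        amount = self.token.balances.get(self.ADDRESS, 0)
        self.token.transfer(self.ADDRESS, self.buyer, amount)

def working_exits(arbiter, seller_blacklisted):
    """Return the release paths that succeed on a freshly funded escrow."""
    exits = []
    for name in ("confirm_receipt", "resolve_dispute"):
        token = BlacklistToken()
        token.balances[Escrow.ADDRESS] = 1_000  # constructed deposit
        if seller_blacklisted:
            token.blacklist.add("seller")
        escrow = Escrow(token, "buyer", "seller", arbiter)
        try:
            escrow.confirm_receipt() if name == "confirm_receipt" else escrow.resolve_dispute(arbiter)
        except Revert:
            continue  # this path is closed
        exits.append(name)
    return exits
```

An empty result from `working_exits(None, True)` is the locked state: every path that moves the balance reverts. The same enumeration can serve as a regression check after a fix is added.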

Impact

In the event of the aforementioned situation, the funds held in the escrow contract would remain inaccessible indefinitely. This issue poses a significant risk to the integrity of the escrow process and may result in financial losses and disputes.

Tools Used

Manual Review

Recommendations

To address this vulnerability and enhance the security of the escrow contract, we recommend implementing a mechanism that allows the buyer to update the buyer address. By providing the buyer with the ability to update their address, the funds can be released to the appropriate party in case the seller's address is blacklisted and no arbiter has been designated. This safeguard will ensure that funds are not locked forever and maintain the functionality and reliability of the escrow system.
