CodeHawks Escrow Contract - Competition Details

Cyfrin

Foundry

40,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

There is no check that arbiter is not buyer nor seller

0xJuda

Summary

Anyone can be an arbiter at the moment. When buyer is arbiter, he can wait for report and get his money back through buyerAward in resolveDispute. When seller is arbiter, he can get money through resolveDispute immediately.

Vulnerability Details

There is no check in Escrow.sol constructor, that the arbiter is not buyer nor seller. This poses a threat of one of those addresses set as an arbiter.

If the seller is an arbiter, he can immediately open a dispute and resolve it to get all funds from the Escrow contract without providing a report off-chain.

If the buyer is an arbiter, he can wait for the report and instead of calling confirmReceipt to send funds to the seller, he can initiate a dispute and get back all funds through buyerAward in resolveDispute.

Impact

If buyer is arbiter, seller won't get money for his report. If seller is arbiter, buyer won't get report and money will be stolen by seller.

Tools Used

Manual review

Recommendations

Implement a check in the Escrow constructor to revert when arbiter is buyer or seller.

Prize pool breakdown

Total prize

40,000 USDC

nSLOC

186

215 USDC / LOC

High Medium

37,000 USDC

Low

3,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.