If the arbiter is not able to confer both parties offchain, then it's not an escrow contract and the buyer can directly send funds to the seller once goods or services have been delivered. Therefore, it's essential to verify and input the correct arbiter address.
The initiateDispute() (line 102) function in the Escrow.sol contract should check if the arbiter contract is not a Zero Address and a contract address during the contract creation phase in the constructor call. We can't afford to check the arbiter address is a Zero address when there is a dispute , after the token has been transfer to the esrow contract.
Expected dispute workflow
The buyer creates an Escrow
contract through EscrowFactory::newEscrow
, depositing funds.
Either party can initiate a dispute through Escrow::initiateDispute
.
The arbiter confers with both parties offchain and calls Escrow::resolveDispute
to reimburse either side accordingly, emptying the escrow.
Failure to check for a Zero Address Arbiter will render the Escrow Contract useless as tokens can only be transferred out of it by confirming receipt without any dispute from buyers.
Slither.
Add two additional checks in the Escow.sol construction function:
Declare a new function in Escow.sol called isContract()
which checks if an address is a contract address:
Add custom error code for Arbiter Zero Address in IEscrow.sol:
Modify the constructor function in Escow.sol to include the new checks for Zero Address and Externally Owned Accounts (EOA):
Declare a new view function for the arbiter to get the maximum amount to refund back to the buyer:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.