Lack of dispute resolution deadline
Severity
Medium Risk
Summary
This is a medium-level risk: the likelihood is not high, because the Arbiter can be trusted, but it is not zero, because funds can be locked in the contract permanently if anything happens to the Arbiter and its address is compromised. The Escrow contract allows parties to initiate a dispute that is resolved by an arbiter. However, there is no time limit imposed on the Arbiter to resolve the dispute.
Vulnerability Details
There is no time limit that either forces the dispute to be resolved on time or, if the Arbiter is unavailable, pushes the funds to an arbiter agreed on by the buyer and seller (off-chain). Without one, an unavailable arbiter could delay dispute resolution indefinitely. This would lock the escrowed funds permanently, preventing the proper recipient from accessing them.
Impact
The escrowed funds could be made inaccessible to both parties indefinitely. This deprives the rightful recipient of the funds according to the original agreement.
Tools Used
Manual review
Recommendations
We can require the dispute to be resolved by a particular deadline (set in the initial contract by the buyer, should there be a need for a dispute). If the Arbiter address is compromised, the funds can then be pushed to a backup arbiter that the seller and buyer agree on (off-chain) once they both sign on it (on-chain). If the dispute is delayed for reasons other than a compromised arbiter, the deadline can only be extended if two of the three parties (Seller, Arbiter or Buyer) agree to it.
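One way to express the recommended deadline logic in Solidity, as an added example that is not code from the audited Escrow contract or from this finding's author. All contract, function and variable names are hypothetical, and it assumes the backup arbiter takes over the arbiter role rather than receiving the funds directly, with fund custody and the arbiter's resolution call staying in the existing contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Added illustration: every name here is hypothetical, not the audited Escrow's API.
contract DisputeDeadline {
    address public immutable buyer;
    address public immutable seller;
    address public arbiter;
    uint256 public immutable window; // seconds the arbiter has, fixed by the buyer at deployment
    uint256 public deadline;         // 0 until a dispute is opened
    mapping(address => address) public backupVote;    // buyer/seller => backup arbiter named
    mapping(address => uint256) public extensionVote; // party => deadline proposed

    constructor(address seller_, address arbiter_, uint256 window_) {
        require(arbiter_ != msg.sender && arbiter_ != seller_, "arbiter must be a third party");
        buyer = msg.sender;
        seller = seller_;
        arbiter = arbiter_;
        window = window_;
    }

    function _isTrader(address a) private view returns (bool) { return a == buyer || a == seller; }

    function openDispute() external {
        require(_isTrader(msg.sender), "not buyer or seller");
        require(deadline == 0, "dispute already open");
        deadline = block.timestamp + window;
    }

    // Past the deadline, the arbiter is replaced only when buyer and seller name the same backup.
    function proposeBackupArbiter(address candidate) external {
        require(_isTrader(msg.sender), "not buyer or seller");
        require(deadline != 0 && block.timestamp > deadline, "deadline not passed");
        require(candidate != address(0) && candidate != arbiter && !_isTrader(candidate), "bad candidate");
        backupVote[msg.sender] = candidate;
        if (backupVote[buyer] != candidate || backupVote[seller] != candidate) return;
        arbiter = candidate;
        deadline = block.timestamp + window; // the backup arbiter gets a fresh window
    }

    // The deadline moves only when two of buyer, seller and arbiter propose the same later value.
    function proposeExtension(uint256 newDeadline) external {
        require(_isTrader(msg.sender) || msg.sender == arbiter, "not a party");
        require(deadline != 0 && newDeadline > deadline, "no dispute or not later");
        extensionVote[msg.sender] = newDeadline;
        uint256 votes = (extensionVote[buyer] == newDeadline ? 1 : 0)
            + (extensionVote[seller] == newDeadline ? 1 : 0) + (extensionVote[arbiter] == newDeadline ? 1 : 0);
        if (votes >= 2) deadline = newDeadline;
    }
}
```

Rejecting the current arbiter as a backup candidate keeps a single party from reusing an old matching vote to reset the window on its own.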