Cyfrin / 2023-07-escrow


Add methods to add/update arbiter in existing Escrow contracts #379

Open codehawks-bot opened 1 year ago

codehawks-bot commented 1 year ago

Add methods to add/update arbiter in existing Escrow contracts

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-escrow/blob/main/src/Escrow.sol

Summary

Add methods to add arbiter in existing Escrow contracts

Vulnerability Details

If the Escrow contract gets created without the arbiter, and if an arbiter is needed to settle a dispute, then there is no way to add one.

Impact

The only way to get funds out of the contract is:

For Case 2, the funds cannot be taken out of the contract in case of disputes, and so the funds get locked in there.

Severity Justification

Marking this as medium as both of the following medium criteria are satisfied:

Source: https://docs.codehawks.com/rewards-and-judging

Tools Used

Manual analysis

Recommendations

Create a method that can update the arbiter if needed. This method can be written such that both the buyer and seller agree to add the arbiter based on their votes.
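A sketch of the recommendation above, added here as an illustration; it is not code from the original report or from the Cyfrin Escrow contract. The contract name, storage layout, errors and events are all hypothetical, and it covers only the case the report describes (no arbiter set at creation), not replacing an existing arbiter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Hypothetical stand-alone illustration; names do not come from Escrow.sol.
contract ArbiterByMutualConsent {
    address public immutable buyer;
    address public immutable seller;
    address public arbiter;      // address(0) means "created without an arbiter"
    address public buyerChoice;  // candidate last proposed by the buyer
    address public sellerChoice; // candidate last proposed by the seller

    error OnlyBuyerOrSeller();
    error ArbiterAlreadySet();
    error InvalidArbiter();

    event ArbiterProposed(address indexed by, address indexed candidate);
    event ArbiterSet(address indexed arbiter);

    constructor(address _buyer, address _seller, address _arbiter) {
        buyer = _buyer;
        seller = _seller;
        arbiter = _arbiter;
    }

    /// Each party records a candidate; the arbiter is fixed only once both
    /// parties have proposed the same address, so neither can pick one alone.
    function proposeArbiter(address candidate) external {
        if (msg.sender != buyer && msg.sender != seller) revert OnlyBuyerOrSeller();
        // Never overwrite an arbiter that is already in place.
        if (arbiter != address(0)) revert ArbiterAlreadySet();
        // The arbiter must be a third party.
        if (candidate == address(0) || candidate == buyer || candidate == seller) {
            revert InvalidArbiter();
        }
        if (msg.sender == buyer) {
            buyerChoice = candidate;
        } else {
            sellerChoice = candidate;
        }
        emit ArbiterProposed(msg.sender, candidate);
        // Both choices are non-zero and equal only after mutual agreement.
        if (buyerChoice == sellerChoice) {
            arbiter = candidate;
            emit ArbiterSet(candidate);
        }
    }
}
```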

B353N commented 1 year ago

Escalation. I think the severity is medium since there are user funds at risk -> impact high, likelihood is low, so I think it needs to be medium.
Additionally, on issues with fee-on-transfer tokens and rebase tokens, which are considered medium, you can simply send a few more tokens to the escrow contract and fix the issue, but on this issue you can't do anything except release payment to the seller (which you don't want to do if you are planning to make a dispute). So, as I say, my opinion is that it is medium severity.

PatrickAlphaC commented 1 year ago

At the moment, the arbiter is a trusted role, so this isn't valid. However, it's a nice feature request.