Cyfrin / 2023-07-escrow


[M] Seller doesn't receive funds when buyer calls confirmReceipt if token is paused #737

Open codehawks-bot opened 1 year ago

codehawks-bot commented 1 year ago

[M] Seller doesn't receive funds when buyer calls confirmReceipt if token is paused

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-escrow/blob/65a60eb0773803fa0be4ba72defaec7d8567bccc/src/Escrow.sol#L94

Summary

Some ERC20 tokens allow the contract owner to pause the token contract.

Vulnerability Details

In confirmReceipt, it is expected that the buyer will confirm the receipt of the report by calling the confirmReceipt function.

However, if the token is paused, the safeTransfer call will fail, and the seller will not receive the funds.

Impact

Confirming Receipt: If the payment token contract is paused when the buyer tries to call the confirmReceipt function, it could lead to a failure in the safeTransfer operation, and the funds will not be transferred to the seller. The escrow state might remain in the "Created" state, and the seller won't receive the payment.

The other issue remains during the dispute phase.

Resolving Dispute: If the payment token contract is paused during the dispute resolution process, it can impact the safeTransfer operations within the resolveDispute function. The arbiter's fee or the buyer's award might not be transferred successfully, leading to an unresolved dispute and funds remaining in the Escrow contract.

Tools Used

Manual Review

Recommendations

It's important to check the status of the token contract before calling safeTransfer.

i.e., is it paused?
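The failure mode and the recommended pre-check, as an added illustration that is not the audited Escrow.sol and not code from the Cyfrin repository. `PausableToken` is a constructed mock whose `transfer` reverts while paused; `IPausable`, `EscrowExample`, `_isPaused` and the error names are assumptions made for this example (the `paused()` getter follows OpenZeppelin's Pausable, which not every token exposes, hence the try/catch).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not the project's code. Minimal interfaces stand in for
// IERC20 / SafeERC20 so the file is self-contained.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Assumed interface: tokens built on OpenZeppelin's Pausable expose paused().
interface IPausable {
    function paused() external view returns (bool);
}

// Constructed mock of a pausable ERC20. While paused, transfer() reverts,
// which is exactly what makes the escrow's safeTransfer fail in the finding.
contract PausableToken is IERC20, IPausable {
    mapping(address => uint256) public override balanceOf;
    bool public override paused;
    address public immutable owner;

    constructor() { owner = msg.sender; }

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function setPaused(bool p) external {
        require(msg.sender == owner, "not owner");
        paused = p;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        require(!paused, "token paused");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Simplified escrow reproducing the confirmReceipt flow from the report.
contract EscrowExample {
    enum State { Created, Confirmed }

    IERC20 public immutable token;
    address public immutable buyer;
    address public immutable seller;
    uint256 public immutable price;
    State public state;

    error TokenPaused();
    error TransferFailed();

    constructor(IERC20 _token, address _buyer, address _seller, uint256 _price) {
        token = _token;
        buyer = _buyer;
        seller = _seller;
        price = _price;
    }

    // Best-effort pause check (hypothetical helper). Tokens without paused()
    // make the call revert, which try/catch turns into "not paused".
    function _isPaused(address t) internal view returns (bool) {
        try IPausable(t).paused() returns (bool p) {
            return p;
        } catch {
            return false;
        }
    }

    // Follows the report's recommendation: check the pause flag before the
    // transfer so the buyer gets an explicit, attributable revert rather than
    // an opaque failure inside the token, and the state stays Created.
    function confirmReceipt() external {
        require(msg.sender == buyer, "only buyer");
        require(state == State.Created, "wrong state");
        if (_isPaused(address(token))) revert TokenPaused();
        state = State.Confirmed;
        if (!token.transfer(seller, price)) revert TransferFailed();
    }
}
```

The pre-check only improves diagnosability: whether or not it is present, the escrow remains in `Created` and the tokens stay in the contract until the token owner unpauses, so the check does not by itself unblock the seller's payment.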

PatrickAlphaC commented 1 year ago

resolution here is the same as a blacklisted token