search

Cyfrin / 2023-07-escrow

16 stars 12 forks source link

Funds locked trough improper setup #753

Open codehawks-bot opened 1 year ago

codehawks-bot commented 1 year ago

Funds locked trough improper setup

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-escrow/blob/65a60eb0773803fa0be4ba72defaec7d8567bccc/src/Escrow.sol#L32-L51

https://github.com/Cyfrin/2023-07-escrow/blob/65a60eb0773803fa0be4ba72defaec7d8567bccc/src/Escrow.sol#L102

Summary

Funds could end up in a locked state if there is no arbiter added and the seller will not deliver the audit because of an event that happened after the audit started( or lost access to the address, die, etc.... just complete away )

Vulnerability Details

POC:

  1. Buyer creates the escrow contract
  2. Mid-audit seller is completely away and not responding to any messages and the audit was not deliver, if there is no arbiter set, the seller will not be able to call the initiateDispute function to try to recover his funds back and they will stay lock inside the contract

    Impact

    Funds will be locked inside the contract.

    Tools Used

    Manual Review

    Recommendations

    Add the check from L#103 inside the constructor and remove it from the function initiateDispute obligating all deployers to have an arbiter assigned.

nevillehuang commented 1 year ago

753: Invalid, pretty confusing report, PoC is incorrect as it mentions seller not being able to call initiateDispute instead of buyer

PatrickAlphaC commented 1 year ago

looking

PatrickAlphaC commented 1 year ago

Root cause: ✅ Impact: ❌

Awarding.