Open codehawks-bot opened 1 year ago
great suggestion
Actually, no, a buyer is now incentivized to just wait out till the end and never confirm receipt to get their money back. They could wait till the last minute so it's difficult for an arbiter to get involved.
I think that this issue is a duplicate of H-01 Lack of emergency withdraw function when no arbiter is set.
Concerning Patrick's comment above:
Actually, no, a buyer is now incentivized to just wait out till the end and never confirm receipt to get their money back. They could wait till the last minute so it's difficult for an arbiter to get involved.
This concern is also applicable to H-01 as the recommended mitigation is practically the same, and so if this is being used to invalidate this issue then it should also invalidate H-01.
If there is an arbiter then the deadline would realistically be set far enough into the future to allow the seller to dispute before the buyer gets the opportunity to emergency withdraw. If there is no arbiter then a disagreement negatively affecting either the buyer or seller is unavoidable.
Consider allowing the buyer to refund their tokens after a certain amount of time has passed
Severity
Low Risk
Relevant GitHub Links
https://github.com/Cyfrin/2023-07-escrow/blob/main/src/Escrow.sol#L32-L51
Summary
initiateDispute() checks that i_arbiter is not the zero address, meaning the use of an arbiter is optional. In the case where no arbiter exists, tokens can effectively become locked in the contract indefinitely. While it could be argued that this is an inherent risk that must be taken by the buyer and seller, it can be avoided by allowing the buyer to withdraw the tokens after a predetermined amount of time has passed.
Impact
In the event that no arbiter is used, and the seller refuses to adhere to the agreement, the tokens would be stranded in the Escrow contract indefinitely, as the buyer would have no incentive to release the tokens to the seller, and likely wouldn't want to.
Tools Used
Manual review
Recommendations
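The lock described in the Summary and the trade-off raised in the comments, as an added Python model that is not part of the original report or the project's Solidity code. The `deadline` parameter and `refund_after_deadline` are hypothetical names for the suggested mitigation; state names and addresses are constructed.

```python
import contextlib, copy

class Revert(Exception):
    pass  # stands in for a Solidity revert

class EscrowModel:  # constructed toy model, not the code in Escrow.sol
    def __init__(self, buyer, seller, amount, arbiter=None, deadline=None):
        self.buyer, self.seller, self.arbiter = buyer, seller, arbiter
        self.deadline = deadline  # hypothetical; None models the contract as reported
        self.state, self.held, self.paid = "Created", amount, {}

    def _pay(self, to):
        self.paid[to] = self.paid.get(to, 0) + self.held
        self.held = 0

    def confirm_receipt(self, caller):
        if caller != self.buyer or self.state != "Created":
            raise Revert("only buyer, only in Created")
        self.state = "Confirmed"
        self._pay(self.seller)

    def initiate_dispute(self, caller):
        if caller not in (self.buyer, self.seller) or self.state != "Created":
            raise Revert("only buyer or seller, only in Created")
        if self.arbiter is None:  # models the i_arbiter zero-address check
            raise Revert("dispute requires an arbiter")
        self.state = "Disputed"

    def refund_after_deadline(self, caller, now):
        # Hypothetical mitigation: the buyer reclaims the tokens once the deadline passes.
        if caller != self.buyer or self.state != "Created":
            raise Revert("only buyer, only in Created")
        if self.deadline is None or now < self.deadline:
            raise Revert("deadline not reached")
        self.state = "Refunded"
        self._pay(self.buyer)

def available_exits(escrow, now):
    """Calls, other than the buyer confirming receipt, that succeed at time `now`."""
    calls = [("seller dispute", lambda e: e.initiate_dispute(e.seller)),
             ("buyer refund", lambda e: e.refund_after_deadline(e.buyer, now))]
    exits = []
    for name, call in calls:
        with contextlib.suppress(Revert):
            call(copy.deepcopy(escrow))  # try on a copy so the model is not mutated
            exits.append(name)
    return exits
```

With no arbiter and no deadline, `available_exits` is empty at any time; with a deadline and no arbiter, the only exit is the buyer's refund, which is the incentive concern raised in the comments.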