Cyfrin / 2023-07-escrow


Agreement on `resolveDispute` was not obtained from buyer and seller #833

Closed codehawks-bot closed 11 months ago

codehawks-bot commented 11 months ago

Agreement on resolveDispute was not obtained from buyer and seller

Severity

High Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-escrow/blob/65a60eb0773803fa0be4ba72defaec7d8567bccc/src/Escrow.sol#L109-L129

Summary

Vulnerability Details

If the arbiter colludes with the buyer or the seller, or is set to the same account as the buyer or the seller, the number of tokens transferred can be adjusted arbitrarily by calling resolveDispute.

A buyer-colluding arbiter can set buyerAward high so that the purchase is settled without the seller receiving the tokens; a seller-colluding arbiter can instead resolve the dispute in the seller's favour and force the sale through. Abuse is possible because the outcome set by resolveDispute is executed without obtaining consent from either the seller or the buyer.

function resolveDispute(uint256 buyerAward) external onlyArbiter nonReentrant inState(State.Disputed) {
    uint256 tokenBalance = i_tokenContract.balanceOf(address(this));
    uint256 totalFee = buyerAward + i_arbiterFee; // Reverts on overflow
    if (totalFee > tokenBalance) {
        revert Escrow__TotalFeeExceedsBalance(tokenBalance, totalFee);
    }

    s_state = State.Resolved;
    emit Resolved(i_buyer, i_seller);

    if (buyerAward > 0) {
        i_tokenContract.safeTransfer(i_buyer, buyerAward);
    }
    if (i_arbiterFee > 0) {
        i_tokenContract.safeTransfer(i_arbiter, i_arbiterFee);
    }
    tokenBalance = i_tokenContract.balanceOf(address(this));
    if (tokenBalance > 0) {
        i_tokenContract.safeTransfer(i_seller, tokenBalance);
    }
}

Impact

The arbiter alone controls the amount of tokens transferred, without the buyer's or the seller's agreement.

Tools Used

vscode

Recommendations

Make it a two-step process so that tokens are transferred only after both the buyer and the seller have agreed to the result of resolveDispute.
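One way to implement the two-step recommendation above, as an added example that is not the project's code: the arbiter only records a proposal, each party approves that exact proposal, and the payout runs only once both approvals are present. It reuses the storage, modifiers, errors and events named in the snippet above; the s_pending*/s_*Approved variables, approveResolution, executeResolution, ResolutionProposed, Escrow__NotParty and Escrow__NotApproved are hypothetical additions.

```solidity
// Added example, not the Escrow contract's own code. Assumes the existing
// i_* immutables, s_state, State, onlyArbiter, nonReentrant, inState,
// Resolved and Escrow__TotalFeeExceedsBalance; everything else is new.
uint256 private s_pendingBuyerAward;
bool private s_buyerApproved;
bool private s_sellerApproved;

error Escrow__NotParty();
error Escrow__NotApproved();

event ResolutionProposed(uint256 buyerAward);

// Step 1: the arbiter proposes a split; no tokens move here.
function resolveDispute(uint256 buyerAward) external onlyArbiter inState(State.Disputed) {
    uint256 tokenBalance = i_tokenContract.balanceOf(address(this));
    uint256 totalFee = buyerAward + i_arbiterFee; // Reverts on overflow
    if (totalFee > tokenBalance) {
        revert Escrow__TotalFeeExceedsBalance(tokenBalance, totalFee);
    }
    s_pendingBuyerAward = buyerAward;
    // A new proposal invalidates any approvals given for an earlier one.
    s_buyerApproved = false;
    s_sellerApproved = false;
    emit ResolutionProposed(buyerAward);
}

// Step 2: each party approves the exact amount it saw proposed, so a
// proposal changed after approval cannot be executed by mistake.
function approveResolution(uint256 buyerAward) external inState(State.Disputed) {
    if (buyerAward != s_pendingBuyerAward) revert Escrow__NotApproved();
    if (msg.sender == i_buyer) s_buyerApproved = true;
    else if (msg.sender == i_seller) s_sellerApproved = true;
    else revert Escrow__NotParty();
}

// Step 3: pay out only once both parties have approved the same proposal.
function executeResolution() external nonReentrant inState(State.Disputed) {
    if (!s_buyerApproved || !s_sellerApproved) revert Escrow__NotApproved();
    uint256 buyerAward = s_pendingBuyerAward;
    s_state = State.Resolved;
    emit Resolved(i_buyer, i_seller);
    if (buyerAward > 0) i_tokenContract.safeTransfer(i_buyer, buyerAward);
    if (i_arbiterFee > 0) i_tokenContract.safeTransfer(i_arbiter, i_arbiterFee);
    uint256 remaining = i_tokenContract.balanceOf(address(this));
    if (remaining > 0) i_tokenContract.safeTransfer(i_seller, remaining);
}
```

Requiring both approvals removes the arbiter's unilateral control but lets either party stall settlement indefinitely by never approving, so a real design would also need a liveness rule such as a timeout.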