If the arbiter colludes with the buyer or seller, or is set to the same account as the buyer or seller account, the number of tokens to transfer can be adjusted arbitrarily by calling resolveDispute.
Set the buyerAward high so that the purchase is processed without sending the token to the seller, or the seller can cancel the dispute and forcibly process the sale. Abuse is possible because the result set by resolveDispute is carried out without obtaining consent from the seller and buyer.
Agreement on
resolveDispute
was not obtained from buyer and sellerSeverity
High Risk
Relevant GitHub Links
https://github.com/Cyfrin/2023-07-escrow/blob/65a60eb0773803fa0be4ba72defaec7d8567bccc/src/Escrow.sol#L109-L129
Summary
Vulnerability Details
If the arbiter colludes with the buyer or seller, or is set to the same account as the buyer or seller account, the number of tokens to transfer can be adjusted arbitrarily by calling
resolveDispute
.Set the
buyerAward
high so that the purchase is processed without sending the token to the seller, or the seller can cancel the dispute and forcibly process the sale. Abuse is possible because the result set byresolveDispute
is carried out without obtaining consent from the seller and buyer.https://github.com/Cyfrin/2023-07-escrow/blob/65a60eb0773803fa0be4ba72defaec7d8567bccc/src/Escrow.sol#L109-L129
Impact
The arbiter can control the amount of tokens to be transferred without buyer or seller’s agreement.
Tools Used
vscode
Recommendations
Make it 2 step so that transfer token after both buyer and seller agree abount the result of
resolveDispute