Open codehawks-bot opened 11 months ago
It is possible to have no arbiter contracts (incases where there is past history between buyers and sellers and they trust each other enough not to assign arbiter). Since seller needs to agree upfront not to have an arbiter, seller will only agree to this if he trusts buyer's creditworthiness.
Lack of Input Validation - Arbiter Addresses
Severity
High Risk
Summary
lack of validation for whether the arbiter address is the zero address
Vulnerability Details
In the EscrowFactory.newEscrow() and the Escrow.constructor() function, there is a lack of validation for whether the arbiter address is the zero address. Given that the zero address cannot initiate transactions, this could lead to the permanent locking of funds in the escrow contract if either the seller or arbiter is set to the zero address.
Impact
The impact can be significant if high-value transactions are involved. If the arbiter addresses is set to the zero address, funds could be permanently locked in the escrow contract.
Tools Used
Manual Review
Recommendations
Ensure that the arbiter addresses provided to the EscrowFactory.newEscrow() and or Escrow.constructor() function are not the zero address.