Cyfrin / 2023-07-escrow


Incompatible with some deflationary token #851

Open codehawks-bot opened 1 year ago

codehawks-bot commented 1 year ago

Incompatible with some deflationary tokens

Severity

Gas Optimization / Informational

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-escrow/blob/65a60eb0773803fa0be4ba72defaec7d8567bccc/src/Escrow.sol#L109C1-L110C73

Summary

Incompatible with some deflationary tokens

Vulnerability Details

Since the escrow contract is open to use, it may allow any token during the escrow process. In some extreme cases the token may take an extra fee from the event; for example, if a user sends 100 tokens to others, it will actually send 100 + fee.

Impact

The escrow may be DoSed at the dispute stage.

Tools Used

Manual

Recommendations

The validation needs to be adjusted based on the fee mode of the token:

```solidity
        // Escrow.sol, the lines linked above: the balance actually held is
        // compared against the arbiter's award plus the arbiter fee.
        uint256 tokenBalance = i_tokenContract.balanceOf(address(this));
        uint256 totalFee = buyerAward + i_arbiterFee; // Reverts on overflow
        if (totalFee > tokenBalance) {
            revert Escrow__TotalFeeExceedsBalance(tokenBalance, totalFee);
        }
```
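The following is an added example written for this page; it is not the finding's code and not the Cyfrin repository's Escrow.sol. It pairs a constructed fee-on-transfer token (1% of every transfer burned) with a hypothetical escrow that records the balance delta at deposit time instead of trusting the nominal price. The contract names, `escrowedAmount`, `maxBuyerAward()` and the 1% fee are all assumptions made for the illustration. With a nominal price of 100 tokens and a 1 token arbiter fee, only 99 tokens arrive, so an arbiter who computes `buyerAward = price - arbiterFee = 99` trips the balance check (99 + 1 > 99) and the dispute cannot be resolved; an arbiter who reads `maxBuyerAward()` (98) does not.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

interface IERC20Like {
    function balanceOf(address) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Constructed fee-on-transfer token (example only, not a real asset): 1% of
/// every transfer is burned, so the recipient receives amount * 99 / 100.
contract FeeOnTransferToken is IERC20Like {
    uint256 public constant FEE_BPS = 100; // 1% in basis points
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1_000_000e18; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount; // checked math: reverts on insufficient allowance
        _move(from, to, amount);
        return true;
    }

    function _move(address from, address to, uint256 amount) internal {
        uint256 fee = amount * FEE_BPS / 10_000;
        balanceOf[from] -= amount;     // sender is debited the full amount
        balanceOf[to] += amount - fee; // recipient is credited net of the fee
    }
}

/// Hypothetical escrow (assumed layout, not Cyfrin's Escrow.sol) that credits
/// only what actually arrived and exposes the safe upper bound for an award.
contract FeeAwareEscrow {
    IERC20Like public immutable token;
    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter;
    uint256 public immutable arbiterFee;
    uint256 public immutable nominalPrice;   // amount the buyer asked to escrow
    uint256 public immutable escrowedAmount; // amount that actually arrived

    error TotalFeeExceedsBalance(uint256 balance, uint256 totalFee);
    error OnlyArbiter();

    constructor(IERC20Like _token, address _seller, address _arbiter, uint256 _price, uint256 _arbiterFee) {
        token = _token;
        buyer = msg.sender;
        seller = _seller;
        arbiter = _arbiter;
        arbiterFee = _arbiterFee;
        nominalPrice = _price;
        // Measure the balance delta instead of trusting _price: with a
        // fee-on-transfer token the delta is smaller than _price.
        uint256 before = _token.balanceOf(address(this));
        require(_token.transferFrom(msg.sender, address(this), _price), "transferFrom failed");
        escrowedAmount = _token.balanceOf(address(this)) - before;
    }

    /// Largest buyerAward the arbiter can pass without tripping the balance
    /// check below. Derived from the held balance, never from nominalPrice.
    function maxBuyerAward() public view returns (uint256) {
        uint256 bal = token.balanceOf(address(this));
        return bal > arbiterFee ? bal - arbiterFee : 0;
    }

    /// Same shape as the check quoted in the finding. An award computed from
    /// nominalPrice (e.g. nominalPrice - arbiterFee) reverts here with a
    /// fee-on-transfer token; an award of at most maxBuyerAward() succeeds.
    function resolveDispute(uint256 buyerAward) external {
        if (msg.sender != arbiter) revert OnlyArbiter();
        uint256 tokenBalance = token.balanceOf(address(this));
        uint256 totalFee = buyerAward + arbiterFee; // reverts on overflow
        if (totalFee > tokenBalance) revert TotalFeeExceedsBalance(tokenBalance, totalFee);
        if (buyerAward > 0) token.transfer(buyer, buyerAward);     // buyer receives net of fee
        if (arbiterFee > 0) token.transfer(arbiter, arbiterFee);   // arbiter receives net of fee
        uint256 rest = token.balanceOf(address(this));             // whatever remains after payouts
        if (rest > 0) token.transfer(seller, rest);
    }
}
```

Each outgoing `transfer` is also taxed by the token, so the buyer, arbiter and seller each receive slightly less than the amounts computed on chain; the point of recording `escrowedAmount` and exposing `maxBuyerAward()` is that the resolution path can never be blocked by an award derived from a price the contract never held.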