Cyfrin / 2023-07-escrow


Malicious seller can grief buyer by using a USDC blacklisted address #852

Open codehawks-bot opened 11 months ago

codehawks-bot commented 11 months ago

Malicious seller can grief buyer by using a USDC blacklisted address

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-escrow/blob/65a60eb0773803fa0be4ba72defaec7d8567bccc/src/Escrow.sol#L127

https://github.com/Cyfrin/2023-07-escrow/blob/65a60eb0773803fa0be4ba72defaec7d8567bccc/src/Escrow.sol#L98

Summary

If an escrow contract is created with USDC, and the seller provides a blacklisted address, the funds will be permanently stuck in the escrow contract.

Vulnerability Details

There are two scenarios for the griefing:

  1. If a buyer creates an escrow contract with USDC, and uses a blacklisted address that the seller provides, the seller can start a dispute, and when resolving the dispute, the transfer to the seller will cause the transaction to revert, causing the funds to be stuck in escrow permanently.

  2. If a buyer creates an escrow contract with USDC, and uses a blacklisted address that the seller provides, the buyer tries to confirmReceipt(), which will fail due to the transfer to a blacklisted address.

Impact

Causes the funds to be permanently stuck in the contract.

Tools Used

Manual

Recommendations
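The following is an added illustration of the mitigation direction, not part of the submitted finding and not Cyfrin's Escrow.sol: a hypothetical escrow that settles by crediting per-party balances and lets each party withdraw its own share, so a transfer that reverts for the seller cannot trap the buyer's funds. It assumes a blacklist-enforcing token such as USDC, OpenZeppelin's IERC20/SafeERC20, and that the buyer's deposit equals `price` and is already held by the contract; the function names `resolveDispute`, `withdraw` and the `arbiter` role are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical pull-payment escrow (not Cyfrin's Escrow.sol). Settlement only
// credits per-party balances; each party later withdraws its own share, so a
// token transfer that reverts for the seller (e.g. a USDC-blacklisted address)
// can no longer block the buyer's refund or leave the deposit stuck.
contract PullEscrow {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable buyer;
    address public immutable seller;
    address public immutable arbiter;
    uint256 public immutable price;     // amount the buyer deposited at creation (assumed)
    bool public settled;
    mapping(address => uint256) public owed;

    constructor(IERC20 token_, address buyer_, address seller_, address arbiter_, uint256 price_) {
        (token, buyer, seller, arbiter, price) = (token_, buyer_, seller_, arbiter_, price_);
    }

    // Buyer confirms delivery: the seller is credited, nothing is pushed to them.
    function confirmReceipt() external {
        require(msg.sender == buyer && !settled, "not buyer or already settled");
        settled = true;
        owed[seller] += price;
    }

    // Arbiter splits the deposit; writing to a mapping cannot revert, whatever the
    // seller's address is, so the buyer's award is never hostage to the seller.
    function resolveDispute(uint256 buyerAward) external {
        require(msg.sender == arbiter && !settled && buyerAward <= price, "bad resolution");
        settled = true;
        owed[buyer] += buyerAward;
        owed[seller] += price - buyerAward;
    }

    // Each party pulls its own share; only a call from a blacklisted account reverts,
    // and a revert rolls back the zeroing below, so that party's credit is kept.
    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;                 // effects before interaction
        token.safeTransfer(msg.sender, amount);
    }
}
```

With this layout a blacklisted seller's share still sits in the contract until the blacklist is lifted, but the buyer's path is unaffected; a further step would be to let the seller nominate a different payout address before withdrawing.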