Cyfrin / 2023-07-escrow


Effect of Zero Arbiter fees #855

Closed codehawks-bot closed 1 year ago

codehawks-bot commented 1 year ago

Effect of Zero Arbiter fees

Severity

High Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-escrow/blob/main/src/Escrow.sol#L122C8-L122C8

Summary

The seller might be fooled by the buyer by setting the arbiter fees equal to zero.

Vulnerability Details

In the escrow contract's resolveDispute function, the arbiter is paid fees only when i_arbiterFee exceeds zero. There is no stipulation that forbids setting the arbiter fees to zero. Thus, in this situation, it would be mutually beneficial for both the buyer and seller to settle their disputes directly without involving the arbiter fee and share the award after resolving the issue between themselves. Since the seller reviews the buyer's specified details before agreeing to provide services, they would be aware of the possibility of the arbiter fees being set to zero.

Impact

With the arbiter fees set to zero, there is a possibility that the arbiter will not take action to resolve the dispute, leaving it unresolved. In such a scenario, the buyer could exploit this situation to deceive the seller, because if the seller decides to initiate the resolveDispute function, the dispute might still remain unresolved: the arbiter might not resolve the issue, potentially resulting in a financial loss for the seller. One scenario is that the seller is not paid the right amount after the buyer calls the confirmReceipt function. One more impact is that the arbiter might not check the arbiter fee and perform the resolveDispute function expecting fees, but he won't receive any fees. This can result in loss of funds for the arbiter, as he/she has to pay gas to call the resolveDispute function while expecting the arbiter fees but might not get any.

Tools Used

Manual Review

Recommendations

Set a limit on the arbiter fees
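The pattern the finding describes, and one way to apply the recommendation, as an added illustration that is not the audited Escrow.sol: the arbiter payout is skipped when the fee is zero, so the constructor bounds the fee from below as well as above. MIN_ARBITER_FEE, the error names and IERC20Minimal are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal interface, assumed for this example; the audited contract uses a full ERC20.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract EscrowFeeExample {
    error ArbiterFeeTooLow(uint256 fee, uint256 minimum);
    error ArbiterFeeExceedsPrice(uint256 fee, uint256 price);
    error AwardExceedsBalance(uint256 award, uint256 available);
    error OnlyArbiter();

    // Hypothetical lower bound: keeps the arbiter compensated for the gas spent
    // on resolveDispute. A real deployment would size this to expected gas cost.
    uint256 public constant MIN_ARBITER_FEE = 1e16;

    IERC20Minimal public immutable i_token;
    address public immutable i_buyer;
    address public immutable i_seller;
    address public immutable i_arbiter;
    uint256 public immutable i_price;
    uint256 public immutable i_arbiterFee;

    constructor(uint256 price, IERC20Minimal token, address buyer, address seller, address arbiter, uint256 fee) {
        // Hardened check: fee must lie in [MIN_ARBITER_FEE, price).
        // Without the lower bound, fee == 0 is accepted and the arbiter branch
        // in resolveDispute never pays out, which is the situation in the finding.
        if (fee < MIN_ARBITER_FEE) revert ArbiterFeeTooLow(fee, MIN_ARBITER_FEE);
        if (fee >= price) revert ArbiterFeeExceedsPrice(fee, price);
        i_token = token; i_buyer = buyer; i_seller = seller; i_arbiter = arbiter;
        i_price = price; i_arbiterFee = fee;
    }

    // Arbiter splits the escrowed price between buyer and seller after taking the fee.
    function resolveDispute(uint256 buyerAward) external {
        if (msg.sender != i_arbiter) revert OnlyArbiter();
        // Fee branch as described in the finding: skipped entirely when the fee is zero.
        if (i_arbiterFee > 0) require(i_token.transfer(i_arbiter, i_arbiterFee), "fee transfer failed");
        uint256 remaining = i_price - i_arbiterFee;
        if (buyerAward > remaining) revert AwardExceedsBalance(buyerAward, remaining);
        if (buyerAward > 0) require(i_token.transfer(i_buyer, buyerAward), "buyer transfer failed");
        uint256 sellerShare = remaining - buyerAward;
        if (sellerShare > 0) require(i_token.transfer(i_seller, sellerShare), "seller transfer failed");
    }
}
```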

PatrickAlphaC commented 1 year ago

I think this is expected. Will check.