Receipt can't be confirmed if seller is blacklisted by the asset
Severity
Medium Risk
Summary
The function that confirms a receipt, confirmReceipt, attempts to transfer the tokenContract award to the seller. If the tokenContract implements a blacklist, like the common USDC token, the transfer may be impossible and the confirmation will fail.
Vulnerability Details
The function that releases the tokenContract assets to the seller after a successful audit of the protocol for the buyer:
The function will fail if the seller is blacklisted by the token.
Impact
This can impact both the buyer and the seller: if the Escrow contract was declared with a non-arbiter address, the funds would be stuck if one party is blacklisted.
Tools Used
Manual
Recommendations
Allow the seller to specify another address by declaring a new function, changeSeller, with the onlySeller() modifier.
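A minimal sketch of this recommendation, added here as an example and not taken from the audited code base. The contract name EscrowSketch, the state layout, the custom errors and the SellerChanged event are assumptions; only confirmReceipt, changeSeller, onlySeller and tokenContract are names from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical simplified escrow, not the audited contract.
contract EscrowSketch {
    IERC20 public immutable tokenContract;
    address public immutable buyer;
    address public seller; // mutable so the payout address can be rotated

    event SellerChanged(address indexed previousSeller, address indexed newSeller);
    error OnlyBuyer();
    error OnlySeller();
    error ZeroAddress();
    error TransferFailed();

    modifier onlyBuyer() {
        if (msg.sender != buyer) revert OnlyBuyer();
        _;
    }
    modifier onlySeller() {
        if (msg.sender != seller) revert OnlySeller();
        _;
    }

    constructor(IERC20 token, address buyer_, address seller_) {
        if (buyer_ == address(0) || seller_ == address(0)) revert ZeroAddress();
        tokenContract = token;
        buyer = buyer_;
        seller = seller_;
    }

    // A blacklisted seller can still call this: the token's blacklist blocks
    // token transfers involving the address, not calls to the escrow itself.
    function changeSeller(address newSeller) external onlySeller {
        if (newSeller == address(0)) revert ZeroAddress();
        emit SellerChanged(seller, newSeller);
        seller = newSeller;
    }

    // Reverts as a whole if the token rejects the current `seller` address.
    function confirmReceipt() external onlyBuyer {
        uint256 amount = tokenContract.balanceOf(address(this));
        if (!tokenContract.transfer(seller, amount)) revert TransferFailed();
    }
}
```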