There are a few logical errors in how this escrow works which can cause unexpected issue in the protocol functioning.
Vulnerability Details
Logic error 1
It is assumed that when deploying a new escrow price is meant to be paid to the seller but when the dispute happens it’s always the seller paying for the arbiter charges.
Logic error 2
The buyer can set the arbiter fee more than the price and if an issue is raised it will always result in a DOS when arbitrer tries to resolve the issue. These claims are made on the grounds that the arbiter is trusted and the buyer and seller are not.
Impact
This type of errors can lead to the intransparency and make the protocol less trust worthy.
Tools Used
manual review
Recommendations
Error 1 Mitigation
Make the caller pay for the arbiter charge amount when Escrow.initiateDispute() is being called.
Error 2 Mitigation
Arbiter fees should not be more than some % of the price and should be required when deploying a new escrow.
Escrow Business Logic Error.
Severity
High Risk
Summary
There are a few logical errors in how this escrow works which can cause unexpected issue in the protocol functioning.
Vulnerability Details
Logic error 1
It is assumed that when deploying a new escrow price is meant to be paid to the seller but when the dispute happens it’s always the seller paying for the arbiter charges.
Logic error 2
The buyer can set the arbiter fee more than the price and if an issue is raised it will always result in a DOS when arbitrer tries to resolve the issue. These claims are made on the grounds that the arbiter is trusted and the buyer and seller are not.
Impact
This type of errors can lead to the intransparency and make the protocol less trust worthy.
Tools Used
manual review
Recommendations
Error 1 Mitigation
Make the caller pay for the arbiter charge amount when
Escrow.initiateDispute()
is being called.Error 2 Mitigation
Arbiter fees should not be more than some % of the price and should be required when deploying a new escrow.