search

Cyfrin / 2023-07-escrow

17 stars 12 forks source link

Arbiter cannot be added if one wasnt added at the time of the contract creation, or if the arbiter suddenly disappears #875

Closed codehawks-bot closed 11 months ago

codehawks-bot commented 11 months ago

Arbiter cannot be added if one wasnt added at the time of the contract creation, or if the arbiter suddenly disappears

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-escrow/blob/main/src/Escrow.sol

Summary

Arbiter cannot be added if one wasnt added at the time of the contract creation

Vulnerability Details

Lets say the escrow was created with funds, but without an arbiter. Now, if there is any issue between the seller and the buyer, and if they need an aribter, then nothing can be done. The buyer will either have to transfer the tokens despite not being happy with the services, or they can just deprive the seller of compensation for the service that the seller provided, making the seller at a loss.

An arbiter can also be unavailable due to various reasons, and this then becomes the same as having no arbiter.

Impact

In case of dissatisfied buyer/seller, the buyer and seller conflict cannot be resolved, and can lead to dissatisfied seller/buyer without any mediation.

Tools Used

Manual Code Review

Recommendations

Add methods which can add/update an arbiter so that an arbiter can be added/updated after both parties approve of an arbiter.

0kage-eth commented 11 months ago

If seller or buyer is worried about such scenario, they would never agree to contract w/o arbiter