`i_price` should be used over `i_tokenContract.balanceOf(address(this)`

[codehawks-bot]

i_price should be used over i_tokenContract.balanceOf(address(this)

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-escrow/blob/main/src/Escrow.sol#L98

Summary

i_price should be used over i_tokenContract.balanceOf(address(this)

Vulnerability Details

When the escrow contract is created, the seller should only receive i_price tokens (if there was no arbiter involved). But in the confirmReceipt() method, the seller is sent i_tokenContract.balanceOf(address(this)) tokens, which could be more or less than i_price.

Impact

The seller can be paid less/more if the contract's token balance is different thatn i_price

Tools Used

Manual Code Review

Recommendations

i_price should be used over i_tokenContract.balanceOf(address(this) when paying the amount to the seller

[0kage-eth]

• price is immutable -> and buyer pays upfront. no reason for buyer to fund the contract again
• accidental transfers by buyers or random donors funding the contract is extremely unlikely
• repeated payments (eg. scope expansion) is not considered in current implementation -> price immutability doesn't allow that flexibility