Cyfrin / 2023-07-escrow


Seller may receive the wrong amount #878

Closed codehawks-bot closed 11 months ago

codehawks-bot commented 11 months ago

Seller may receive the wrong amount

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-escrow/blob/main/src/Escrow.sol#L109

Summary

Seller may receive the wrong amount

Vulnerability Details

The issue is in the resolveDispute() method. If the contract was funded multiple times, or if the contract address somehow held a different amount than i_price, then the seller may receive less/more when a conflict is resolved by the arbiter, after the fees.

Let's assume that the i_arbiterFee is set to 5 tokens, and that i_price is set to 50 tokens. Let's also assume that the Escrow contract address was funded with 500 tokens somehow, either by retries or by mistake. Now, when the contract is created, the total token balance of the contract becomes 555 tokens.

If the arbiter decides that the buyer should get 5 tokens as a refund, and calls resolveDispute() with it, then the buyer gets 5 tokens, the arbiter gets 5 tokens, but the seller gets all the remaining token balance of the contract, which will be 545 tokens (555 - 5 - 5). But the seller was only supposed to receive 50 tokens.

Impact

Because the complete balance is sent to the seller when the arbiter settles a dispute, the seller might get paid more or in full.

Tools Used

Manual Code Review

Recommendations

Update the resolveDispute() method to send the following amounts:
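A small Python model of the payout split described in this finding, added here as an illustration; it is not code from Escrow.sol or from the Cyfrin/2023-07-escrow project. The function names, the balance guard and the capped variant are assumptions made for the example, not the project's fix:

```python
# Added model of the resolveDispute() payout split described in the finding.
# It is NOT the Escrow.sol code from Cyfrin/2023-07-escrow; it only reproduces
# the arithmetic the report describes so the seller overpayment can be checked.
from dataclasses import dataclass


@dataclass
class Payout:
    buyer: int
    arbiter: int
    seller: int


def _check_fee(balance: int, i_arbiter_fee: int, buyer_award: int) -> None:
    # Assumed guard: the award plus the arbiter fee cannot exceed what is held.
    if buyer_award + i_arbiter_fee > balance:
        raise ValueError("buyer award plus arbiter fee exceeds escrow balance")


def resolve_dispute_as_described(balance: int, i_price: int, i_arbiter_fee: int,
                                 buyer_award: int) -> Payout:
    """Split modelled on the report: the buyer award and the arbiter fee are
    paid, then the *entire* remaining token balance goes to the seller,
    regardless of i_price."""
    _check_fee(balance, i_arbiter_fee, buyer_award)
    remaining = balance - buyer_award - i_arbiter_fee
    return Payout(buyer=buyer_award, arbiter=i_arbiter_fee, seller=remaining)


def resolve_dispute_capped(balance: int, i_price: int, i_arbiter_fee: int,
                           buyer_award: int) -> Payout:
    """Assumed hardening (an illustration, not the project's fix): the seller
    never receives more than i_price; any surplus held by the contract
    beyond that is returned to the buyer so the full balance is still paid out."""
    _check_fee(balance, i_arbiter_fee, buyer_award)
    remaining = balance - buyer_award - i_arbiter_fee
    seller_share = min(remaining, i_price)
    surplus = remaining - seller_share
    return Payout(buyer=buyer_award + surplus, arbiter=i_arbiter_fee,
                  seller=seller_share)


def seller_overpayment(p: Payout, i_price: int) -> int:
    """Tokens the seller receives above the agreed i_price (0 if none)."""
    return max(0, p.seller - i_price)
```

With the report's numbers (balance 555, i_price 50, i_arbiterFee 5, buyer award 5) the described split pays the seller 545 tokens, 495 above price, while the capped variant pays the seller 50 and returns the surplus to the buyer.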

0kage-eth commented 11 months ago