I am looking through the localethereum smart contract: https://etherscan.io/address/0x09678741bd50c3e74301f38fbd0136307099ae5d#code and I have trouble understanding why what I am seeing is not a vulnerability.
It is a p2p escrow service: the seller sends ETH to the smart contract, the ETH gets locked up in escrow, and after some conditions are met between buyer and seller, the seller can release the ETH from escrow to the buyer by calling a method in that smart contract.
Sometimes there might be a dispute between buyer and seller. At that point the escrow gets locked and it is up to the administrator to resolve the dispute and release the ETH to the rightful person using the following function:
    function resolveDispute(
        /**
         * Called by the arbitrator to resolve a dispute
         * Requires the signed ACTION_DISPUTE actionByte from either the buyer or the seller
         */
        bytes16 _tradeID,
        address _seller,
        address _buyer,
        uint256 _value,
        uint16 _fee,
        uint8 _v,
        bytes32 _r,
        bytes32 _s,
        uint8 _buyerPercent
    ) external onlyArbitrator {
        address _signature = ecrecover(keccak256(_tradeID, ACTION_DISPUTE), _v, _r, _s);
        require(_signature == _buyer || _signature == _seller);
        var (_escrow, _tradeHash) = getEscrowAndHash(_tradeID, _seller, _buyer, _value, _fee);
        require(_escrow.exists);
        require(_buyerPercent <= 100);
        uint256 _totalFees = _escrow.totalGasFeesSpentByRelayer + GAS_doResolveDispute;
        require(_value - _totalFees <= _value); // Prevent underflow
        feesAvailableForWithdraw += _totalFees; // Add to the pot for localethereum to withdraw
        delete escrows[_tradeHash];
        DisputeResolved(_tradeHash);
        _buyer.transfer((_value - _totalFees) * _buyerPercent / 100);
        _seller.transfer((_value - _totalFees) * (100 - _buyerPercent) / 100);
    }
My problem is at the bottom: if _buyer or _seller is a malicious user and his address here is in fact a contract, the transfer call would execute the fallback method in that contract, which could throw and cause the resolveDispute() call in the localethereum contract to throw and never be able to complete. This would lock ETH in escrow forever.
What am I missing here and how is that not a vulnerability?
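The failure mode described in the question, where one recipient's reverting fallback undoes the whole resolution, is commonly avoided with a withdrawal (pull-payment) pattern. The sketch below is an added example, not part of the original post and not localethereum's code; the contract name, `createEscrow`, `credits` and `withdraw` are hypothetical, and it assumes no relayer fees and no ACTION_DISPUTE signature check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch (not localethereum's code): dispute payouts are credited
// to a ledger and pulled by each party, so a recipient whose fallback reverts
// can only block its own withdrawal, never the arbitrator's resolution.
contract PullPaymentEscrowSketch {
    address public immutable arbitrator;
    mapping(bytes32 => uint256) public escrowed; // tradeHash => locked wei
    mapping(address => uint256) public credits;  // payee => withdrawable wei

    event DisputeResolved(bytes32 indexed tradeHash);
    event Withdrawn(address indexed payee, uint256 amount);

    constructor() { arbitrator = msg.sender; }

    modifier onlyArbitrator() {
        require(msg.sender == arbitrator, "not arbitrator");
        _;
    }

    // Seller locks ETH for a trade. Assumption: fees and signatures are out of scope.
    function createEscrow(bytes16 tradeID, address buyer) external payable {
        bytes32 h = keccak256(abi.encodePacked(tradeID, msg.sender, buyer, msg.value));
        require(escrowed[h] == 0 && msg.value > 0, "bad escrow");
        escrowed[h] = msg.value;
    }

    // No external call happens here, so neither party can make this revert.
    function resolveDispute(bytes16 tradeID, address seller, address buyer,
                            uint256 value, uint8 buyerPercent) external onlyArbitrator {
        require(buyerPercent <= 100, "bad percent");
        bytes32 h = keccak256(abi.encodePacked(tradeID, seller, buyer, value));
        require(escrowed[h] == value && value > 0, "no such escrow");
        delete escrowed[h];
        uint256 buyerShare = value * buyerPercent / 100;
        credits[buyer] += buyerShare;
        credits[seller] += value - buyerShare; // remainder avoids rounding dust
        emit DisputeResolved(h);
    }

    // Each party pulls its own funds; the credit is cleared before the external call.
    function withdraw() external {
        uint256 amount = credits[msg.sender];
        require(amount > 0, "nothing to withdraw");
        credits[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
        emit Withdrawn(msg.sender, amount);
    }
}
```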