malicious franchisee can lock funds for full duration of trust #1
After the start of the trust, the current franchisee can set the franchisee to the address of a contract with a fallback function that always throws, preventing withdraw from functioning. Assuming the custodian does not stop uploading conversion rates (which is likely, as they are designed to provide conversion rates for more than one trust), the funds will be locked for the full duration of the trust.
The most secure way would be separating withdraw into separate functions for each of the relevant parties so that they can only make their own transaction fail (as you said, always use the withdraw pattern). However, I understand how that could be suboptimal for UX purposes.
A possible workaround is changing the franchisee's--and only the franchisee's--transfer() to send(). When send() fails an exception won't be propagated, instead it returns false. This would close up the locking issue, but potentially leave a franchisee without malicious intent out of a payment if their transfer fails for whatever reason.
Perhaps the two approaches could be combined: keep track of whether franchisee's send was successful, and if it was not, allow the franchisee to withdraw the missed payment through their own withdraw function.
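The combined approach sketched above, as an added illustration that is not the project's own code: the locking variant sits beside a withdraw that uses send() only for the franchisee and records a failed payment for a later pull. Contract, variable and function names (franchiseeShare, beneficiaryShare, owed, withdrawOwed) are assumptions; the shares are assumed to be computed elsewhere from the custodian's rates.

```solidity
pragma solidity ^0.4.24;

// Added illustration only; names below are assumptions, not the project's API.
contract TrustPayout {
    address public franchisee;
    address public beneficiary;
    // Pending shares, assumed to be computed elsewhere from the custodian's rates.
    uint256 public franchiseeShare;
    uint256 public beneficiaryShare;
    // Payments whose send() failed, keyed by the address that was owed at the time.
    mapping(address => uint256) public owed;

    // Locking variant described in the issue: a single transfer() to the
    // franchisee throws for everyone when that address is a contract whose
    // fallback reverts, so the beneficiary's payout is rolled back as well.
    function withdrawLocking() public {
        uint256 f = franchiseeShare;
        uint256 b = beneficiaryShare;
        franchiseeShare = 0;
        beneficiaryShare = 0;
        franchisee.transfer(f);   // revert here blocks the whole withdraw
        beneficiary.transfer(b);
    }

    // Combined approach: send() to the franchisee returns false instead of
    // throwing, and the missed amount is recorded for a separate pull.
    function withdraw() public {
        uint256 f = franchiseeShare;
        uint256 b = beneficiaryShare;
        franchiseeShare = 0;      // zero state before any external call
        beneficiaryShare = 0;
        if (!franchisee.send(f)) {
            owed[franchisee] += f; // no exception propagated; remember the payment
        }
        beneficiary.transfer(b);  // no longer depends on the franchisee's fallback
    }

    // Franchisee-only pull for missed payments; a revert here affects only the caller.
    function withdrawOwed() public {
        uint256 amount = owed[msg.sender];
        require(amount > 0);
        owed[msg.sender] = 0;     // zero before the transfer to avoid re-entrant double pulls
        msg.sender.transfer(amount);
    }
}
```

A franchisee whose fallback reverts can still only strand its own share; the beneficiary's transfer in withdraw() proceeds regardless.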