Summary
The withdraw function in the BuggyNFTVault contract uses a low-level call with a whitespace payload (" ") when transferring ETH to the user. Because the calldata is not empty, the call is routed to the recipient contract's fallback function rather than to receive(). Contracts without a fallback function therefore cannot receive the withdrawal: the call fails and withdraw reverts with "Transfer failed", causing a denial of service (DoS) for those contracts.
Vulnerability Details
The withdraw function uses a low-level call with a whitespace payload to transfer ETH to the caller:
    function withdraw(uint256 tokenId) external {
        require(ownerOf(tokenId) == msg.sender, "Only the owner can withdraw");
        // Burn the NFT to complete the withdrawal process.
        _burn(tokenId);
        deposits[msg.sender] -= depositRequired;
        (bool success, ) = msg.sender.call{value: depositRequired}(" "); // @audit whitespace
        require(success, "Transfer failed");
    }
Impact
Denial of Service (DoS): Contracts that do not have a fallback function will be unable to receive the ETH transfer. As a result, users who deploy or interact with contracts without a fallback function are unable to withdraw their funds.
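The dispatch difference behind this finding, as an added example that is not part of the BuggyNFTVault code base: the same payout is attempted with the audited " " payload and with empty calldata against two recipient shapes. ReceiveOnlyWallet, FallbackWallet, PayoutDemo and their function names are hypothetical, and the vault's NFT and accounting logic is left out so that only the ETH transfer is exercised. The space-payload call fails against the receive-only wallet, while the empty-calldata call succeeds against both.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical recipient: accepts plain ETH transfers only, no fallback.
contract ReceiveOnlyWallet {
    receive() external payable {}
}

// Hypothetical recipient: also accepts value sent with calldata.
contract FallbackWallet {
    receive() external payable {}
    fallback() external payable {}
}

// Hypothetical stand-in for the payout step of withdraw (no NFT logic).
contract PayoutDemo {
    // Fund the demo at deployment so the payouts below can be made.
    constructor() payable {}

    // Same payload as the audited code: one space byte (0x20).
    // Non-empty calldata that matches no function selector is dispatched
    // to fallback(); receive() is never considered for it.
    function payWithSpace(address to, uint256 amount) public returns (bool ok) {
        (ok, ) = to.call{value: amount}(" ");
    }

    // Hardened form: empty calldata is dispatched to receive() when it
    // exists, otherwise to a payable fallback().
    function payWithEmpty(address to, uint256 amount) public returns (bool ok) {
        (ok, ) = to.call{value: amount}("");
    }

    // Runs both payout styles against both recipient shapes and returns
    // the four success flags in the order the calls are made.
    function run() external returns (bool, bool, bool, bool) {
        address receiveOnly = address(new ReceiveOnlyWallet());
        address withFallback = address(new FallbackWallet());
        return (
            payWithSpace(receiveOnly, 1),
            payWithSpace(withFallback, 1),
            payWithEmpty(receiveOnly, 1),
            payWithEmpty(withFallback, 1)
        );
    }
}
```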