TwentyOne

Summary

The current contract lacks logic to handle the scenario where the player and dealer have the same hand value, resulting in a tie. This can cause the game to behave incorrectly when both the player and the dealer have equal points, as the contract doesn't account for this situation.

Vulnerability Details

In the current implementation of the call function, the contract checks if the dealer busts (hand > 21) and declares the player as the winner, the player’s hand is greater than the dealer’s hand and declares the player as the winner and if neither of the above, the player loses.

However, no check is made to handle the case where both the player and dealer have the same hand value. In most Blackjack variants, this scenario is considered a push (a tie), and the player’s bet should either be returned or neither player wins. This oversight may lead to unexpected behavior or missed edge cases.

Impact

This could lead to unexpected game outcomes. In the case of a tie between the player and dealer the player might be incorrectly declared a loser or winner which violates expected behavior in Blackjack, where a tie typically results in no winner and the bet is returned to the player. This can cause the contract to fail to correctly handle the push/tie condition.

Tools Used

Manual review

Recommendations

It is highly recommended to include an additional check to properly handle the case where the player's and dealer's hands are equal. A typical approach is to return the player's bet in the event of a tie and not declare a winner or loser.

This is the suggested fix: