TwentyOne

First Flight #29

Beginner FriendlyGameFiFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

[H-05] Dealer Stand Logic Violates Standard Blackjack Rules

iepathos

Summary

The TwentyOne contract implements non-standard dealer stand rules where the dealer might continue hitting on hands of 17-20. This violates fundamental Blackjack rules where dealers must stand on 17 or higher, significantly impacting game fairness and player strategy.

Vulnerability Details

Location: src/TwentyOne.sol

https://github.com/Cyfrin/2024-11-TwentyOne/blob/main/src/TwentyOne.sol#L142-L157

The contract randomly determines when the dealer will stand, rather than following standard Blackjack rules:

// Calculate the dealer's threshold for stopping (between 17 and 21)

uint256 standThreshold = (uint256(

keccak256(

abi.encodePacked(block.timestamp, msg.sender, block.prevrandao)

)

) % 5) + 17;

// Dealer draws cards until their hand reaches or exceeds the threshold

while (dealersHand(msg.sender) < standThreshold) {

uint256 newCard = drawCard(msg.sender);

addCardForDealer(msg.sender, newCard);

}

In standard Blackjack:

Dealers must stand on any hand of 17 or higher
This is a fixed rule, not randomized
Players rely on this rule for strategic decisions

The current implementation:

Randomly sets stand threshold between 17 and 21
Dealer might hit on 17-20 when they should stand
Creates unpredictable and non-standard gameplay

Impact

Game Fairness
- Violates fundamental Blackjack rules
- Players cannot use standard Blackjack strategy
- Creates additional house edge not present in standard rules
Economic Impact
- Players may lose when they should win under standard rules
- Strategy becomes unreliable due to non-standard dealer behavior
- Every game is affected by this rule deviation
Player Trust
- Breaks expected game mechanics
- May be perceived as intentionally unfair
- Could lead to player dissatisfaction and reduced protocol usage

Tools Used

Manual Code Review
Standard Blackjack Rule Comparison

Recommendations

Implement Standard Dealer Rules:

function call() public {

require(

playersDeck[msg.sender].playersCards.length > 0,

"Game not started"

);

uint256 playerHand = playersHand(msg.sender);

// Dealer must hit on 16 or below, stand on 17 or above

while (dealersHand(msg.sender) < 17) {

uint256 newCard = drawCard(msg.sender);

addCardForDealer(msg.sender, newCard);

}

uint256 dealerHand = dealersHand(msg.sender);

// Rest of the function...

}

Documentation Updates:
- Clearly document dealer stand rules
- Remove references to randomized stand threshold
- Align documentation with standard Blackjack rules
Testing:
- Add test cases verifying dealer stands on 17+
- Verify dealer hits on 16 or below
- Test edge cases around the stand threshold

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Validated

Assigned finding tags:

The Dealer's Play - Dealer must stand on 17

Rewards breakdown

nSLOC

147

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.