TwentyOne

First Flight #29
Beginner Friendly, GameFi, Foundry, Solidity
100 EXP
Submission Details
Severity: medium
Valid

[H-07] Natural Blackjack (21 with First Two Cards) Not Handled Correctly

Summary

The TwentyOne contract fails to implement special handling for natural Blackjack (an initial two-card hand totaling 21). In standard Blackjack, a natural 21 automatically wins against any non-Blackjack hand, even if the dealer also reaches 21 with more cards. The current implementation incorrectly treats a natural 21 the same as any other 21, allowing the dealer to tie or win with a non-natural 21.

Vulnerability Details

Location: src/TwentyOne.sol

https://github.com/Cyfrin/2024-11-TwentyOne/blob/main/src/TwentyOne.sol#L89-L99

The startGame() function doesn't check for Blackjack after the initial deal:

    function startGame() public payable returns (uint256) {
        address player = msg.sender;
        require(msg.value >= 1 ether, "not enough ether sent");
        initializeDeck(player);
        uint256 card1 = drawCard(player);
        uint256 card2 = drawCard(player);
        addCardForPlayer(player, card1);
        addCardForPlayer(player, card2);
        return playersHand(player);
        // No check for natural Blackjack (21 with first two cards)
    }

The call() function treats all 21s the same:

    function call() public {
        // ... no special handling for natural Blackjack vs regular 21
        if (dealerHand > 21) {
            emit PlayerWonTheGame("Dealer went bust, players winning hand: ", playerHand);
            endGame(msg.sender, true);
        } else if (playerHand > dealerHand) {
            emit PlayerWonTheGame("Dealer's hand is lower, players winning hand: ", playerHand);
            endGame(msg.sender, true);
        }
    }

In standard Blackjack:

  • Natural Blackjack (21 with first two cards) automatically wins against any non-Blackjack hand

  • Only dealer Blackjack can tie player Blackjack

  • This is a fundamental rule affecting game fairness and strategy

Impact

  1. Game Fairness

    • Violates standard Blackjack rules

    • Players can unfairly lose or tie when they should win

    • Natural 21 incorrectly treated same as multi-card 21

  2. Economic Impact

    • Players lose guaranteed wins when dealer hits to 21

    • Affects every natural Blackjack hand dealt

    • Significantly reduces player expected value

  3. Strategic Impact

    • Players cannot implement standard Blackjack strategy

    • Changes optimal betting patterns

    • Affects player decisions on insurance and splitting

Tools Used

  • Manual Code Review

  • Standard Blackjack Rule Comparison

Recommendations

  1. Add Natural Blackjack Detection:

    function hasNaturalBlackjack(address player) internal view returns (bool) {
        return playersDeck[player].playersCards.length == 2 &&
            playersHand(player) == 21;
    }

  2. Update Win Conditions:

    if (hasNaturalBlackjack(msg.sender)) {
        // Note: `dealer` is not declared in this snippet, and hasNaturalBlackjack()
        // above reads playersDeck, so the dealer's hand needs its own check.
        if (!hasNaturalBlackjack(dealer)) {
            // Player Blackjack beats any non-Blackjack dealer hand
            endGame(msg.sender, true);
        } else {
            // Push if both have Blackjack. endGame(..., false) is the
            // non-winning path, so a true push also needs a stake refund.
            endGame(msg.sender, false);
        }
        return;
    }

  3. Add New Event:

    event NaturalBlackjack(address player);

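The difference between comparing totals only and resolving naturals first, as an added example that is not code from the TwentyOne repository or from this submission. The library, contract and function names and the (total, card count) inputs are assumptions made for illustration, as is treating every case not quoted from call() as a non-win for the player.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration; not part of the TwentyOne repository. All names are hypothetical.
// Hands are passed as (total, cardCount), so no card-value rules are assumed.
library NaturalSettlement {
    enum Outcome { PlayerWins, DealerWins, Push }

    // A natural is exactly two cards totalling 21.
    function isNatural(uint256 total, uint256 cardCount) internal pure returns (bool) {
        return cardCount == 2 && total == 21;
    }

    // Mirrors the two branches quoted from call(): the card count is ignored.
    // Assumptions: the player has not bust, and any case not quoted is a non-win.
    function settleTotalsOnly(uint256 playerTotal, uint256 dealerTotal)
        internal pure returns (Outcome)
    {
        if (dealerTotal > 21) return Outcome.PlayerWins;
        if (playerTotal > dealerTotal) return Outcome.PlayerWins;
        return Outcome.DealerWins;
    }

    // Natural-aware settlement: naturals are resolved before totals are compared.
    function settle(
        uint256 playerTotal, uint256 playerCards,
        uint256 dealerTotal, uint256 dealerCards
    ) internal pure returns (Outcome) {
        bool playerNatural = isNatural(playerTotal, playerCards);
        bool dealerNatural = isNatural(dealerTotal, dealerCards);
        if (playerNatural && dealerNatural) return Outcome.Push;
        if (playerNatural) return Outcome.PlayerWins;
        if (dealerNatural) return Outcome.DealerWins;
        return settleTotalsOnly(playerTotal, dealerTotal);
    }
}

contract NaturalSettlementCheck {
    // Constructed case: player natural (2 cards, 21) against a dealer three-card 21.
    function naturalVsThreeCard21() external pure returns (bool oldLoses, bool newWins) {
        oldLoses = NaturalSettlement.settleTotalsOnly(21, 21)
            == NaturalSettlement.Outcome.DealerWins;
        newWins = NaturalSettlement.settle(21, 2, 21, 3)
            == NaturalSettlement.Outcome.PlayerWins;
    }
}
```
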
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Natural Blackjack not implemented

Naturals. If a player's first two cards are an ace and a "ten-card" (a picture card or 10), giving a count of 21 in two cards, this is a natural or "blackjack." If any player has a natural and the dealer does not, the dealer immediately pays that player one and a half times the amount of their bet.

Appeal created

iepathos Submitter
about 1 year ago
inallhonesty Lead Judge
about 1 year ago