TwentyOne

First Flight #29
Beginner Friendly, GameFi, Foundry, Solidity

Submission Details
Severity: medium
Valid

[H-07] Natural Blackjack (21 with First Two Cards) Not Handled Correctly

Summary

The TwentyOne contract fails to implement special handling for natural Blackjack (an initial two-card hand totaling 21). In standard Blackjack, a natural 21 automatically wins against any non-Blackjack hand, even if the dealer also reaches 21 with more cards. The current implementation incorrectly treats a natural 21 the same as any other 21, allowing the dealer to tie or win with a non-natural 21.

Vulnerability Details

Location: src/TwentyOne.sol

https://github.com/Cyfrin/2024-11-TwentyOne/blob/main/src/TwentyOne.sol#L89-L99

The startGame() function does not check for a natural Blackjack after the initial two-card deal:

function startGame() public payable returns (uint256) {
    address player = msg.sender;
    require(msg.value >= 1 ether, "not enough ether sent");
    initializeDeck(player);
    uint256 card1 = drawCard(player);
    uint256 card2 = drawCard(player);
    addCardForPlayer(player, card1);
    addCardForPlayer(player, card2);
    // No check for natural Blackjack (21 with first two cards)
    return playersHand(player);
}

The call() function treats all 21s the same:

function call() public {
    // ... no special handling for natural Blackjack vs regular 21
    if (dealerHand > 21) {
        emit PlayerWonTheGame("Dealer went bust, players winning hand: ", playerHand);
        endGame(msg.sender, true);
    } else if (playerHand > dealerHand) {
        emit PlayerWonTheGame("Dealer's hand is lower, players winning hand: ", playerHand);
        endGame(msg.sender, true);
    }
}

In standard Blackjack:

  • Natural Blackjack (21 with first two cards) automatically wins against any non-Blackjack hand

  • Only dealer Blackjack can tie player Blackjack

  • This is a fundamental rule affecting game fairness and strategy

Impact

  1. Game Fairness

    • Violates standard Blackjack rules

    • Players can unfairly lose or tie when they should win

    • Natural 21 incorrectly treated the same as a multi-card 21

  2. Economic Impact

    • Players lose guaranteed wins when the dealer hits to 21

    • Affects every natural Blackjack hand dealt

    • Significantly reduces player expected value

  3. Strategic Impact

    • Players cannot implement standard Blackjack strategy

    • Changes optimal betting patterns

    • Affects player decisions on insurance and splitting

Tools Used

  • Manual Code Review

  • Standard Blackjack Rule Comparison

Recommendations

  1. Add Natural Blackjack Detection:

function hasNaturalBlackjack(address player) internal view returns (bool) {
    return playersDeck[player].playersCards.length == 2 &&
        playersHand(player) == 21;
}

  2. Update Win Conditions:

if (hasNaturalBlackjack(msg.sender)) {
    if (!hasNaturalBlackjack(dealer)) {
        // Player Blackjack beats any non-Blackjack dealer hand
        endGame(msg.sender, true);
    } else {
        // Push if both have Blackjack
        endGame(msg.sender, false);
    }
    return;
}

  3. Add New Event:

event NaturalBlackjack(address player);

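To make the gap concrete, the following Python model (an added example, not the contract's or the submitter's code) settles a hand two ways: as the page's call() does, and with naturals resolved before totals are compared, as the recommendation proposes. The card-rank representation, the even-money payout for an ordinary win, and the assumption that the deployed path leaves every non-winning outcome with the house are my own.

```python
# Constructed card ranks: "A", "2".."10", "J", "Q", "K". Suits do not matter.

def hand_value(cards: list[str]) -> int:
    """Best total: each ace counts 11 unless that busts the hand, then 1."""
    total, soft_aces = 0, 0
    for c in cards:
        if c == "A":
            total, soft_aces = total + 11, soft_aces + 1
        elif c in ("J", "Q", "K"):
            total += 10
        else:
            total += int(c)
    while total > 21 and soft_aces:
        total, soft_aces = total - 10, soft_aces - 1
    return total

def is_natural(cards: list[str]) -> bool:
    """A natural is exactly two cards totalling 21 (ace plus a ten-card)."""
    return len(cards) == 2 and hand_value(cards) == 21

def settle_as_deployed(player: list[str], dealer: list[str]) -> str:
    """Mirrors the page's call(): dealer bust or a strictly higher player
    total wins; every other outcome leaves the stake with the house
    (assumption: the snippet on the page shows no push branch)."""
    p, d = hand_value(player), hand_value(dealer)
    return "player" if d > 21 or p > d else "house"

def settle_with_naturals(player: list[str], dealer: list[str]) -> tuple[str, float]:
    """Recommended ordering: resolve naturals before comparing totals.
    Returns (winner, net result in multiples of the stake): +1.5 for a
    natural (the 3:2 rule quoted by the judge), +1.0 for an ordinary win,
    0.0 for a push, -1.0 for a loss. Even-money ordinary win is an assumption."""
    p_nat, d_nat = is_natural(player), is_natural(dealer)
    if p_nat and d_nat:
        return ("push", 0.0)
    if p_nat:
        return ("player", 1.5)   # beats any non-natural hand, even a 3-card 21
    if d_nat:
        return ("house", -1.0)
    p, d = hand_value(player), hand_value(dealer)
    if p > 21:
        return ("house", -1.0)
    if d > 21 or p > d:
        return ("player", 1.0)
    if p == d:
        return ("push", 0.0)
    return ("house", -1.0)
```

With a player A+K against a dealer 7+7+7, settle_as_deployed returns "house" while settle_with_naturals returns ("player", 1.5), which is exactly the discrepancy this finding reports.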
Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Natural Blackjack not implemented

Naturals. If a player's first two cards are an ace and a "ten-card" (a picture card or 10), giving a count of 21 in two cards, this is a natural or "blackjack." If any player has a natural and the dealer does not, the dealer immediately pays that player one and a half times the amount of their bet.

Appeal created

iepathos Submitter
11 months ago
inallhonesty Lead Judge
11 months ago
