Description:
https://github.com/Cyfrin/2024-11-TwentyOne/blob/a4429168302722d14a5e5996d25d6fc5be22a899/src/TwentyOne.sol#L43
The dealersHand function lacks access control, allowing any external entity to retrieve the dealer's hand details, including the hidden card. This violates the rules of blackjack, where the dealer's second card (the "hole card") is meant to remain hidden until the appropriate phase of the game.
Impact:
Revealing the dealer's hole card gives players an unfair advantage, allowing them to make decisions with complete knowledge of the dealer's hand.
Proof of Concept:
Deploy the contract and start the blackjack game.
Call the dealersHand function from an external address during the game.
Observe the full details of the dealer's hand, including the hidden card, being returned without restriction.
Tools Used:
Manual Review.
Recommended Mitigation:
Implement access control checks to ensure the dealersHand function only reveals appropriate information. For example:
(a). Restrict access to the full dealer's hand until the game concludes.
(b). Allow external callers to see only the face-up card during the game.
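The sketch below is an added example, not code from TwentyOne.sol, showing options (a) and (b) as phase-gated getters. Because contract storage can be read off-chain regardless of a function's access control, it goes one step beyond the text and assumes the hole card is held only as a hash commitment until the game concludes. All names (HoleCardVisibility, startGame, concludeGame, dealersFaceUpCard, the dealer role and the salt) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration: every name below is hypothetical, not taken from TwentyOne.sol.
contract HoleCardVisibility {
    enum Phase { NotStarted, InProgress, Concluded }
    struct Game {
        Phase phase;
        uint8 faceUpCard;        // visible from the first deal
        bytes32 holeCommitment;  // keccak256(abi.encode(holeCard, salt)); the card is not stored
        uint8 holeCard;          // written only when the game concludes
    }
    address public immutable dealer;
    mapping(address => Game) private games;
    error NotDealer();
    error WrongPhase();
    error BadReveal();
    constructor() { dealer = msg.sender; }

    modifier onlyDealer() {
        if (msg.sender != dealer) revert NotDealer();
        _;
    }

    // Assumed flow: the dealer publishes the face-up card and commits to the hole card.
    function startGame(address player, uint8 faceUp, bytes32 commitment) external onlyDealer {
        if (games[player].phase == Phase.InProgress) revert WrongPhase();
        games[player] = Game(Phase.InProgress, faceUp, commitment, 0);
    }

    // The reveal must match the commitment made at the start of the game.
    function concludeGame(address player, uint8 holeCard, bytes32 salt) external onlyDealer {
        Game storage g = games[player];
        if (g.phase != Phase.InProgress) revert WrongPhase();
        if (keccak256(abi.encode(holeCard, salt)) != g.holeCommitment) revert BadReveal();
        g.holeCard = holeCard;
        g.phase = Phase.Concluded;
    }

    // (b) Once a game has started, callers can read the face-up card only.
    function dealersFaceUpCard(address player) external view returns (uint8) {
        if (games[player].phase == Phase.NotStarted) revert WrongPhase();
        return games[player].faceUpCard;
    }

    // (a) The full hand is returned only after the game has concluded.
    function dealersHand(address player) external view returns (uint8 faceUp, uint8 hole) {
        Game storage g = games[player];
        if (g.phase != Phase.Concluded) revert WrongPhase();
        return (g.faceUpCard, g.holeCard);
    }
}
```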