Lack of Post-Game Dealer Hand Transparency in TwentyOne.sol
Summary
The TwentyOne contract fails to provide players with visibility into the dealer’s final hand at the end of the game. This issue arises because the dealer’s card array (dealersDeck) is reset during the endGame function, resulting in the getDealerCards function returning an empty array. This lack of transparency prevents players from verifying the fairness of the game outcomes.
Vulnerability Details
-
Data Deletion in
endGame:-
During the
endGamefunction, the dealer’s cards are deleted in linedelete dealersDeck[player].dealersCards;and as a result, the dealer’s final hand is no longer retrievable after the game ends.function endGame(address player, bool playerWon) internal {delete playersDeck[player].playersCards; // Clear the player's cardsdelete dealersDeck[player].dealersCards; // Clear the dealer's cardsdelete availableCards[player]; // Reset the deck// @-Audit should win twice the bet amountif (playerWon) {payable(player).transfer(2 ether); // Transfer the prize to the playeremit FeeWithdrawn(player, 2 ether); // Emit the prize withdrawal event}}
-
Impact
Reputation Risk: The absence of transparency could lead to reputational damage for the contract and its creators.
Player Frustration: Honest players may feel cheated or lose confidence in the fairness of the system, leading to reduced engagement.
Tools Used
Manual Code Review
Recommendations
Emit the dealer’s and player’s final hands in an event at the end of each game: since events are logged on the blockchain and cannot be altered or deleted, events ensure an unchangeable and publicly verifiable record of the game outcome.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.