Logic of playersHand() and dealersHand() does not emulate the real-world scenario of calculating the value of Ace card
Summary
The player does not have as much hand flexibility as the playersHand() function defaults an Ace card to be valued at 10, instead of emulated the real-world rule of Blackjack, whereby Ace can either be valued at 11 or 1.
Additionally, the dealersHand() function is also handling the Ace strangely and not emulated the real-world rule - instead, the dealer can even draw a card with value 0.
Vulnerability Details
playersHand() function calculate the playerTotal as such:
In a standard deck of cards:
Each rank (Ace, 2, 3, ..., King) repeats across four suits.
% 13 makes sure that cards 13, 26, 39 and 52 all map to the same rank (Ace), as their remainders when divided by 13 are the same.
However, in the code snippet above, if cardValue % 13 = 0, it adds 10 to the playerTotal. There is no decision made available to player whether they want their Ace to be value 11 or 1.
Additionally, dealersHand() also has strange logic that does not emulate real-world rules, as seen below:
The logic also does not allow dealer to select if their Ace is valued 11 or 1. On top of that, assuming the dealer has a cardValue = 52%13 = 0.
The else statement will then add 0 to the dealerTotal.
Impact
Results in confusing user experience which can be seen as unfair due to the lack of hand flexibility.
Tools Used
Manual Review
Recommendations
Update logic of playersHands() and dealersHands() to emulate a real game of Blackjack.
Appeal created
Wrong ace value
Asymmetric calculation of hands is rigged in the player`s favor.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.