TwentyOne

First Flight #29
Submission Details
Severity: high
Invalid

[H-1] Mapping Exposed On-Chain

Summary

The vulnerability concerns the availableCards mapping. Although marked as private, the data it holds can still be read on-chain, revealing the number and types of cards available to specific addresses. This flaw allows players to predict deck composition, gain unfair advantages, and undermine the game's fairness.

Due to its high impact on the game and the ease of access, this issue is classified as High.

Vulnerability Details

The availableCards mapping is defined as:

mapping(address => uint256[]) private availableCards;

While declared as private, this does not prevent its data from being accessible on-chain: the private keyword only stops other contracts from calling a getter, it does not hide the storage slots. Blockchain transparency allows anyone to query contract storage directly (for example via eth_getStorageAt) and retrieve the mapping's state.

Exploitable Scenarios:

  1. Deck Composition Analysis: Attackers can determine the remaining cards in the deck or cards associated with other players.

  2. Strategic Exploits: Knowledge of deck composition allows cheaters to manipulate gameplay and gain unfair advantages.

  3. Game Integrity Loss: Public exposure of card data undermines player trust and the fairness of the game.

Impact

An attacker can easily read the data on-chain with tools such as Etherscan or a node's RPC interface, which leads to the exploit scenarios listed above (deck composition analysis, strategic exploits, and loss of game integrity).

Tools Used

  • Manual review

Recommendations

Avoid On-Chain Storage of Sensitive Game Logic:

  • Store card data off-chain, and use cryptographic proofs or signed messages to validate gameplay on-chain.

Implement Obfuscation Techniques:

  • Store hashed card values on-chain instead of raw card data. Use off-chain computations to reveal card values as needed.
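As an added example (not code from the TwentyOne repository or from this submission), the following Python script demonstrates both the vulnerability details above and the hashed-storage recommendation: it lays out availableCards[player] in storage exactly as the Solidity compiler does for a mapping(address => uint256[]), recovers the "private" deck using nothing but raw slot reads, and then shows the keccak256 commitment a contract could store instead of the raw cards. The base storage slot 1, the player address, the deck values and the in-memory dict standing in for eth_getStorageAt are all constructed assumptions; a small Keccak implementation is included so the script runs offline.

```python
"""Added example: reading a 'private' Solidity mapping from raw storage,
and a hash commitment as the alternative. Not TwentyOne project code.
Assumptions: availableCards lives at storage slot 1 (constructed), and a
Python dict stands in for a node's eth_getStorageAt.
"""
from typing import Callable, Dict, List

MASK64 = (1 << 64) - 1
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
# rho rotation offsets, indexed ROT[x][y]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & MASK64


def _keccak_f(a: List[int]) -> List[int]:
    """Keccak-f[1600] on 25 little-endian 64-bit lanes, lane index x + 5*y."""
    for rc in RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]                      # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):                                         # rho + pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], ROT[x][y])
        a = [b[x + 5 * y] ^ (~b[(x + 1) % 5 + 5 * y] & b[(x + 2) % 5 + 5 * y])
             for y in range(5) for x in range(5)]                      # chi
        a[0] ^= rc                                                     # iota
    return a


def keccak256(data: bytes) -> bytes:
    """Ethereum's keccak256 (original Keccak 0x01 padding, not SHA3-256)."""
    rate = 136
    state = [0] * 25
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        state = _keccak_f(state)
    return b"".join(lane.to_bytes(8, "little") for lane in state[:4])


def word(n: int) -> bytes:
    """Left-pad an integer (or address) to a 32-byte EVM word."""
    return n.to_bytes(32, "big")


def mapping_slot(key_address: int, base_slot: int) -> int:
    """Slot holding availableCards[key]: keccak256(pad32(key) . pad32(base_slot))."""
    return int.from_bytes(keccak256(word(key_address) + word(base_slot)), "big")


def array_data_slot(array_slot: int) -> int:
    """Elements of a dynamic array start at keccak256(pad32(array_slot)); the
    array slot itself holds the length."""
    return int.from_bytes(keccak256(word(array_slot)), "big")


Storage = Dict[int, int]


def store_deck(storage: Storage, player: int, base_slot: int, cards: List[int]) -> None:
    """Write availableCards[player] = cards with the layout solc uses for uint256[]."""
    slot = mapping_slot(player, base_slot)
    storage[slot] = len(cards)
    data = array_data_slot(slot)
    for i, card in enumerate(cards):
        storage[data + i] = card


def read_private_deck(get_storage_at: Callable[[int], int], player: int, base_slot: int) -> List[int]:
    """Recover the 'private' deck using only raw slot reads: the length word,
    then each element. This is all eth_getStorageAt needs to provide."""
    slot = mapping_slot(player, base_slot)
    length = get_storage_at(slot)
    data = array_data_slot(slot)
    return [get_storage_at(data + i) for i in range(length)]


def commit_deck(cards: List[int], salt: bytes) -> bytes:
    """Recommendation: store keccak256(cards || salt) on-chain, reveal later."""
    return keccak256(b"".join(word(c) for c in cards) + salt)


def verify_deck(commitment: bytes, cards: List[int], salt: bytes) -> bool:
    """On-chain check at reveal time: recompute and compare the commitment."""
    return commit_deck(cards, salt) == commitment


def demo() -> List[int]:
    storage: Storage = {}                       # constructed stand-in for chain state
    player = 0x000000000000000000000000000000000000BEEF  # constructed address
    base_slot = 1                               # assumption: slot of availableCards
    store_deck(storage, player, base_slot, [10, 4, 11])
    return read_private_deck(lambda s: storage.get(s, 0), player, base_slot)
```

The read-side function never touches contract code; given a live RPC endpoint the lambda would simply wrap eth_getStorageAt, which is why the private modifier offers no confidentiality. The commitment variant keeps only a 32-byte hash in storage, so the deck cannot be recovered until the salt is revealed, and the salt must be unpredictable for that to hold.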

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

zyrrow Submitter 11 months ago
inallhonesty Lead Judge 11 months ago
inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
