Summary

When the dealersHand function is called, if a K card is drawn, the value added to the deck is 0 instead of 10, as required by blackjack rules.

The value of the K card is 13, 26, 39, or 52. When any of these values is divided by 13, the result is 0 due to the modulus operation (% 13). This causes an issue where the K card incorrectly returns a value of 0 instead of the expected 10.

Vulnerability Details

This happens because the following calculation:
uint256 cardValue = dealersDeck[player].dealersCards[i] % 13;
returns 0 for cards with values 13, 26, 39, or 52.

When the K card is drawn, it should return a value of 10, as it does in the player's draw function and in accordance with official blackjack rules. Currently, due to the modulus operation (% 13), it returns a value of 0, which causes an inconsistency in the game logic.

Impact

This bug violates the fundamental rules of blackjack and undermines the fairness of the game. For example:

• The player stands with a total of 18.

• The dealer draws J(10) and K(10), which should total 20, resulting in a win for the dealer and a loss for the player.

• However, due to the bug, the calculation becomes J(10) + K(0) = 10. This forces the dealer to continue drawing cards unnecessarily, leading to unfair outcomes.

Tools Used

Manual code review

Recommendations

To resolve this issue, the condition should be updated from if (cardValue >= 10) to if (cardValue == 0 || cardValue >= 10). This ensures that K cards (13, 26, 39, 52) are correctly assigned a value of 10, aligning with the rules of blackjack, rather than mistakenly being assigned a value of 0.

Corrected Code Based on the Recommendation: