Submission Details
Severity:
Dealer's Hand Cannot Be Retrieved
Summary: Dealer's Hand Cannot Be Retrieved
Vulnerability Details: In the current implementation of the TwentyOne contract, it is not possible to reliably retrieve the dealer's hand because the dealer's cards are stored in dealersDeck[player], and this mapping is deleted in the endGame function. As a result, after the game ends, the dealer's hand is permanently removed from the contract's state.
Impact:
Players cannot verify the fairness of the game's outcome.
Transparency is reduced, which could lead to trust issues between the contract owner and players.
Tools Used: Foundry, remix
Recommendations: Do not delete the dealer's hand in the endGame function. Instead, retain the cards in dealersDeck[player] until the player explicitly starts a new game.
function endGame(address player, bool playerWon) internal {
delete playersDeck[player].playersCards; // Clear the player's cards
delete availableCards[player]; // Reset the deck
if (playerWon) {
payable(player).transfer(2 ether); // Transfer the prize to the player
emit FeeWithdrawn(player, 2 ether); // Emit the prize withdrawal event
}
// Do not delete dealer's cards here
}
Updates
Rewards breakdown
nSLOC
147This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.