TwentyOne
First Flight #29
Beginner FriendlyGameFiFoundrySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

Anyone can freely view the players' and the dealer's hands

hyer

Summary

Anyone can view the players' and the dealer's hands. This is a potential cheating behavior

Vulnerability Details

https://github.com/Cyfrin/2024-11-TwentyOne/blob/a4429168302722d14a5e5996d25d6fc5be22a899/src/TwentyOne.sol#L175-L186
As we can see above, the function is public. Although the view modifier restricts state changes, it can still be called freely to view the players' and dealer's hands.

Impact

  • If a player calls the getDealerCards function and passes in the dealer's address, they will be able to see the dealer's hand. The player can then decide whether to hit based on the value of the dealer's hand.

  • If the dealer calls the getPlayerCards function, they can know whether the player's hand value is greater than their own, and then manipulate the outcome of the game

Tools Used

Manual inspection

Recommendations

  • Implement access control restrictions for these two functions

function getPlayerCards(
address player
) public view returns (uint256[] memory) {
require(msg.sender == player, "Only the player can access this");
return playersDeck[player].playersCards;
}
function getDealerCards(
address player
) public view returns (uint256[] memory) {
require(msg.sender == dealer, "Only the dealer can access this");
_;
return dealersDeck[player].dealersCards;
}
}

  • You can design the game logic to reveal the hands only at specific stages, such as after the game ends or once all players have made their decisions. For example, reveal all hands after the player has completed their actions, or reveal the dealer's cards only after the dealer's turn

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.