CVE-2025-65951 in entropy-derby
Summary
by MITRE • 11/25/2025
Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted bet ticket, allowing the house to decrypt immediately using fast proof verification instead of expensive VDF evaluation. This issue has been patched via commit 2d38d2f.
Analysis
by VulDB Data Team • 11/26/2025
The vulnerability identified as CVE-2025-65951 affects the Inside Track / Entropy Derby horse-racing betting engine, a research-grade system that implements VDF-based timelock encryption for betting operations. This system was designed to create a secure betting environment where bettors must wait for a specified time period before their bets can be validated, ensuring fairness and preventing immediate exploitation of the betting mechanism. The flaw resides in the cryptographic implementation that governs the timelock encryption process, specifically within the Wesolowski VDF (Verifiable Delay Function) system that is central to the platform's security model.
The technical flaw stems from the failure to enforce sequential delay requirements in the VDF-based timelock encryption system. Prior to the patch implemented in commit 2d38d2f, the system allowed bettors to pre-compute the entire Wesolowski VDF calculation and include the final output in their encrypted bet tickets. This bypasses the intended security mechanism by enabling immediate decryption of bets through fast proof verification rather than the computationally expensive VDF evaluation process that should enforce the required time delay. The vulnerability represents a critical design flaw in the cryptographic protocol implementation, where the sequential nature of VDF computation was not properly enforced, allowing for parallel processing of the cryptographic functions.
The operational impact of this vulnerability is severe for the betting platform's integrity and fairness. The betting operator can immediately decrypt and validate bet tickets without waiting for the intended time delay, effectively nullifying the timelock mechanism that was designed to prevent immediate exploitation. This creates an unfair advantage for the house, because bet tickets that carry a pre-computed VDF output can be validated and processed immediately, undermining the entire purpose of the timelock encryption system. The vulnerability also exposes the platform to potential manipulation and gaming of the betting system, as the security model that was supposed to ensure fair play and prevent time-based advantages has been completely compromised.
The mitigation implemented through commit 2d38d2f addresses the core issue by properly enforcing sequential delay requirements in the VDF-based timelock encryption system. This fix ensures that the VDF computation cannot be pre-computed and that the house must wait for the full computational delay period to validate bets, maintaining the intended security properties of the system. The solution aligns with the principles outlined in CWE-327, which addresses weak cryptographic algorithms and improper implementation of cryptographic functions, and follows the ATT&CK framework's guidance on preventing cryptographic bypass techniques. This vulnerability demonstrates the critical importance of proper cryptographic protocol implementation, particularly when dealing with verifiable delay functions that rely on sequential computation for their security guarantees. The patch ensures that the system maintains its intended security properties and prevents the immediate decryption of bet tickets that would otherwise compromise the fairness and integrity of the betting mechanism.
This vulnerability highlights the complexity of implementing cryptographic security mechanisms in real-world applications and the importance of thorough testing and validation of cryptographic protocols. The issue represents a failure in the proper enforcement of sequential computation requirements that are fundamental to the security model of VDF-based systems, emphasizing the need for rigorous security reviews and proper implementation of cryptographic primitives in research-grade systems that handle financial transactions.
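The following added example (not code from entropy-derby or from commit 2d38d2f) uses a toy Wesolowski VDF to show why a ticket that carries vdfOutputHex removes the delay: the operator only needs the fast verification path instead of the T sequential squarings. The modulus, T, and the field names challenge and proofHex are assumptions made for the demo, and validate_ticket is one possible intake check, not the project's patch.

```python
import hashlib

# Constructed toy parameters; a real VDF uses a large group of unknown order.
N = 1000003 * 1000033   # toy modulus (insecure, demo only)
T = 20000               # number of sequential squarings = the intended delay

def evaluate(x, t=T, n=N):
    """Slow path: t squarings, each one depending on the previous result."""
    y, steps = x % n, 0
    for _ in range(t):
        y = y * y % n
        steps += 1
    return y, steps

def _challenge_prime(x, y, t):
    """Fiat-Shamir challenge: hash (x, y, t) to a small prime (toy size)."""
    h = int.from_bytes(hashlib.sha256(f"{x}|{y}|{t}".encode()).digest()[:3], "big")
    h |= (1 << 23) | 1                      # force 24 bits and oddness
    while any(h % d == 0 for d in range(3, int(h ** 0.5) + 1, 2)):
        h += 2
    return h

def prove(x, y, t=T, n=N):
    """Wesolowski proof: pi = x^floor(2^t / l) mod n."""
    l = _challenge_prime(x, y, t)
    return pow(x, (1 << t) // l, n)

def verify(x, y, pi, t=T, n=N):
    """Fast path: checks pi^l * x^r == y with r = 2^t mod l, no t-step chain."""
    l = _challenge_prime(x, y, t)
    r = pow(2, t, l)
    return pow(pi, l, n) * pow(x, r, n) % n == y % n

def operator_open(ticket):
    """Return (vdf_output, sequential_steps_spent) from the operator's side."""
    x = ticket["challenge"]                 # hypothetical field name
    if "vdfOutputHex" in ticket:            # ticket shape described in the advisory
        y = int(ticket["vdfOutputHex"], 16)
        if verify(x, y, int(ticket["proofHex"], 16)):  # proofHex: hypothetical field
            return y, 0                     # output accepted with zero squarings
    return evaluate(x)                      # delay is paid only on this path

def validate_ticket(ticket):
    """Assumed intake policy: refuse tickets that ship the VDF output or proof."""
    return not (ticket.keys() & {"vdfOutputHex", "proofHex"})
```

With a sealed ticket the operator's only route to the output is evaluate, so the step count equals T; with the leaky ticket it is zero.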