Cybersecurity Vulnerabilities

CVE-2025-65951: Entropy Derby VDF Timelock Bypass Allows Instant Bet Decryption

November 25, 2025 - By 

Overview

CVE-2025-65951 is a high-severity vulnerability affecting Inside Track / Entropy Derby, a research-grade horse-racing betting engine. This vulnerability allows the betting operator to bypass the intended delay enforced by the VDF (Verifiable Delay Function) timelock encryption system. By exploiting this flaw, the house can decrypt bet tickets immediately instead of performing the computationally expensive VDF evaluation, potentially leading to unfair advantages and manipulation of the betting process. The vulnerability has been addressed in commit 2d38d2f.

Technical Details

The vulnerability stems from the fact that bettors were able to pre-compute the entire Wesolowski VDF and include the vdfOutputHex value in their encrypted bet ticket. Instead of requiring the betting operator to execute the full VDF calculation to decrypt the bet, the presence of vdfOutputHex allows them to perform fast proof verification. This completely negates the purpose of the timelock, which is designed to introduce a delay and prevent early decryption.

Specifically, the vulnerable code failed to properly validate that the operator was actually performing the VDF calculation. By providing the pre-computed result, the operator could bypass the intended security mechanism.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-65951 a score of 8.7, indicating a HIGH severity. The vector string is not explicitly provided in the given information, but based on the impact (circumvention of a security feature leading to potential manipulation), a likely vector would include exploitation requiring no user interaction and affecting confidentiality and integrity.

Possible Impact

The exploitation of CVE-2025-65951 can have significant consequences:

  • Unfair Betting Advantage: The betting operator can gain an unfair advantage by knowing the bet information before the intended delay period.
  • Betting Manipulation: The operator could potentially manipulate the outcome of races or adjust odds based on the decrypted bet information.
  • Loss of Trust: This vulnerability erodes trust in the fairness and integrity of the Entropy Derby betting system.

Mitigation and Patch Steps

The vulnerability has been patched in commit 2d38d2f. Users of Entropy Derby are strongly advised to update their systems to include this patch. The specific mitigation likely involves preventing the submission of pre-computed VDF outputs and ensuring the operator performs the VDF calculation as intended.

To mitigate the issue, apply the patch from the commit 2d38d2f or update to a version of Entropy Derby that includes this fix. Verify the patch implementation by reviewing the code changes and confirming that it properly enforces the VDF delay.

References

GitHub Commit 2d38d2f
GitHub Security Advisory: GHSA-pm54-f847-w4mh

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.

Related Posts

CVE-2025-61932 Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

CVE-2025-61932: Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

October 23, 2025

Leave a Reply

Your email address will not be published. Required fields are marked *