CVE-2025-65951
📋 TL;DR
This vulnerability in the Entropy Derby betting engine allows the time-delay encryption on bets to be bypassed by pre-computing VDF outputs. A VDF time lock enforces its delay only if the VDF input cannot be known before the lock takes effect; when the output can be computed ahead of time, whoever holds it can decrypt bets immediately instead of after the intended sequential delay. Both bettors and the betting operator are in a position to exploit this. This affects any system running vulnerable versions of Entropy Derby.
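The mechanism in the TL;DR, a time lock whose VDF output can be computed before the lock takes effect, is easiest to see in a toy model. The Python below is an added example, not Entropy Derby's code, and it does not claim to reproduce the engine's design or what commit 2d38d2f changes: the modulus, step count, key derivation and the choice of binding the challenge to the closed set of commitments are all assumptions for illustration. It counts how many sequential squarings a decryptor still has to perform after betting closes under a pre-computable challenge versus one that only becomes known at close.

```python
import hashlib

# Toy parameters. A real VDF needs a group of unknown order (RSA or class
# group); with this Mersenne prime the squaring could be short-cut, but the
# example only needs "T sequential steps" to be countable, not hard.
N = (1 << 89) - 1
T = 50_000  # sequential squarings the time lock is meant to cost


def to_element(*parts: bytes) -> int:
    """Hash byte strings into a group element in [2, N)."""
    digest = hashlib.sha256(b"\x00".join(parts)).digest()
    return 2 + int.from_bytes(digest, "big") % (N - 2)


def vdf_eval(x: int, steps: int = T) -> int:
    """Iterated squaring x^(2^steps) mod N: inherently sequential work."""
    y = x
    for _ in range(steps):
        y = pow(y, 2, N)
    return y


def lock_key(y: int) -> bytes:
    """Round decryption key: a hash of the VDF output (assumed design)."""
    return hashlib.sha256(y.to_bytes(12, "big")).digest()


def simulate_round(round_id: bytes, commitments: list[bytes], bind_to_close: bool) -> dict:
    """Model one betting round and count the sequential steps a decryptor
    must still perform AFTER betting closes.

    bind_to_close=False: challenge = H(round_id). The round id is public before
        betting opens, so the whole VDF can be evaluated in advance.
    bind_to_close=True:  challenge = H(round_id, H(all commitments)). The second
        input is fixed only when betting closes, so no step can start earlier.
    """
    precomputed: dict[int, int] = {}

    # Phase 1, before betting opens: the attacker evaluates anything whose
    # input is already known. Only the unbound design gives it something to do.
    if not bind_to_close:
        x_early = to_element(round_id)
        precomputed[x_early] = vdf_eval(x_early)

    # Phase 2, betting closes: the set of commitments is final.
    close_digest = hashlib.sha256(b"".join(commitments)).digest()
    x = to_element(round_id, close_digest) if bind_to_close else to_element(round_id)

    # Phase 3, after close: a table hit means zero sequential work remains.
    if x in precomputed:
        y, steps_after_close = precomputed[x], 0
    else:
        y, steps_after_close = vdf_eval(x), T

    return {"key": lock_key(y), "steps_after_close": steps_after_close}


if __name__ == "__main__":
    # Constructed inputs for the demo.
    bets = [b"bettor-A:horse-3:100", b"bettor-B:horse-1:250"]
    for bound in (False, True):
        r = simulate_round(b"race-42", bets, bind_to_close=bound)
        print(f"bind_to_close={bound}: {r['steps_after_close']} sequential steps after close")
```

Under the pre-computable challenge the count is 0: the key is ready the instant betting closes, which is the "decrypt immediately" outcome the page describes, and it is the genuine key, so nothing about the decryption looks wrong. Binding the challenge to data that only exists at close is one common way to make the delay real; whether that is what the fix does is not stated on this page. Real deployments also pair the evaluation with a VDF proof so the output can be verified far faster than it was computed.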
💻 Affected Systems
- Entropy Derby (Inside Track betting engine)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Betting operators could decrypt all bets immediately, enabling front-running, manipulation of betting outcomes, and complete compromise of the fair betting system.
Likely Case
A bettor who holds a pre-computed VDF output can read bets that are already committed and place their own with that knowledge instead of blind; an operator with the same output can see every bet before the round settles and steer results for financial gain.
If Mitigated
With proper patching, the VDF system enforces the intended time delay, maintaining fair betting and preventing immediate decryption.
🎯 Exploit Status
Exploitation requires understanding of VDF systems and access to place bets. The advisory provides technical details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 2d38d2f or later
Vendor Advisory: https://github.com/mescuwa/entropy-derby/security/advisories/GHSA-pm54-f847-w4mh
Restart Required: Yes
Instructions:
1. Pull the latest code from the repository.
2. Apply commit 2d38d2f (already included if you pulled the latest code).
3. Rebuild and redeploy the betting engine.
4. Restart all betting services.
🔧 Temporary Workarounds
Disable VDF timelock feature
Temporarily disable the vulnerable VDF-based encryption system until patching is complete. Note that this removes the delay rather than restoring it: bets submitted while the time lock is off carry no sequential-delay protection at all, so use it only alongside suspending betting or with that exposure accepted.
# Configuration setting depends on implementation
# Set use_vdf_timelock = false in config
🧯 If You Can't Patch
- Disable betting functionality entirely until patched.
- Implement additional audit logging for all bet decryption events.
🔍 How to Verify
Check if Vulnerable:
Check if your Entropy Derby version includes commit 2d38d2f. If not, you are vulnerable.
Check Version:
git merge-base --is-ancestor 2d38d2f HEAD && echo "patched" || echo "vulnerable (or commit not fetched)"
Verify Fix Applied:
Verify that commit 2d38d2f is present in the history of the build you actually deploy (not just in a local branch) and that bets committed in a test round cannot be decrypted until the configured sequential delay has elapsed after betting closes.
📡 Detection & Monitoring
Log Indicators:
- Multiple bets decrypted in rapid succession
- VDF proof verification or bet decryption completing sooner after betting closes than the configured number of sequential steps could have been evaluated
Network Indicators:
- Unusual timing patterns in bet submission and processing
SIEM Query (pseudo-syntax; adapt the field names to your log schema):
search 'bet decryption' AND 'time < expected_delay'
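The two log indicators and the SIEM pseudo-query above can be made concrete with a small script. The Python below is an added example, not part of the page or of Entropy Derby; its log format, field names (round, event, bet_id, expected_delay_s) and the sample lines are constructed assumptions, so map them onto whatever your deployment actually logs. It flags any bet decrypted less than expected_delay_s after the round's betting_closed event, and a burst of such early decryptions within one round.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real Entropy Derby output. The field names are
# assumptions for the example. Round 7 is decrypted seconds after close;
# round 8 is decrypted after its full 600 s delay.
SAMPLE_LOG = """\
2025-11-20T14:00:00Z round=7 event=bet_committed bet_id=b1
2025-11-20T14:01:10Z round=7 event=bet_committed bet_id=b2
2025-11-20T14:02:45Z round=7 event=bet_committed bet_id=b3
2025-11-20T14:05:00Z round=7 event=betting_closed expected_delay_s=600
2025-11-20T14:05:01Z round=7 event=bet_decrypted bet_id=b1
2025-11-20T14:05:01Z round=7 event=bet_decrypted bet_id=b2
2025-11-20T14:05:02Z round=7 event=bet_decrypted bet_id=b3
2025-11-20T15:00:00Z round=8 event=betting_closed expected_delay_s=600
2025-11-20T15:10:31Z round=8 event=bet_decrypted bet_id=c1
2025-11-20T15:10:31Z round=8 event=bet_decrypted bet_id=c2
"""


def parse_line(line: str) -> tuple[datetime, dict[str, str]]:
    """Parse '<iso timestamp> k=v k=v ...' into (timestamp, fields)."""
    ts_text, _, rest = line.partition(" ")
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return ts, dict(kv.split("=", 1) for kv in rest.split())


def find_indicators(log_text: str, burst_window_s: int = 5, burst_count: int = 3) -> list[dict]:
    """Return findings for the log indicators listed on the page.

    early_decrypt: a bet_decrypted event less than expected_delay_s after the
        round's betting_closed event; the VDF cannot have been evaluated in time.
    early_burst: burst_count or more early decryptions within burst_window_s in
        one round. Decrypting a whole round at once is normal once the delay has
        elapsed, so a burst only counts when its members are also early.
    """
    closed_at: dict[str, tuple[datetime, timedelta]] = {}
    decrypts: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    findings: list[dict] = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_line(line)
        rnd = fields.get("round", "?")
        event = fields.get("event")
        if event == "betting_closed":
            closed_at[rnd] = (ts, timedelta(seconds=int(fields["expected_delay_s"])))
        elif event == "bet_decrypted":
            decrypts[rnd].append((ts, fields.get("bet_id", "?")))

    window = timedelta(seconds=burst_window_s)
    for rnd, events in decrypts.items():
        if rnd not in closed_at:
            # Decryption logged for a round whose close was never logged: worth a look.
            findings.append({"rule": "no_close_event", "round": rnd})
            continue
        closed, delay = closed_at[rnd]
        early_times: list[datetime] = []
        for ts, bet_id in sorted(events):
            elapsed = ts - closed
            if elapsed < delay:
                findings.append({"rule": "early_decrypt", "round": rnd, "bet_id": bet_id,
                                 "elapsed_s": elapsed.total_seconds(),
                                 "expected_s": delay.total_seconds()})
                early_times.append(ts)
        # early_times is sorted because events were; look for burst_count within the window.
        for i in range(len(early_times) - burst_count + 1):
            if early_times[i + burst_count - 1] - early_times[i] <= window:
                findings.append({"rule": "early_burst", "round": rnd,
                                 "count": len(early_times), "window_s": burst_window_s})
                break
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(finding)
```

The most reliable signal is elapsed time from close, so make sure the close event (or its equivalent) is logged with a timestamp you trust; "rapid succession" on its own is expected behaviour, because every bet in a round opens with the same VDF output once it exists.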