CVE-2025-65951

Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted...

CVE-2025-65951

Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted...

EUVD-2025-199528

Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted...

CVE-2025-65951

CVE-2025-65951 affects Inside Track / Entropy Derby. Before commit 2d38d2f , the VDF-based timelock encryption did not enforce sequential delay against the betting operator, enabling bettors to pre-compute the Wesolowski VDF and include the output in encrypted bets. This allowed the house to decr...

CVE-2025-65951 Inside Track / Entropy Derby Timelock Encryption Bypassed via Pre-Computed VDF Output Leakage

Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted...

CVE-2025-65951 Inside Track / Entropy Derby Timelock Encryption Bypassed via Pre-Computed VDF Output Leakage

Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted...

PT-2025-47978

Name of the Vulnerable Software and Affected Versions Inside Track / Entropy Derby versions prior to commit 2d38d2f Description The VDF-based timelock encryption system in Inside Track / Entropy Derby fails to enforce sequential delay against the betting operator. This allows bettors to pre-compu...

Time delay for operations scheduled by the community multisig (CM) in timelock pose a risk to the protocol and it users

Lines of code Vulnerability details Impact Time sensitive operations done by the CM, like taking actions in case of an security exploit, are subject to the minDelay of the Timelock contract. Such operations are time sensitive and executing them several minutes later can result in significant loss...

CM can delegatecall to any address and bypass all restrictions

Lines of code Vulnerability details Impact The GuardCM contract is designed to restrict the Community Multisig CM actions within the protocol to only specific contracts and methods. This is achieved by implementing a checkTransaction method, which is invoked by the CM GnosisSafe before every...

Decisionmaking in the DAO is to slow which results in the DAO not been able to use the CANCELLER_ROLE properly

Lines of code Vulnerability details Impact The time that takes the DAO to vote on a proposal is to long for the DAO to be a proper address to cancel scheduled operations. That is why no scheduled operation will ever be cancelled and potentially malicious operations from security exploits will be...

CM can exploit a pause in GuardCM to gain permanent unrestricted access

Lines of code Vulnerability details Impact The GuardCM contract is designed to restrict the Community Multisig CM actions within the protocol to only specific contracts and methods. Under specific circumstances, the protocol allows the guard to be paused, which temporarily pauses the guard and...

decreaseVotingPower() can be front-ran by an attacker to claim an amount of assets from the TokenDistributor more than he should be able to claim or withdraw more assets than he should be able to claim through rageQuit()

Lines of code Vulnerability details Overview of the vulnerability / PoC The function decreaseVotingPower in PartyGovernanceNFT does not have a front-running protection against a user claiming his share of a distribution or a user ragequitting using a token which is going to get it's voting power...

MEV bot can frontrun user's repayment to liquidate user first when the OmniPool is unpaused

Lines of code Vulnerability details Impact MEV bot can frontrun user's repayment to liquidate user first when the OmniPool is unpaused Proof of Concept this report tries to combine a few issue 1. when OmniPool is paused, interest is still accuring 2. when OmniPool is paused, user cannot repay 3...

Permissive owner access allows misleading URI changes, impacting user trust.

Lines of code Vulnerability details Impact setUri function is only restricted to the contract owner, this could allow the owner to update the URI and make changes that users did not anticipate. The setUri function allows the owner to update the URI to anything they want. For example, they could...

guardian multisig should be timelock

Lines of code Vulnerability details Impact Per the rUSDYFactory.sol, The Natspec states the guardian address is a multsig address which will be passed in constructor during deployement of factory contract. @notice guardian address in constructor is a msig. and constructoraddress guardian guardian...

vulnerability due to the nonce rolling over and generating duplicate salts

Lines of code Vulnerability details Impact An attacker could take the transaction data from the original proposal and re-submit it to the L2 timelock with the same salt. This would get executed again since the salt matches, allowing the attacker to replay the state change. Proof of Concept The...

The upgrade executor is granted the canceller role instead of the new emergency security council.

Lines of code Vulnerability details Impact In L1SCMgmtActivationAction.sol, the perform function is not granting role to the new emergency security council. It instead grants it to the upgrade executor. This logic doesn't align with the function inline comment and can prevent the perform function...

The treasury address can be updated by the contract owner to point to a malicious address after deployment

Lines of code ttps://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/GeVault.solL58 Vulnerability details Impact Any fees or funds sent to the treasury could potentially be stolen or manipulated Proof of Concept The treasury address can be updated b...

Reentrancy vulnerability in Singularity.execute

Lines of code Vulnerability details Impact This vulnerability could allow an attacker to withdraw funds from the Singularity contract. This could result in a loss of funds for the user. Proof of Concept The Singularity.execute function has external calls inside a loop. This could potentially lead...

Reentrancy vulnerability in BigBang.execute

Lines of code Vulnerability details Impact This vulnerability could allow an attacker to withdraw funds from the BigBang contract. This could result in a loss of funds for the user. Proof of Concept The BigBang.execute function has external calls inside a loop. This could potentially lead to...