Oh, and it's even worse. As a miner, I see a 50 BTC pot, so I create but do not broadcast a 5000 BTC bet. I try mining block xxx000 including my secret bet transaction. If I manage it, I check whether it wins (it probably does) and broadcast the block if it does. If it doesn't win, I don't broadcast the block, so I lose the 25 BTC block reward, but I never lose my 5000 BTC bet. So in the event that I am able to mine that block, I have a 99% chance of winning 75 BTC and a 1% chance of losing 25 BTC. That's very +EV since I've eliminated the possibility of losing anything but the block reward.
Excellent observation, and something I missed. I believe an powerful fix for this would be that transactions in "draw block" are not part of the draw. So in concrete terms, the draw still is decided by block 1233000 however any transactions in block 1233000 are part of draw 2, not draw 1.
A (very large) miner could still use a variant of the attack to privately withhold a xxx999 block with the 5000 BTC transaction, and then attempt to privately mine the xxx000 block but now it's getting much, much harder (with a larger penalty for failure).
I'll do some benchmarking on a high-end computer, and try figure out some parameters to slow down verification to prevent any
