StarkEx Validium ransom attack
**TLDR**—We highlight a known ransom attack whereby an attacker who compromises sufficiently many signing keys of a StarkEx Validium data availability committee can cryptoeconomically steal user funds. We illustrate the attack with the [first StarkEx Validium mainnet release for DeversiFi](https://medium.com/starkware/starks-over-mainnet-b83e63db04c0).
The attack proceeds in three steps:
1) **committee compromise**—The attacker compromises enough committee member private signing keys to pass the [committee signature verifier](https://starkware.co/starkex/docs/committee.sol.html). The attacker also acquires the StarkEx Validium state from one of the compromised committee members.
2) **state unavailability**—The attacker advances the StarkEx Validium state so that it is unavailable to everyone else. At this point the attacker has monopoly power to progress the state.
3) **ransom attack**—The attacker only processes user withdrawals that pay a 50% bribe.
We discuss feasibility of each of the above steps:
1) **committee compromise**—In the DeversiFi mainnet release an attacker must compromise three signing keys: the StarkWare key, the DeversiFi key, and 1 of 5 keys from the other committee members (ConsenSys, Infura, Nethermind, Iqlusion, Cephalopod). Notice that the signing keys are hot keys, which are notoriously hard to secure.
2) **state unavailability**—This step is easy. The attacker progresses the state with secret transactions (e.g. transactions from himself to himself), generates a corresponding state transition STARK (e.g. by renting prover hardware on AWS), and signs the state transition with the compromised committee signing keys.
3) **ransom attack**—This step is also easy. The attacker advertises that he will process signed user withdrawals only if such withdrawals assign 50% of the funds to the attacker. Withdrawals can be made to a smart contract which trustlessly splits funds 50/50 between the user and attacker. A rational user will prefer to pay the bribe rather than have all of their funds become unrecoverable.
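To make the step-1 risk analysis concrete, here is an added Python model of the committee quorum rule described above (the mandatory StarkWare and DeversiFi keys plus 1 of the other 5); it is written for this post, not taken from committee.sol, and the per-key compromise probabilities it takes as input are constructed assumptions.

```python
from itertools import combinations
from math import comb
from typing import Iterable, FrozenSet, List

# Committee layout as described in the post (DeversiFi mainnet release).
# This is a hypothetical model of the quorum rule, not the real committee.sol.
MANDATORY = frozenset({"StarkWare", "DeversiFi"})
OTHERS = frozenset({"ConsenSys", "Infura", "Nethermind", "Iqlusion", "Cephalopod"})
OTHERS_THRESHOLD = 1  # "1 of 5"


def committee_accepts(signers: Iterable[str]) -> bool:
    """Model of the verifier's quorum rule: every mandatory member plus at
    least OTHERS_THRESHOLD of the remaining members must have signed."""
    s = frozenset(signers)
    unknown = s - MANDATORY - OTHERS
    if unknown:
        raise ValueError(f"unknown signers: {sorted(unknown)}")
    return MANDATORY <= s and len(s & OTHERS) >= OTHERS_THRESHOLD


def minimal_compromise_sets() -> List[FrozenSet[str]]:
    """Smallest key sets whose compromise lets an attacker forge an accepted
    state transition (step 1 of the attack). Useful for deciding which keys
    need the strongest custody controls and monitoring."""
    members = sorted(MANDATORY | OTHERS)
    for k in range(1, len(members) + 1):
        hits = [frozenset(c) for c in combinations(members, k) if committee_accepts(c)]
        if hits:
            return hits
    return []


def compromise_probability(p_mandatory: float, p_other: float) -> float:
    """Probability that enough keys are compromised, assuming independent
    per-key compromise probabilities (constructed inputs for illustration).
    All mandatory keys must fall, and at least OTHERS_THRESHOLD of OTHERS."""
    n = len(OTHERS)
    p_fewer = sum(comb(n, i) * p_other**i * (1 - p_other) ** (n - i)
                  for i in range(OTHERS_THRESHOLD))
    return (p_mandatory ** len(MANDATORY)) * (1 - p_fewer)
```

Running `minimal_compromise_sets()` returns the five three-key sets the post describes, and `compromise_probability` shows that a 1-of-N clause among the remaining members makes forgery more likely as N grows (unlike a high k-of-N threshold), since any one of those hot keys suffices.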
Data availability in the initial StarkEx Validium design is handled offchain by a federation of members that use hot signing keys to sign off on every state transition. If sufficiently many of the hot signing keys are compromised an attacker can mount a ransom attack to cryptoeconomically steal funds from rational users.