Cryptoeconomic theft of StarkEx funds
**TLDR**—We highlight a known blackmail attack whereby an attacker that compromises sufficiently many signing keys of a StarkEx data availability committee can cryptoeconomically steal user funds. We illustrate the attack with the [first StarkEx mainnet release for DeversiFi](https://medium.com/starkware/starks-over-mainnet-b83e63db04c0).
The attack proceeds in three steps:
1) **committee compromise**—The attacker compromises enough committee member private signing keys to pass the [committee signature verifier](https://starkware.co/starkex/docs/committee.sol.html). The attacker also acquires the StarkEx state from one of the compromised committee members.
2) **state unavailability**—The attacker advances the StarkEx state and withholds the new state data, so that it is unavailable to everyone else. Since a valid transition must start from the latest committed state, and only the attacker holds it, the attacker now has monopoly power to progress the state.
3) **user blackmail**—The attacker only processes user withdrawals that pay a 50% bribe.
We discuss feasibility of each of the above steps:
1) **committee compromise**—In the DeversiFi mainnet release an attacker must compromise three signing keys: the StarkWare key, the DeversiFi key, and 1 of 5 keys from the other committee members (ConsenSys, Infura, Nethermind, Iqlusion, Cephalopod). Notice that the signing keys are hot keys, which are notoriously hard to secure.
2) **state unavailability**—This step is easy. The attacker progresses the state with secret transactions (e.g. transactions from himself to himself), generates a corresponding state transition STARK (e.g. by renting prover hardware on AWS), and signs the state transition with the compromised committee signing keys.
3) **user blackmail**—This step is also easy. The attacker advertises that he will process signed user withdrawals only if such withdrawals assign 50% of the funds to the attacker. Withdrawals can be made to a smart contract which trustlessly splits funds 50/50 between the user and the attacker. A rational user will prefer to pay the bribe rather than have all of its funds unrecoverable.
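The three steps above, walked through as an added example in Python (this is not StarkWare or DeversiFi code and does not reproduce committee.sol). It models the acceptance rule of the DeversiFi committee verifier (both mandatory keys plus 1 of the 5 other members), a state that only the attacker holds after the hidden transition, and the 50/50 splitter logic. The member names are the ones listed above; the per-member secrets, balances, the JSON-hash state root and the HMAC "signatures" are constructed stand-ins (the real verifier checks ECDSA signatures against public keys; here the verifier holds the same HMAC secrets, which is only a modelling convenience).

```python
import hashlib
import hmac
import json

# Committee policy of the DeversiFi mainnet release as described in the text.
MANDATORY = ("StarkWare", "DeversiFi")
OTHERS = ("ConsenSys", "Infura", "Nethermind", "Iqlusion", "Cephalopod")
OTHERS_THRESHOLD = 1  # "1 of 5 keys from the other committee members"


def state_root(state: dict) -> str:
    """Commitment to the full StarkEx state (balances plus a batch counter).
    A SHA-256 of canonical JSON stands in for the real Merkle root (assumption)."""
    return hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()


def sign(secret: bytes, root: str) -> bytes:
    """HMAC stand-in for a committee member's signature over a state root.
    Whoever holds `secret` (the hot key) can produce this member's signature."""
    return hmac.new(secret, root.encode(), hashlib.sha256).digest()


def committee_accepts(keys: dict, root: str, signatures: dict) -> bool:
    """Acceptance rule modelled on the committee verifier: every mandatory member
    and at least OTHERS_THRESHOLD of the remaining members must have signed `root`."""
    valid = {m for m, sig in signatures.items()
             if m in keys and hmac.compare_digest(sig, sign(keys[m], root))}
    return (all(m in valid for m in MANDATORY)
            and len(valid.intersection(OTHERS)) >= OTHERS_THRESHOLD)


def advance(state: dict, transfers) -> dict:
    """Apply (sender, recipient, amount) transfers and bump the batch counter.
    This is the transition a STARK would attest to; the proof itself is out of scope."""
    new = {"batch": state["batch"] + 1, "balances": dict(state["balances"])}
    for sender, recipient, amount in transfers:
        if new["balances"].get(sender, 0) < amount:
            raise ValueError(f"insufficient balance for {sender}")
        new["balances"][sender] -= amount
        new["balances"][recipient] = new["balances"].get(recipient, 0) + amount
    return new


def split_withdrawal(amount: int, bribe_bps: int = 5000):
    """Splitter-contract logic: bribe_bps/10000 of the withdrawal goes to the
    attacker, the remainder (including rounding dust) to the user."""
    attacker_share = amount * bribe_bps // 10000
    return amount - attacker_share, attacker_share


def run_attack(compromised=("StarkWare", "DeversiFi", "Infura"), user_balance=1000):
    """Runs the three steps and reports what each party ends up with."""
    # Constructed hot-key secrets, one per committee member.
    keys = {m: hashlib.sha256(m.encode()).digest() for m in MANDATORY + OTHERS}
    # Genesis state is held by every committee member, so it is available.
    state = {"batch": 0, "balances": {"user": user_balance, "attacker": 5}}
    available_to = {state_root(state): set(MANDATORY + OTHERS)}

    # Step 1: committee compromise. The attacker holds the listed members' keys
    # and, with them, a copy of the current state.
    stolen = {m: keys[m] for m in compromised}

    # Step 2: state unavailability. A self-to-self transfer changes the root
    # (the batch counter moves); it is signed only with stolen keys and the
    # new state data is shared with nobody else.
    hidden = advance(state, [("attacker", "attacker", 5)])
    root = state_root(hidden)
    signatures = {m: sign(k, root) for m, k in stolen.items()}
    if not committee_accepts(keys, root, signatures):
        return {"accepted": False}
    available_to[root] = {"attacker"}

    # Step 3: user blackmail. The only withdrawal the attacker will include is
    # one routed through the splitter, which pays the attacker half.
    user_share, attacker_share = split_withdrawal(user_balance)
    final = advance(hidden, [("user", "splitter", user_balance)])
    return {
        "accepted": True,
        "honest_members_can_advance": bool(available_to[root] - {"attacker"}),
        "user_gets": user_share,
        "attacker_gets": attacker_share,
        "batch": final["batch"],
    }


if __name__ == "__main__":
    print(run_attack())
    print(run_attack(compromised=("StarkWare", "Infura", "Nethermind")))
```

Running `run_attack()` with the default key set shows the committee check passing, no honest member able to build the next transition, and a 500/500 split of a 1000-unit balance; the second call, which lacks the DeversiFi key, is rejected by the committee check before any state is withheld.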
Data availability in the initial StarkEx design is handled offchain by a federation of members that use hot signing keys to sign off on every state transition. If sufficiently many of the hot signing keys are compromised an attacker can steal user funds via an indirect cryptoeconomic blackmail attack.