Kent Academic Repository

Revoke: Mitigating Ransomware Attacks Against Ethereum Validators

Bhudia, Alpesh, O’Keeffe, Daniel, Hurley-Smith, Darren (2024) Revoke: Mitigating Ransomware Attacks Against Ethereum Validators. In: Lecture Notes in Computer Science. Computer Security – ESORICS 2024: 29th European Symposium on Research in Computer Security. Proceedings Part IV. 14985. pp. 333-353. Springer ISBN 978-3-031-70902-9. (doi:10.1007/978-3-031-70903-6_17) (KAR id:112635)

Abstract

Recent research has shown the viability of ransomware attacks on Ethereum Proof-of-Stake (PoS) validators, whereby an attacker that compromises a validator can threaten to perform slashable actions unless a ransom is paid. Given the size of Ethereum validator stakes, validators could become an attractive target for future ransomware. However, there are currently no practical mechanisms to recover from ransomware since even validators that attempt to exit the network are retrospectively slashable during the withdrawal period. We propose Revoke, an extension of Ethereum that mitigates the impact of ransomware attacks on validators. Revoke introduces a new decentralised key revocation mechanism that enables validators to change their signing key without withdrawing their stake. A challenge for Revoke is balancing the utility of the revocation mechanism for individual validators against potential reductions in overall chain security. Revoke exposes a trade-off whereby validators cannot propose or attest to blocks during the revocation process, and hence incur inactivity penalties, but are not susceptible to much larger slashing penalties. Our design extends the Ethereum specification to capture the impact of Revoke’s core key-change mechanism on both the beacon-chain state transition function and fork-choice decisions. We also adapt the existing safety and liveness proofs of Ethereum to incorporate the effects of Revoke.

Item Type: Conference or workshop item (Proceeding)
DOI/Identification number: 10.1007/978-3-031-70903-6_17
Projects: Ethereum Proof of Stake - Security Analysis of COnsensus Mechanisms
Uncontrolled keywords: ransomware, protocol analysis, security
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming,
Institutional Unit: Schools > School of Computing
Former Institutional Unit:
There are no former institutional units.
Depositing User: Darren Hurley-Smith
Date Deposited: 16 Jan 2026 08:48 UTC
Last Modified: 21 Jan 2026 14:21 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/112635 (The current URI for this page, for reference purposes)

University of Kent Author Information

Hurley-Smith, Darren.

Creator's ORCID: https://orcid.org/0000-0002-9896-9308