This patch limits the peer manager's orphan proof tracking since orphans are
not guaranteed to have valid UTXOs nor connected nodes.

Orphaned proof usefulness varies by scenario:

A) IBD - We want to collect proofs as we start to establish connections to
help us build quorum. It's important to keep in mind these proofs cannot be
trusted until their UTXOs are valid, so we rely on first-seen principle to
admit orphans into the pool up to the limit.

B) Reorg - We want to collect ALL proofs getting reorged so that we can
reconcile them regardless of orphan pool limit. If we do not do this, it's
trivial to force nodes to drop potentially-valid proofs during a reorg.

C) Proof received before UTXO - This is an uncommon occurrence with little
downside to dropping the proof, so we rely on best-effort (i.e. the pool not
being full).

This patch implements the orphan proof pool limit in such a way that memory is
reasonably bounded under all three scenarios regardless of the number/resourcing
of malicious actors, with that bound being stricter for orphans received from
the network.
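The admission policy described above, as an added illustrative model (not the project's own code): orphans received from the network are admitted first-seen up to a limit, while orphans produced by a reorg bypass that limit because they were valid before. The class, the `OrphanSource` tag and the proof IDs are constructed for this example.

```cpp
#include <cstddef>
#include <string>
#include <unordered_map>

// Where an orphan proof came from; the admission rule differs by source.
enum class OrphanSource { Network, Reorg };

struct OrphanProof {
    std::string id;        // constructed sample identifier, not a real proof id
    OrphanSource source;
};

class OrphanPool {
public:
    explicit OrphanPool(size_t maxNetworkOrphans)
        : m_maxNetworkOrphans(maxNetworkOrphans) {}

    // Returns true if the proof was admitted into the pool.
    bool Add(const OrphanProof& proof) {
        if (m_proofs.count(proof.id)) return false;   // already tracked
        if (proof.source == OrphanSource::Network) {
            // Scenarios A and C: first-seen, bounded by the network limit,
            // so any number of peers can only ever fill this many slots.
            if (m_networkCount >= m_maxNetworkOrphans) return false;
            ++m_networkCount;
        }
        // Scenario B: a reorged proof was valid before, so it is kept
        // regardless of the limit; its count is bounded by the proofs that
        // were actually valid on the old chain, which an attacker cannot
        // inflate without owning the corresponding UTXOs.
        m_proofs.emplace(proof.id, proof.source);
        return true;
    }

    // Drop a proof once its UTXOs are validated or it is discarded,
    // freeing a network slot if it occupied one.
    bool Remove(const std::string& id) {
        auto it = m_proofs.find(id);
        if (it == m_proofs.end()) return false;
        if (it->second == OrphanSource::Network) --m_networkCount;
        m_proofs.erase(it);
        return true;
    }

    size_t Size() const { return m_proofs.size(); }
    size_t NetworkCount() const { return m_networkCount; }

private:
    size_t m_maxNetworkOrphans;
    size_t m_networkCount = 0;
    std::unordered_map<std::string, OrphanSource> m_proofs;
};
```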