pub const MAX_PENDING_VERIFY: usize = 131_072;
Global hard upper bound on the number of keys held in pending_verify.

Without a bound, a peer in the local routing table can flood
NeighborSyncRequest messages (each capped only by
MAX_REPLICATION_MESSAGE_SIZE ≈ 10 MiB, i.e. ~320k 32-byte hints per
message) and grow this map without limit, exhausting node memory and
driving a self-amplifying storm of outbound verification requests.

131_072 entries is far above any legitimate aggregate need while
bounding worst-case memory to a few tens of MiB (each VerificationEntry
is on the order of a few hundred bytes; its sub-collections are populated
only from close-group-sized verification evidence, never from attacker
hint volume).

This global cap alone is not sufficient: with blind capacity-reject a
single malicious routing-table peer could fill the whole map with cheap
admission-passing junk and starve every honest peer’s hints until the
30-minute evict_stale backstop fires (and re-fill immediately after).
Honest-replication fairness is therefore enforced by
MAX_PENDING_VERIFY_PER_PEER below; this global value is only the
memory backstop.
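
The two-level admission check described above, as an added sketch that is not the crate's own code. The per-peer value of 1_024 is an assumption (this page names MAX_PENDING_VERIFY_PER_PEER but does not give its value), and PendingVerify, Admit, PeerId, key_from and flood are hypothetical names.

```rust
use std::collections::HashMap;
pub const MAX_PENDING_VERIFY: usize = 131_072; // value from the page
// Assumed for illustration: the page names this constant but not its value.
pub const MAX_PENDING_VERIFY_PER_PEER: usize = 1_024;
pub type Key = [u8; 32];
pub type PeerId = u64; // hypothetical peer identifier

#[derive(Debug, PartialEq)]
pub enum Admit { Inserted, Duplicate, PeerQuotaFull, GlobalCapFull }
#[derive(Default)]
pub struct PendingVerify {
    entries: HashMap<Key, PeerId>,    // key -> peer charged for the entry
    per_peer: HashMap<PeerId, usize>, // peer -> entries currently charged
}

impl PendingVerify {
    pub fn admit(&mut self, peer: PeerId, key: Key) -> Admit {
        if self.entries.contains_key(&key) { return Admit::Duplicate; }
        // Per-peer quota first: a flooding peer is rejected on its own budget.
        let used = self.per_peer.get(&peer).copied().unwrap_or(0);
        if used >= MAX_PENDING_VERIFY_PER_PEER { return Admit::PeerQuotaFull; }
        // Global cap second: the memory backstop across all peers.
        if self.entries.len() >= MAX_PENDING_VERIFY { return Admit::GlobalCapFull; }
        self.entries.insert(key, peer);
        *self.per_peer.entry(peer).or_insert(0) += 1;
        Admit::Inserted
    }
    pub fn remove(&mut self, key: &Key) { // refund the charged peer's quota
        let Some(peer) = self.entries.remove(key) else { return };
        if let Some(n) = self.per_peer.get_mut(&peer) { *n -= 1; }
    }
}

// Constructed sample keys: a distinct 32-byte value per (peer, index).
pub fn key_from(peer: PeerId, i: u64) -> Key {
    let mut k = [0u8; 32];
    k[..8].copy_from_slice(&peer.to_be_bytes());
    k[8..16].copy_from_slice(&i.to_be_bytes());
    k
}

// Offer `hints` keys from one peer; return how many were admitted.
pub fn flood(map: &mut PendingVerify, peer: PeerId, hints: u64) -> usize {
    (0..hints).filter(|&i| map.admit(peer, key_from(peer, i)) == Admit::Inserted).count()
}
fn main() {
    let mut map = PendingVerify::default();
    println!("flooder admitted: {}", flood(&mut map, 1, 320_000));
    println!("honest peer: {:?}", map.admit(2, key_from(2, 0)));
}
```

With the per-peer check in place, a single peer sending a full message worth of hints occupies only its own quota, and the global cap is reached only when many peers are each at quota.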