Constant MAX_PENDING_VERIFY 

pub const MAX_PENDING_VERIFY: usize = 131_072;

Global hard upper bound on the number of keys held in pending_verify.

Without a bound, a peer in the local routing table can flood NeighborSyncRequest messages (each capped only by MAX_REPLICATION_MESSAGE_SIZE ≈ 10 MiB, i.e. ~320k 32-byte hints per message) and grow this map without limit, exhausting node memory and driving a self-amplifying storm of outbound verification requests.

131_072 entries is far above any legitimate aggregate need while bounding worst-case memory to a few tens of MiB (each VerificationEntry is on the order of a few hundred bytes; its sub-collections are populated only from close-group-sized verification evidence, never from attacker hint volume).

This global cap alone is not sufficient: with blind capacity-reject a single malicious routing-table peer could fill the whole map with cheap admission-passing junk and starve every honest peer’s hints until the 30-minute evict_stale backstop fires (and re-fill immediately after). Honest-replication fairness is therefore enforced by MAX_PENDING_VERIFY_PER_PEER below; this global value is only the memory backstop.
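The starvation case described above, as an added example that is not the project's own code: the same constructed flood is run against a map with only the global cap (blind capacity-reject) and against one that also charges each entry to a per-peer quota. PendingVerify, Admit, PeerId, key_for and simulate are hypothetical names, and ASSUMED_PER_PEER_CAP is an assumed value, since this page does not give the real MAX_PENDING_VERIFY_PER_PEER.

```rust
use std::collections::HashMap;
pub const MAX_PENDING_VERIFY: usize = 131_072; // value from the page
// Assumed for illustration: the page does not state the real per-peer value.
pub const ASSUMED_PER_PEER_CAP: usize = 1_024;
type PeerId = u64; // hypothetical stand-in for the node's peer identifier
type Key = [u8; 32]; // 32-byte hint, as on the page

#[derive(Debug, PartialEq)]
pub enum Admit { Inserted, Duplicate, PeerQuotaFull, GlobalFull }

pub struct PendingVerify {
    per_peer_cap: usize,
    entries: HashMap<Key, PeerId>,   // key -> peer charged for the entry
    charged: HashMap<PeerId, usize>, // live entries per peer
}

impl PendingVerify {
    pub fn new(per_peer_cap: usize) -> Self { Self { per_peer_cap, entries: HashMap::new(), charged: HashMap::new() } }
    pub fn admit(&mut self, peer: PeerId, key: Key) -> Admit {
        if self.entries.contains_key(&key) { return Admit::Duplicate; }
        // Per-peer quota is checked first, so a flooder is refused on its own budget.
        let used = self.charged.get(&peer).copied().unwrap_or(0);
        if used >= self.per_peer_cap { return Admit::PeerQuotaFull; }
        if self.entries.len() >= MAX_PENDING_VERIFY { return Admit::GlobalFull; }
        self.entries.insert(key, peer);
        *self.charged.entry(peer).or_insert(0) += 1;
        Admit::Inserted
    }
}

// Constructed sample keys: distinct per (peer, counter) pair.
fn key_for(peer: PeerId, i: u64) -> Key {
    let mut k = [0u8; 32];
    k[..8].copy_from_slice(&peer.to_be_bytes());
    k[8..16].copy_from_slice(&i.to_be_bytes());
    k
}

/// Constructed scenario: peer 1 sends 320_000 hints, then peer 2 sends 100.
/// Returns (entries admitted for the flooder, entries admitted for the honest peer).
pub fn simulate(per_peer_cap: usize) -> (usize, usize) {
    let mut pv = PendingVerify::new(per_peer_cap);
    let flood = (0..320_000u64).filter(|&i| pv.admit(1, key_for(1, i)) == Admit::Inserted).count();
    let honest = (0..100u64).filter(|&i| pv.admit(2, key_for(2, i)) == Admit::Inserted).count();
    (flood, honest)
}

fn main() {
    println!("global cap only:   {:?}", simulate(usize::MAX));
    println!("with per-peer cap: {:?}", simulate(ASSUMED_PER_PEER_CAP));
}
```

Passing usize::MAX as the per-peer cap disables the quota and reproduces the blind capacity-reject behaviour.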