pub const MAX_INBOUND_CONCURRENCY: usize = 20;
Expand description

The maximum block size is 2 million bytes. A deserialized malicious block with ~225_000 transparent outputs can take up 9MB of RAM. So the maximum inbound queue usage is MAX_INBOUND_CONCURRENCY * 9 MB. (See #1880 for more details.)
Since Zebra keeps an inv index, inbound downloads for malicious blocks will be directed to the malicious node that originally gossiped the hash. Therefore, this attack can be carried out by a single malicious node.