pub(crate) const MAX_INBOUND_CONCURRENCY: usize = 10;
The maximum number of concurrent inbound download and verify tasks.
We expect the mempool crawler to download and verify most mempool transactions, so this bound can be small.
We use a small concurrency limit, to prevent memory denial-of-service attacks.
The maximum transaction size is 2 million bytes. A deserialized malicious transaction with ~225_000 transparent outputs can take up 9MB of RAM. (See #1880 for more details.)
Malicious transactions will eventually timeout or fail validation. Once validation fails, the transaction is dropped, and its memory is deallocated.
Since Zebra keeps an
inv index, inbound downloads for malicious transactions
will be directed to the malicious node that originally gossiped the hash.
Therefore, this attack can be carried out by a single malicious node.