Lower the likelihood of set-filling spam attack #45

@romanzac

Description

The testFrontrunning_SetFillingSpam demonstrates that it is currently possible to fill in all available registrations (2^20 for default deployment) and effectively prevent honest users from registering to RLN - using the Waku network. On testnets, free tokens make this feasible. On L2s the required capital is ~$1-10M at typical prices. Only well-funded attackers could attempt it, but deposits are still refundable, reducing long-term loss to gas fees only. When the Waku network grows substantially in size, it might be in the interest of well-funded actors to prevent its operation.

Impact

Low occurrence, high impact.

To reproduce

Please checkout 704f017
cd waku-rlnv2-contract
forge test --match-test testFrontrunning_SetFillingSpam -vvvv

Expected behavior

The RLN contract should ideally increase its guarantees along with the Waku network's growth. While initial incentives to spam the RLN contract are low, they can grow over time, especially when the Waku network delivers on strong censorship resistance.

Proposed Mitigations to Increase Attacker Cost

  • Add Slashing: Implement on-chain slashing for detected spam (e.g., via double-signaling proofs), risking deposit loss.
  • Commit-Reveal Scheme: Obscure idCommitment in the mempool, forcing attackers to guess (infeasible) or commit their own funds first, increasing risk for them.
  • Increase Deposits: Raise pricePerMessagePerEpoch in LinearPriceCalculator to make mass registration costly, though this impacts legitimate users.
  • Rate Limits: Cap registrations per address/block to limit spam scale.
  • Private Mempools: Encourage use of Flashbots or Linea’s private relays to hide txs, reducing front-running opportunities.

Screenshots/logs

testFrontrunning_SetFillingSpam.log
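
A sketch of the commit-reveal mitigation listed above, as an added example that is not code from the issue or from waku-rlnv2-contract. The contract name, the delay constants and the deposit handling are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch (added example): names, delays and deposit handling are assumptions,
// not taken from waku-rlnv2-contract.
contract CommitRevealRegistration {
    uint256 public constant MIN_DELAY = 2;   // blocks a commit must age before reveal
    uint256 public constant MAX_DELAY = 256; // blocks after which a commit expires

    struct Commit { uint64 blockNumber; uint256 deposit; }
    mapping(bytes32 => Commit) public commits;      // opaque hash => locked deposit
    mapping(uint256 => uint256) public depositOf;   // idCommitment => deposit once registered

    event Registered(uint256 indexed idCommitment, address indexed owner);

    // Phase 1: lock funds against keccak256(abi.encode(idCommitment, salt, sender)).
    // The mempool sees only the hash, never the idCommitment.
    function commit(bytes32 hash) external payable {
        require(msg.value > 0, "deposit required");
        require(commits[hash].blockNumber == 0, "hash already used");
        commits[hash] = Commit(uint64(block.number), msg.value);
    }

    // Phase 2: open the commitment. Binding msg.sender into the hash means a copied
    // reveal transaction sent from another address does not match any stored commit.
    function reveal(uint256 idCommitment, bytes32 salt) external {
        (bytes32 hash, Commit memory c) = _load(idCommitment, salt);
        require(block.number >= c.blockNumber + MIN_DELAY, "too early");
        require(block.number <= c.blockNumber + MAX_DELAY, "expired");
        require(depositOf[idCommitment] == 0, "already registered");
        delete commits[hash];
        depositOf[idCommitment] = c.deposit;
        emit Registered(idCommitment, msg.sender);
    }

    // Refund path for commits that expired or lost the race, so funds are never stuck.
    function reclaim(uint256 idCommitment, bytes32 salt) external {
        (bytes32 hash, Commit memory c) = _load(idCommitment, salt);
        require(block.number > c.blockNumber + MAX_DELAY, "not expired");
        delete commits[hash];
        (bool ok, ) = msg.sender.call{value: c.deposit}("");
        require(ok, "refund failed");
    }

    function _load(uint256 idCommitment, bytes32 salt) private view returns (bytes32 hash, Commit memory c) {
        hash = keccak256(abi.encode(idCommitment, salt, msg.sender));
        c = commits[hash];
        require(c.blockNumber != 0, "unknown commitment");
    }
}
```

Commit-reveal hides the idCommitment until funds are locked but does not cap how many registrations one party can make, so it complements the deposit and rate-limit items rather than replacing them.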
