A malicious user can censor other users in the subnet

[dnkolegov]

To censor the target message or the user, an attacker can send a message making the total value of the checkpoint messages more than the subnet's circulation supply.
Suppose an attacker user intentionally sends a message with a big value close to the circulation supply. In that case, the attacker can block all other users that have sent messages in the same bottom-up message:
https://github.com/LimeChain/filecoin-ipc-actors-fevm/blob/d247b20a4dd6ff41c6b9efad142cc05ffc2f8853/src/Gateway.sol#L319-L331

Suppose, in the subnet, circSupply = 100. The subnet users can send messages with totalValue <=100 .
An attacker can censor a message even if he does not have a large number of tokens. For example, if the messages' total value is 99, the attacker needs to send a message with a value equal to 2.

[dnkolegov]

Cross-issue - consensus-shipyard/ipc-actors#121

[arrusev]

@adlrocha correct me if I'm wrong but I believe that the IPC agents won't allow a cross message which exceeds the subnet's circulation supply to be included in the checkpoint and it will be rejected at the off-chain level, right?

[adlrocha]

The agent can potentially include this message in the message (as we don't have a explicit and a pre-execution of the message), but including messages over the circulating supply means that the subnet is attacked and the behavior should be to reject the checkpoint, so in that sense the logic is correct.

I think that what @dnkolegov is surfacing here, is that one could perform a DoS attack in a subnet by sending an invalid cross-message in a checkpoint that fails to execute (that is the deeper root cause, and it is a design issue more than an implementation one, this is a problem we also have in the rust implementation). It is not a unique thing that occurs when something sketchy happened with the circulating supply.