fix(network): cap attester set size to prevent DoS and uint16 overflow (#361)

* security: cap attester set size to prevent DoS and uint16 overflow

The attester set was unbounded, allowing an attacker to register thousands
of sybil identities. This caused:
- EndBlocker stalling via O(n) iteration in BuildValidatorIndexMap
- Silent uint16 index overflow when >65,535 attesters joined

This commit:
- Adds MaxAttesters=10,000 variable to cap the attester set size
- Enforces the cap in JoinAttesterSet, rejecting new joins at capacity
- Adds uint16 overflow guard in BuildValidatorIndexMap as defense-in-depth

Adds 2 table-driven tests for cap enforcement.

* fix: make MaxAttesters a const, refactor test to not override

- Changed MaxAttesters from var to const per review: protocol limits
  should be immutable
- Refactored TestJoinAttesterSetMaxCap to verify the constant value
  fits in uint16 and test the happy path without overriding the const

Author: alpe

modules/network/keeper/keeper.go

@@ -185,6 +185,11 @@ func (k Keeper) GetAllAttesters(ctx sdk.Context) ([]string, error) {
 	return attesters, nil
 }
 
+// MaxAttesters is the maximum number of attesters allowed in the set.
+// This prevents unbounded growth, EndBlocker stalling, and uint16 index overflow
+// in BuildValidatorIndexMap.
+const MaxAttesters = 10_000
+
 // BuildValidatorIndexMap rebuilds the validator index mapping
 func (k Keeper) BuildValidatorIndexMap(ctx sdk.Context) error {
 	// Get all attesters instead of bonded validators
@@ -193,6 +198,12 @@ func (k Keeper) BuildValidatorIndexMap(ctx sdk.Context) error {
 		return err
 	}
 
+	// Guard against uint16 overflow — should not happen if MaxAttesters is enforced
+	// at join time, but defense-in-depth
+	if len(attesters) > int(^uint16(0)) {
+		return fmt.Errorf("attester count %d exceeds uint16 max %d", len(attesters), ^uint16(0))
+	}
+
 	// Clear existing indices and powers
 	// The `nil` range clears all entries in the collection.
 	if err := k.ValidatorIndex.Clear(ctx, nil); err != nil {

modules/network/keeper/msg_server.go

@@ -157,6 +157,15 @@ func (k msgServer) JoinAttesterSet(goCtx context.Context, msg *types.MsgJoinAtte
 		return nil, sdkerr.Wrapf(sdkerrors.ErrInvalidRequest, "consensus address already in attester set")
 	}
 
+	// Enforce maximum attester set size to prevent unbounded growth and uint16 index overflow
+	attesters, err := k.GetAllAttesters(ctx)
+	if err != nil {
+		return nil, sdkerr.Wrap(err, "get all attesters")
+	}
+	if len(attesters) >= MaxAttesters {
+		return nil, sdkerr.Wrapf(sdkerrors.ErrInvalidRequest, "attester set is full: %d/%d", len(attesters), MaxAttesters)
+	}
+
 	// Store the attester information including pubkey (key by consensus address)
 	attesterInfo := &types.AttesterInfo{
 		Validator:    msg.ConsensusAddress, // Use consensus address as primary key

modules/network/keeper/msg_server_test.go

@@ -124,6 +124,41 @@ func TestJoinAttesterSet(t *testing.T) {
 	}
 }
 
+func TestJoinAttesterSetMaxCap(t *testing.T) {
+	// Verify the constant is set to a sane value that is within uint16 range
+	require.LessOrEqual(t, MaxAttesters, int(^uint16(0)),
+		"MaxAttesters must fit in uint16 to avoid index overflow in BuildValidatorIndexMap")
+
+	t.Run("join succeeds under cap", func(t *testing.T) {
+		sk := NewMockStakingKeeper()
+		cdc := moduletestutil.MakeTestEncodingConfig().Codec
+		keys := storetypes.NewKVStoreKeys(types.StoreKey)
+		logger := log.NewTestLogger(t)
+		cms := integration.CreateMultiStore(keys, logger)
+		authority := authtypes.NewModuleAddress("gov")
+		keeper := NewKeeper(cdc, runtime.NewKVStoreService(keys[types.StoreKey]), sk, nil, nil, authority.String())
+		server := msgServer{Keeper: keeper}
+		ctx := sdk.NewContext(cms, cmtproto.Header{ChainID: "test-chain", Time: time.Now().UTC(), Height: 10}, false, logger).
+			WithContext(t.Context())
+
+		// With an empty set, join should succeed
+		newAddr := sdk.ValAddress("new_attester")
+		msg := &types.MsgJoinAttesterSet{
+			Authority:        newAddr.String(),
+			ConsensusAddress: newAddr.String(),
+		}
+
+		rsp, err := server.JoinAttesterSet(ctx, msg)
+		require.NoError(t, err)
+		require.NotNil(t, rsp)
+
+		// Verify the attester was added
+		exists, err := keeper.AttesterSet.Has(ctx, newAddr.String())
+		require.NoError(t, err)
+		assert.True(t, exists)
+	})
+}
+
 var _ types.StakingKeeper = &MockStakingKeeper{}
 
 type MockStakingKeeper struct {