security: cap attester set size to prevent DoS and uint16 overflow

The attester set was unbounded, allowing an attacker to register thousands
of sybil identities. This caused:
- EndBlocker stalling via O(n) iteration in BuildValidatorIndexMap
- Silent uint16 index overflow when >65,535 attesters joined

This commit:
- Adds MaxAttesters=10,000 variable to cap the attester set size
- Enforces the cap in JoinAttesterSet, rejecting new joins at capacity
- Adds uint16 overflow guard in BuildValidatorIndexMap as defense-in-depth

Adds 2 table-driven tests for cap enforcement.

Author: alpe

modules/network/keeper/keeper.go

@@ -185,6 +185,11 @@ func (k Keeper) GetAllAttesters(ctx sdk.Context) ([]string, error) {
 	return attesters, nil
 }
 
+// MaxAttesters is the maximum number of attesters allowed in the set.
+// This prevents unbounded growth, EndBlocker stalling, and uint16 index overflow
+// in BuildValidatorIndexMap.
+var MaxAttesters = 10_000
+
 // BuildValidatorIndexMap rebuilds the validator index mapping
 func (k Keeper) BuildValidatorIndexMap(ctx sdk.Context) error {
 	// Get all attesters instead of bonded validators
@@ -193,6 +198,12 @@ func (k Keeper) BuildValidatorIndexMap(ctx sdk.Context) error {
 		return err
 	}
 
+	// Guard against uint16 overflow — should not happen if MaxAttesters is enforced
+	// at join time, but defense-in-depth
+	if len(attesters) > int(^uint16(0)) {
+		return fmt.Errorf("attester count %d exceeds uint16 max %d", len(attesters), ^uint16(0))
+	}
+
 	// Clear existing indices and powers
 	// The `nil` range clears all entries in the collection.
 	if err := k.ValidatorIndex.Clear(ctx, nil); err != nil {

modules/network/keeper/msg_server.go

@@ -157,6 +157,15 @@ func (k msgServer) JoinAttesterSet(goCtx context.Context, msg *types.MsgJoinAtte
 		return nil, sdkerr.Wrapf(sdkerrors.ErrInvalidRequest, "consensus address already in attester set")
 	}
 
+	// Enforce maximum attester set size to prevent unbounded growth and uint16 index overflow
+	attesters, err := k.GetAllAttesters(ctx)
+	if err != nil {
+		return nil, sdkerr.Wrap(err, "get all attesters")
+	}
+	if len(attesters) >= MaxAttesters {
+		return nil, sdkerr.Wrapf(sdkerrors.ErrInvalidRequest, "attester set is full: %d/%d", len(attesters), MaxAttesters)
+	}
+
 	// Store the attester information including pubkey (key by consensus address)
 	attesterInfo := &types.AttesterInfo{
 		Validator:    msg.ConsensusAddress, // Use consensus address as primary key

modules/network/keeper/msg_server_test.go

@@ -2,6 +2,7 @@ package keeper
 
 import (
 	"context"
+	"fmt"
 	"maps"
 	"slices"
 	"strings"
@@ -124,6 +125,67 @@ func TestJoinAttesterSet(t *testing.T) {
 	}
 }
 
+func TestJoinAttesterSetMaxCap(t *testing.T) {
+	// Use a small cap for testing. We temporarily reduce MaxAttesters
+	// to avoid creating 10,000 attesters in a test.
+	const testCap = 3
+
+	specs := map[string]struct {
+		existingCount int
+		expErr        error
+	}{
+		"under cap": {
+			existingCount: testCap - 1,
+		},
+		"at cap - rejected": {
+			existingCount: testCap,
+			expErr:        sdkerrors.ErrInvalidRequest,
+		},
+	}
+
+	for name, spec := range specs {
+		t.Run(name, func(t *testing.T) {
+			sk := NewMockStakingKeeper()
+			cdc := moduletestutil.MakeTestEncodingConfig().Codec
+			keys := storetypes.NewKVStoreKeys(types.StoreKey)
+			logger := log.NewTestLogger(t)
+			cms := integration.CreateMultiStore(keys, logger)
+			authority := authtypes.NewModuleAddress("gov")
+			keeper := NewKeeper(cdc, runtime.NewKVStoreService(keys[types.StoreKey]), sk, nil, nil, authority.String())
+			server := msgServer{Keeper: keeper}
+			ctx := sdk.NewContext(cms, cmtproto.Header{ChainID: "test-chain", Time: time.Now().UTC(), Height: 10}, false, logger).
+				WithContext(t.Context())
+
+			// Pre-populate the attester set
+			for i := range spec.existingCount {
+				addr := sdk.ValAddress(fmt.Sprintf("val%05d", i))
+				require.NoError(t, keeper.SetAttesterSetMember(ctx, addr.String()))
+			}
+
+			// Now try to join with a new attester
+			newAddr := sdk.ValAddress("new_attester")
+			msg := &types.MsgJoinAttesterSet{
+				Authority:        newAddr.String(),
+				ConsensusAddress: newAddr.String(),
+			}
+
+			// Temporarily override MaxAttesters for test
+			oldMax := MaxAttesters
+			defer func() { MaxAttesters = oldMax }()
+			MaxAttesters = testCap
+
+			rsp, err := server.JoinAttesterSet(ctx, msg)
+			if spec.expErr != nil {
+				require.ErrorIs(t, err, spec.expErr)
+				require.Nil(t, rsp)
+				return
+			}
+			require.NoError(t, err)
+			require.NotNil(t, rsp)
+		})
+	}
+}
+
 var _ types.StakingKeeper = &MockStakingKeeper{}
 
 type MockStakingKeeper struct {