File: crates/state/src/dag.rs:354-373
Severity: security
Obvious? no
topological_sort only counts dep edges to events that exist in the DAG ("soft-accept: deps to absent events are ignored"). Combined with insert_accepts_unknown_deps semantics, an attacker with SendMessages can author a Message whose deps reference a non-existent revocation event, and the message is still applied because the missing dep is silently ignored. The receiving peer cannot tell whether the missing dep was withheld (relay censorship) or simply not yet seen. Affects "trust list assumptions during invite-join": a malicious sync provider can drop authority-mutating events while forwarding their successors, and recipients have no structural detector for this gap.
Fix: when an event names unknown deps, defer apply (treat the same as missing prev) until the deps are resolved or a configurable timeout.
Filed by /general-audit @ 6404719 (2026-05-03). master: #567.
File:
crates/state/src/dag.rs:354-373Severity: security
Obvious? no
topological_sortonly counts dep edges to events that exist in the DAG ("soft-accept: deps to absent events are ignored"). Combined withinsert_accepts_unknown_depssemantics, an attacker withSendMessagescan author a Message whosedepsreference a non-existent revocation event, and the message is still applied because the missing dep is silently ignored. The receiving peer cannot tell whether the missing dep was withheld (relay censorship) or simply not yet seen. Affects "trust list assumptions during invite-join": a malicious sync provider can drop authority-mutating events while forwarding their successors, and recipients have no structural detector for this gap.Fix: when an event names unknown deps, defer apply (treat the same as missing
prev) until the deps are resolved or a configurable timeout.Filed by
/general-audit@6404719(2026-05-03). master: #567.