prevent dos'ing network with equivocating data

[countvonzero]

Description

currently data object reference other data for various reasons.

• each atxs reference other atx for its

  • commitment atx. this is baked in post data (only 1 per atx chain)
  • positioning atx (1 per new atx). this is included in the poet proof, and is used to calculate it's base tick height.

• each ballot reference other ballot for its

  • reference ballot (miner's first ballot in the epoch) if it itself is not a reference ballot. reference ballots contain the beacon and the active set
  • base ballot for efficient encoding of votes

when equivocation is detected, we should stop accepting atxs / ballots from such malicious identity, unless these objects are already referenced by other objects from honest identities.

Actual Behavior

• malicious atx/ballots are always saved
• malfeasance proof is saved and gossiped only when the first equivocating atx/ballot is received
• any malicious gossip atx/ballots after the malfeasance proof is generated/gossiped are re-gossiped. i.e. all equivocating atxs/ballots after the 1st one are saved/regossiped

Expected Behavior

• equivocating atxs/ballots should not be saved

• equivocating atxs/ballots should not be gossiped

• malfeasance proof is saved and gossiped only when the first equivocating atx/ballot is received

• equivocating atxs/ballots should only be saved on the sync path, where atxs/ballots are fetched according to existing dependencies from honest atxs/ballot.

• less importantly, given the same tick height, prefer own atx as positioning atx.

[dshulyak]

on gossip path drop any atxs from malicious identities, including second one (when proof is generated). on sync path request dependencies only if original object passed validation (eligibility for ballot, nipost for atx) and identity didn't equivocate. this can be accomplished by reordering validation