Market.PublishStorageDeals griefing vector

[wadealexc]

PublishStorageDeals relies on validation for all deals passing, or the entire call fails. A deal client may force validation for any of their signed deals to fail on publication by withdrawing market funds that are escrowed (but not locked). The attack is as follows:

1. Client adds balance to the market actor (Market.AddBalance)
2. Client negotiates/signs a storage deal with some miner
3. Miner creates a transaction to Market.PublishStorageDeals
4. Client frontruns this transaction with a call to Market.WithdrawBalance, withdrawing their escrowed funds
5. Market.PublishStorageDeals fails because the client no longer has balance to lock up

The same may be accomplished if a client signs multiple copies of the same storage deal and distributes them to multiple miners, but only supplies enough balance to the market to support one deal. In this case, no frontrunning is needed; the first miner to publish the client's deal will "win," and the rest will fail.

[anorth]

FYI @zixuanzh. We were generally aware of the possibility of this kind of behaviour. It's something to address in market protocol design improvements.

[zixuanzh]

Right, there was an expectation that WithdrawBalance will have a delay for X epoch after it is called as mentioned in the spec but we can revisit this and evaluate other proposals later.