SigOps limit.
(too old to reply)
Russell O'Connor via bitcoin-dev
2017-09-13 13:24:14 UTC
On Tue, Sep 12, 2017 at 3:57 PM, Mark Friedenbach via bitcoin-dev <
4MB of secp256k1 signatures takes 10s to validate on my 5 year old
laptop (125,000 signatures, ignoring public keys and other things that
would consume space). That's much less than bad blocks that can be
constructed using other vulnerabilities.
If there were no sigops limits, I believe the worst case block could have
closer to 1,000,000 CHECKSIG operations. Signature checks are cached so
while repeating the sequence "2DUP CHECKSIGVERIFY" does create a lot of
checksig operations, the cached values prevent a lot of work being done.

To defeat the cache one can repeat the sequence "2DUP CHECKSIG DROP
CODESEPARATOR", which will create unique signature validation requests
every 4 bytes.