It is called the "I Can't Believe it's not Stake" attack. It was introduced while merging the upstream headers-first feature into PoS forks. It fills a victim's node memory until resources are exhausted, and the node may crash due to an out-of-memory condition. The codebase is not affected by it.
- Vulnerability 2:
It is called the "Spent Stake" attack. It was discovered while investigating vulnerability 1 above. It works because block verification ensures that the coin exists, but not that it is unspent. After forking off the main chain, the coinstake transaction is still validated against the main chain TxDB. It allows an attacker to generate an arbitrary amount of apparent stake and inject it into a victim's node. The codebase is fixed with the commit above.
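
The difference between "the coin exists" and "the coin is unspent on the branch being extended" can be shown with a toy model. This is an added example, not the project's code or its fix commit; the types, function names and sample chain are hypothetical and constructed for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Constructed toy model: all types and names here are hypothetical.
using OutPoint = std::pair<std::string, int>;  // (txid, output index)
struct Block {
    std::vector<OutPoint> created;  // outputs created by this block
    std::vector<OutPoint> spent;    // outputs spent by this block
};

// Flawed check as described above: the staked coin only has to exist in the
// main-chain transaction index; whether it was spent is never consulted.
bool stakeExistsOnMain(const std::vector<Block>& mainChain, const OutPoint& stake) {
    for (const Block& b : mainChain)
        for (const OutPoint& o : b.created)
            if (o == stake) return true;
    return false;
}

// Hardened check: replay the branch the new block extends (main chain up to
// the fork height, then the fork's own blocks) and require an unspent coin.
bool stakeUnspentOnBranch(const std::vector<Block>& mainChain, std::size_t forkHeight,
                          const std::vector<Block>& forkBlocks, const OutPoint& stake) {
    std::set<OutPoint> utxo;
    auto apply = [&utxo](const Block& b) {
        for (const OutPoint& o : b.created) utxo.insert(o);
        for (const OutPoint& o : b.spent) utxo.erase(o);
    };
    for (std::size_t h = 0; h < forkHeight && h < mainChain.size(); ++h) apply(mainChain[h]);
    for (const Block& b : forkBlocks) apply(b);
    return utxo.count(stake) == 1;
}

// Constructed sample: coin A:0 is created in block 0 and spent in block 1.
std::vector<Block> sampleMainChain() {
    return {Block{{{"A", 0}, {"B", 0}}, {}},
            Block{{{"C", 0}}, {{"A", 0}}},
            Block{{{"D", 0}}, {}}};
}

int main() {
    auto mc = sampleMainChain();
    std::cout << stakeExistsOnMain(mc, {"A", 0}) << ' '
              << stakeUnspentOnBranch(mc, 3, {}, {"A", 0}) << '\n';  // prints "1 0"
}
```

The existence-only check accepts the already spent coin A:0, while the branch-aware check rejects it unless the fork branches off before the block that spent it.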