EMQ is a protocol for a more reliable delivery of external messages. It is currently in the final stages of development. It is being developed to solve a number of problems:
In the current implementation, external messages are broadcast across the network, and to make sure a message was not lost/invalid/blocked due to overload, you need to track all the new blocks of the same thread and wait for a timeout to pass.
In EMQ all messages are delivered through full nodes. A full node checks that a message is valid at the current moment and sends it out to the validators of the required thread by calculating their adnl addresses. Threads report to the full node that they have received the messages, and the full node, in its turn, reports the status to the user. Also, all the validators of the thread report to the full node, and the latter — to the user about all the changes in the message state, including adding to a block, adding a block to the master, or a rejection if it is invalid. The full node, in its turn, reports this to the client. We will describe EMQ statuses in more detail after the protocol is implemented in full.
Unfortunately, even after a message is received by validators, its addition to the block is not guaranteed because internal messages have priority, and besides, too many messages may come during one shard and it may not have time to split to process them all. But this is still a much better guarantee than the existing ones. Also, extensions to catchain ensure the storage of received message if the set of validators changes, splits or merges the thread.
Moreover, EMQ assumes that validators inside a thread collate the general queue of external messages, which is an extra consensus layer, and punishes those collators who insert messages out of order or insert too few of them. This offers potential protection from MEV attacks.
Potentially, EMQ can be used as a form of DDoS protection. In this construction, external messages are messages which are provided with 10k gas credits, and those gas credits evince whether a message is valid or not. Such messages are broadcast across the network, which may prompt DDoS attacks via invalid messages. However, this is difficult to implement because validators check messages right after their reception and again later when they are trying to collate a block. Regardless, in the future EMQ will be supplemented by a mechanism to protect from such DDoS attacks. Its design is still in development, but it will roughly look like this:
This is how we will protect the network from spamming with invalid messages and keep it decentralized, as anyone can become an authorized node by locking a small stake.
Within TON architecture, contracts may accept random external messages, including non-signed ones. Since TON philosophy requires a compact BC state, and validators do not store all past messages, the same message may be included an unlimited number of times as long as a contract agrees to pay for it. So a contract should implement replay protection on its own. By default, contracts utilize very simple protection under the hood: an external message is supplemented by time, and the time of every next accepted external message is checked to ensure that it is later than the previous one. Additionally, parameter expire is used to tell that a message is invalid if the time of block release is later than N.
It has been suggested that a requirement be added to EMQ in which validators have to store the IDs of all external messages for 4-8 minutes and not allow the same message twice during this period. So, if we create a message with an expire of 2 minutes, we can be sure it will not be included twice.
The article on smart contracts chapter covers the replay protection issue in more detail.