I think I am missing something obvious, but can't you just take your existing DAG and add a merge validation step to solve this?
If I'm understanding the problem right a malicious user, uses the same source id to send action a to user 1 and action b to user 2.
This has started two independent (and currently indistinguishable branches in your DAG)
When those branches come into contact at say user 3 weird bugs start arising.
However, user 3 is receiving a DAG of all the operations along with the operations. Can't it use that to validate the DAG chain? If it finds a conflict it could simply create a branch at the conflict point by modifying the IDs at the point of conflict. Say by appending a hash of just that operation to the id?
If I'm understanding the problem right a malicious user, uses the same source id to send action a to user 1 and action b to user 2. This has started two independent (and currently indistinguishable branches in your DAG) When those branches come into contact at say user 3 weird bugs start arising.
However, user 3 is receiving a DAG of all the operations along with the operations. Can't it use that to validate the DAG chain? If it finds a conflict it could simply create a branch at the conflict point by modifying the IDs at the point of conflict. Say by appending a hash of just that operation to the id?