For the 7th vulnerability mentioned, the cache key being the ID is not a risk.

The relay may send a forged event with an ID pretending to be another event, but 2 things can happen:

- The event is in cache. Then, forged event gets ignored and nothing happens.

- The event is not in cache. The ID is checked, fails verification and does not get into cache.