Algod: state-proof key deletion safety

[algonathan]

Summary

Due to StateProof keys' lifetime, the signer might delete the key while not all signatures are present in the DB.
This critical error might occur when the DB fails to record a signature and a new signature arrives from the same key.

[codecov]

Codecov Report

Merging #4601 (ae5aa9b) into feature/stateproofs-recoverability (9ebdbce) will decrease coverage by 0.50%.
The diff coverage is 58.62%.

@@                          Coverage Diff                           @@
##           feature/stateproofs-recoverability    #4601      +/-   ##
======================================================================
- Coverage                               54.53%   54.03%   -0.51%     
======================================================================
  Files                                     408      408              
  Lines                                   52650    52658       +8     
======================================================================
- Hits                                    28714    28453     -261     
- Misses                                  21540    21791     +251     
- Partials                                 2396     2414      +18     

Impacted Files	Coverage Δ
data/account/participationRegistry.go	78.01% <ø> (-0.49%)	⬇️
stateproof/signer.go	50.00% <ø> (-2.39%)	⬇️
stateproof/worker.go	89.28% <ø> (ø)
data/accountManager.go	72.61% <20.00%> (+1.36%)	⬆️
stateproof/builder.go	75.42% <66.66%> (-4.72%)	⬇️
stateproof/recovery.go	0.00% <0.00%> (-77.78%)	⬇️
crypto/onetimesig.go	0.00% <0.00%> (-76.07%)	⬇️
data/bookkeeping/txn_merkle.go	62.96% <0.00%> (-22.23%)	⬇️
data/account/participation.go	45.68% <0.00%> (-18.11%)	⬇️
crypto/rand.go	11.76% <0.00%> (-17.65%)	⬇️
... and 30 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[almog-t]

If I understand correctly, for every round (?) we're going to be going over all of the participation records, extracting the state proof keys from them and removing stale keys? It might be worth it to hold the previous state proof next round to decide if we have to do that, even if we put aside the question of changing state proof intervals.

[id-ms]

You have a point. I've addressed that. take a second look

[almog-t]

Won't we miss out on purging stale data from accounts that can't sign latestRoundToKeep but still have old keys in their DB?
It seems to me we should simply iterate over all accounts and invoke spw.accts.DeleteStateProofKey(participationID, latestRoundToKeep) for all of them, no?

[almog-t]

Why do we need to use roundToRemove? Why not latestRoundToKeep instead?

[id-ms]

if we delete roundToRemove we might delete a key that should be used for a later state proof.

[almog-t]

Let's iron out the kinks in the deletion part, otherwise looks good.