Redundant write on EigenDA failure

[Inkvi]

If EigenDA fails for any reason, we still want to write our commitment to the DA layer if we have caches or fallbacks enabled.

Since certificate is not available at this point, a keccak of the payload has to be used as commitment.

Summary by CodeRabbit

• New Features

  • Enhanced error handling and logging for data writing operations.
  • Improved verification process for reading data from secondary storage.

• Bug Fixes

  • Addressed potential data loss during write failures by implementing redundant write handling.

• Documentation

  • Updated method signatures to reflect changes in error handling and verification logic.

[coderabbitai]

Walkthrough

The changes introduced in this pull request enhance the error handling and logging capabilities of the Put method in the Manager struct located in store/manager.go. A new import from the crypto package has been added, and the method now logs errors and attempts redundant writes when necessary. The Get method remains unchanged in functionality. In store/secondary.go, the MultiSourceRead method has been updated to improve verification logic for RLP encoded certificates, while maintaining existing structures in other methods.

Changes

File	Change Summary
store/manager.go	Updated Put method for enhanced error handling and logging; returns Keccak256 hash on write failure. Updated method signature. Get method retains existing functionality.
store/secondary.go	Enhanced MultiSourceRead method to improve verification logic for RLP encoded certificates; updated method signature. Other methods remain unchanged.

Poem

In the store where data hops,
The Manager now never stops.
With logs that sing and errors that play,
Redundant writes save the day!
The Secondary checks with a clever glance,
Ensuring our data has a fair chance! 🐇✨

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (1)

store/router.go (1)

212-218: Avoid reassigning 'key' variable to improve readability

Reassigning the key variable in line 216 may lead to confusion and potential errors. Consider using a new variable, such as actualKey, to enhance code clarity and maintain the integrity of the original key.

Apply this diff to enhance readability:

     key := crypto.Keccak256(commitment)

     // check if key is an RLP encoded certificate, if not, assume it's an s3 key
     var cert verify.Certificate
     err := rlp.DecodeBytes(key, &cert)
     if err != nil {
-        key = commitment
+        actualKey := commitment
+    } else {
+        actualKey := key
     }

     for _, src := range sources {
-        data, err := src.Get(ctx, key)
+        data, err := src.Get(ctx, actualKey)
         if err != nil {
             r.log.Warn("Failed to read from redundant target", "backend", src.BackendType(), "err", err)
             continue
         }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 24c4715 and 1f3368d.

📒 Files selected for processing (1)

• store/router.go (3 hunks)

🔇 Additional comments (1)

store/router.go (1)

9-10: Add necessary imports for 'verify' and 'rlp' packages

The added imports for the verify and rlp packages are appropriate and necessary for the new functionality introduced in the code.

[i-norden]

LGTM, if this is the only change we need to maintain this approach seems very good to me

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between efb3828 and 0a84c64.

📒 Files selected for processing (1)

• store/router.go (3 hunks)

🔇 Additional comments (1)

store/router.go (1)

136-146: Use 'r.log.Error' instead of 'log.Error' for consistent logging

As noted in previous reviews, it's recommended to use the router's logger r.log.Error instead of the global log.Error to maintain consistent logging and proper configuration.

[alfredo-stonk]

we need to test our new behavior in either server/server_test.go or a separate test file with cases where writes to EigenDA fails, we can still recover data from redundant stores

[alfredo-stonk]

add a comment to clarify why value is passed in here?
First value is used instead of EigenDA's commitment and it'll be keccak'ed as key in redundant writes.

[alfredo-stonk]

Need to change verify logic on line 233. When key == commitment (ie. EigneDA failes), verify that keccak256(data) == key

https://github.com/polymerdao/eigenda-proxy/pull/1/files#diff-fc787786f5f17942139efa2d18ffd7b028c888c628e07ecc4ce737d917f09eefR232-R237

[coderabbitai]

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 0a84c64 and 4dfb545.

📒 Files selected for processing (1)

• store/router.go (4 hunks)

🧰 Additional context used

🔇 Additional comments (7)

store/router.go (7)

6-6: Import 'bytes' package is necessary for byte comparisons.

The addition of the "bytes" package is appropriate as it is used for byte slice comparisons in the code (e.g., bytes.Equal() function).

---

12-14: Added imports for 'verify' and 'rlp' packages are appropriate.

The imports of "github.com/Layr-Labs/eigenda-proxy/verify" and "github.com/ethereum/go-ethereum/rlp" are necessary for certificate verification and RLP decoding introduced in the code changes.

---

137-147: Use 'r.log.Error' instead of 'log.Error' for consistent logging.

In lines 137 and 143, the global log.Error is used directly. To maintain consistency and ensure proper logging configuration, consider using the router's logger r.log.Error instead.

---

141-141: Clarify the use of 'value' as the key in redundant writes.

It would be helpful to add a comment explaining why value is used as the key in the handleRedundantWrites function when writing to redundant backends. This can improve code readability and maintainability.

---

214-220: Ensure key assignment logic is clear after RLP decoding.

In the multiSourceRead function, when decoding commitment as an RLP-encoded certificate, if decoding fails, key is set to commitment. For better readability and to avoid confusion, consider making the key assignment explicit in both cases.

---

233-239: Verify data integrity when EigenDA verification is not applicable.

In lines 233-239, when bytes.Equal(key, commitment) is true, the code verifies the data using src.Verify(commitment, data). However, when bytes.Equal returns false, it uses r.eigenda.Verify(commitment, data). According to a prior review comment, we need to adjust the verification logic when key == commitment (i.e., EigenDA fails) to ensure that keccak256(data) == key.

Please verify that the implementation correctly handles the data verification in both cases to maintain data integrity.

---

141-141: Ensure the correct key is used when writing to redundant backends.

In the call to handleRedundantWrites:

redundantErr := r.handleRedundantWrites(ctx, value, value)

Passing value as both commitment and value may cause inconsistency in how keys are computed in redundant backends. Ensure that the key used in redundant writes aligns with the expected key computation method in those backends.

Run the following script to check if redundant backends expect the key to be crypto.Keccak256(value):

[coderabbitai]

🛠️ Refactor suggestion

Consider handling the case where RLP decoding succeeds.

In the multiSourceRead function, after decoding commitment as an RLP-encoded certificate:

var cert verify.Certificate
err := rlp.DecodeBytes(commitment, &cert)
if err != nil {
    key = commitment
}

If RLP decoding succeeds (err == nil), key remains as crypto.Keccak256(commitment). For clarity, consider adding an else clause to make the key assignment explicit, and possibly add comments explaining the logic.

Apply this diff for improved clarity:

 key := crypto.Keccak256(commitment)

 // Check if key is an RLP encoded certificate; if not, assume it's an S3 key
 var cert verify.Certificate
 err := rlp.DecodeBytes(commitment, &cert)
 if err != nil {
     key = commitment
+} else {
+    // If decoding succeeds, key remains as crypto.Keccak256(commitment)
+    // No action needed; consider adding a comment if necessary
 }

[coderabbitai]

⚠️ Potential issue

Adjust data verification logic based on key equality.

In the verification step:

if bytes.Equal(key, commitment) {
    err = src.Verify(commitment, data)
} else {
    // Verify cert:data using EigenDA verification checks
    err = r.eigenda.Verify(commitment, data)
}

Ensure that when key == commitment (indicating EigenDA has failed and we're using a fallback), the verification correctly checks that keccak256(data) == key. Currently, src.Verify may not perform this check as expected.

Would you like assistance in updating the verification logic to ensure data integrity when using redundant backends? I can help draft the necessary code changes or open a GitHub issue to track this task.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 4dfb545 and bb354f7.

📒 Files selected for processing (1)

• store/router.go (4 hunks)

🧰 Additional context used

🔇 Additional comments (3)

store/router.go (3)

12-13: LGTM: New imports added for enhanced functionality.

The new import statements for verify and rlp packages are correctly added and necessary for the new functionality in the multiSourceRead method.

---

Line range hint 1-339: Overall assessment: Good improvements with some areas for refinement.

The changes in this file generally improve error handling, add flexibility in key handling, and enhance the robustness of the Router implementation. Key improvements include:

1. Better error logging and fallback mechanisms in the Put method.
2. Flexible handling of RLP encoded certificates in multiSourceRead.
3. Differentiated verification logic based on key types.

However, there are a few areas that could benefit from further refinement:

1. Ensuring non-nil error returns in edge cases.
2. Clarifying the logic for key assignment when handling RLP encoded certificates.
3. Verifying data integrity correctly when using fallback keys.

Addressing these points will further enhance the reliability and clarity of the code.

---

233-239: ⚠️ Potential issue

Verify data integrity for different key types, but consider edge case.

The new verification logic differentiates between different key types, which is good. However, there's a potential issue:

When key == commitment (indicating EigenDA has failed and we're using a fallback), the verification should check that keccak256(data) == key. The current src.Verify(commitment, data) may not perform this check as expected.

Consider updating the verification logic:

 if bytes.Equal(key, commitment) {
-    err = src.Verify(commitment, data)
+    if !bytes.Equal(crypto.Keccak256(data), key) {
+        err = errors.New("data integrity check failed for fallback key")
+    }
 } else {
     // verify cert:data using EigenDA verification checks
     err = r.eigenda.Verify(commitment, data)
 }

This ensures proper data integrity verification when using fallback keys.

To confirm this behavior, we can run the following script:

This will help us understand how src.Verify is implemented across different store types and ensure our suggested change is necessary and correct.

[coderabbitai]

🛠️ Refactor suggestion

Good addition for handling RLP encoded certificates.

The new code to handle RLP encoded certificates adds flexibility in key handling. However, the logic could be made more explicit:

Consider clarifying the key assignment in both cases:

 key := crypto.Keccak256(commitment)

 // check if key is an RLP encoded certificate, if not, assume it's an s3 key
 var cert verify.Certificate
 err := rlp.DecodeBytes(commitment, &cert)
 if err != nil {
     key = commitment
+} else {
+    // Decoding succeeded, key remains as Keccak256 hash
+    // No action needed, but consider adding a comment for clarity
 }

This makes the logic more explicit and easier to understand at a glance.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// check if key is an RLP encoded certificate, if not, assume it's an s3 key
	var cert verify.Certificate
	err := rlp.DecodeBytes(commitment, &cert)
	if err != nil {
	key = commitment
	}
	key := crypto.Keccak256(commitment)
	// check if key is an RLP encoded certificate, if not, assume it's an s3 key
	var cert verify.Certificate
	err := rlp.DecodeBytes(commitment, &cert)
	if err != nil {
	key = commitment
	} else {
	// Decoding succeeded, key remains as Keccak256 hash
	// No action needed, but consider adding a comment for clarity
	}

[coderabbitai]

⚠️ Potential issue

Improved error handling, but consider edge case.

The new error handling and logging for EigenDA write failures is a good addition. The fallback mechanism to write to redundant backends enhances data reliability.

However, there's a potential issue:

If both caching and fallbacks are disabled (!r.cacheEnabled() && !r.fallbackEnabled()), and the EigenDA write fails, the function will return nil, err. There's a risk that err might be nil here, which could lead to silent failures.

Consider adding a check to ensure err is not nil before returning:

    if r.cacheEnabled() || r.fallbackEnabled() {
        redundantErr := r.handleRedundantWrites(ctx, value, value)
        if redundantErr != nil {
            log.Error("Failed to write to redundant backends", "err", redundantErr)
            return nil, redundantErr
        }
        return crypto.Keccak256(value), nil
    }
+   if err == nil {
+       err = errors.New("failed to write to EigenDA and no redundant backends available")
+   }
    return nil, err

This ensures that an error is always returned when the write operation fails.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	log.Error("Failed to write to EigenDA backend", "err", err)
	// write to EigenDA failed, which shouldn't happen if the backend is functioning properly
	// use the payload as the key to avoid data loss
	if r.cacheEnabled() || r.fallbackEnabled() {
	redundantErr := r.handleRedundantWrites(ctx, value, value)
	if redundantErr != nil {
	log.Error("Failed to write to redundant backends", "err", redundantErr)
	return nil, redundantErr
	}
	return crypto.Keccak256(value), nil
	}
	log.Error("Failed to write to EigenDA backend", "err", err)
	// write to EigenDA failed, which shouldn't happen if the backend is functioning properly
	// use the payload as the key to avoid data loss
	if r.cacheEnabled() || r.fallbackEnabled() {
	redundantErr := r.handleRedundantWrites(ctx, value, value)
	if redundantErr != nil {
	log.Error("Failed to write to redundant backends", "err", redundantErr)
	return nil, redundantErr
	}
	return crypto.Keccak256(value), nil
	}
	if err == nil {
	err = errors.New("failed to write to EigenDA and no redundant backends available")
	}
	return nil, err

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (3)

store/manager.go (1)

129-130: Consider validating value before using as key.

When using the payload as the key, we should validate its size and content to ensure it's suitable for use as a key in the secondary storage system.

 // use the payload as the key to avoid data loss
+if len(value) > MaxKeySize {  // Define appropriate MaxKeySize constant
+    return nil, fmt.Errorf("payload too large to use as key: %d bytes", len(value))
+}
 if m.secondary.Enabled() {

store/secondary.go (2)

157-162: Add logging for certificate decode failures.

When the RLP decode fails, it silently falls back to using the commitment as key. While this aligns with the PR objectives, logging this fallback would help with debugging and monitoring.

 var cert verifypackage.Certificate
 err := rlp.DecodeBytes(commitment, &cert)
 if err != nil {
+    sm.log.Debug("Commitment is not an RLP certificate, using as direct key", "err", err)
     key = commitment
 }

---

153-155: Update method documentation to reflect new behavior.

The method comment should be updated to explain the new certificate handling behavior.

 // MultiSourceRead ... reads from a set of backends and returns the first successfully read blob
 // NOTE: - this can also be parallelized when reading from multiple sources and discarding connections that fail
-//   - for complete optimization we can profile secondary storage backends to determine the fastest / most reliable and always rout to it first
+//   - for complete optimization we can profile secondary storage backends to determine the fastest / most reliable and always route to it first
+//   - handles both direct keys and RLP encoded certificates, falling back to using commitment as key if certificate decode fails
+//   - uses appropriate verification method based on whether the key is a direct match or certificate

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between bb354f7 and 01ad05a.

📒 Files selected for processing (2)

• store/manager.go (2 hunks)
• store/secondary.go (3 hunks)

🔇 Additional comments (4)

store/manager.go (2)

11-11: LGTM: Required import for fallback hash calculation.

The addition of the crypto package is necessary for computing Keccak256 hash when EigenDA fails.

---

127-137: Verify handling of different commitment types by consumers.

The implementation correctly handles EigenDA failures by:

1. Writing to secondary storage using value as both key and value
2. Returning Keccak256 hash as commitment

However, we should verify that consumers can handle receiving a Keccak256 hash instead of the expected EigenDA certificate.

✅ Verification successful

Let me generate additional scripts to search for commitment handling patterns:

---

No concerns with different commitment types being returned

The codebase is well-designed to handle different commitment types:

1. The Put method is called through the Manager interface which returns []byte - consumers are already designed to handle opaque byte arrays.
2. The codebase has a robust commitment type system (commitments/ package) that supports multiple commitment types including Keccak256Commitment and GenericCommitment.
3. Verification is properly abstracted through interfaces like CertCommitment, OPCommitment, and DaSvcCommitment, each with their own verification logic.
4. The server handler in server/handlers.go treats all commitments uniformly, wrapping any errors with proper context.

The fallback to Keccak256 hash is safe and consistent with the existing commitment handling patterns.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for places where Put method's return value is used
rg -A 5 "Put\(ctx.*\)" | grep -v "func.*Put"

# Search for type assertions or comparisons on commitment values
ast-grep --pattern 'if commit := $_.Put($$$); $$$'

Length of output: 4024

---

Script:

#!/bin/bash
# Search for commitment type checks or handling
rg -A 5 "type.*Commitment" 

# Search for places where Put result is assigned and used
rg -B 2 -A 5 "(commit|key|cert).* := .*Put\("

# Search for any verification or type-specific handling
rg -A 5 "(Verify|Check|Handle|Process).*Commitment"

Length of output: 9464

store/secondary.go (2)

4-4: LGTM: New imports support certificate handling.

The added imports align with the PR objectives for handling EigenDA certificates and fallback scenarios.

Also applies to: 11-11, 14-14

---

182-187: Verify the impact on existing certificate verification.

The new branching logic for verification needs careful testing to ensure it doesn't break existing certificate verification flows.

✅ Verification successful

Let me gather more specific information about the verification implementations to better understand the impact.

---

Based on the gathered information, I can now provide a final response:

The verification branching logic is safe and maintains existing certificate verification flows

The code change implements a clear separation between two verification paths:

• Direct key-value verification using src.Verify() when key matches commitment
• EigenDA certificate verification using the provided verify() function when dealing with certificates

The implementation is consistent with existing verification patterns across the codebase where:

• Each store type implements its own Verify() method with appropriate checks
• Certificate verification is properly handled in the EigenDA store
• The locking mechanism (verifyLock) ensures thread-safe verification

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for other certificate verification patterns in the codebase
# that might be affected by this change

# Look for certificate verification patterns
echo "Searching for certificate verification patterns..."
rg -l "Certificate" --type go

# Look for Verify method calls
echo "Searching for Verify method calls..."
ast-grep --pattern 'Verify($_, $_, $_)'

Length of output: 474

---

Script:

#!/bin/bash
# Look for Verify method implementations and their context
echo "Searching for Verify method implementations..."
rg -A 5 "func.*Verify" --type go

# Look for verify function implementations
echo "Searching for verify function implementations..."
rg -A 5 "func verify" --type go

# Look for specific verification patterns in secondary.go
echo "Checking verification patterns in secondary.go..."
rg -A 10 "verify|Verify" store/secondary.go

Length of output: 5379

[coderabbitai]

🛠️ Refactor suggestion

Optimize lock scope and improve verification logic.

The verification lock's scope is wider than necessary, and the branching logic could be more explicit.

-        sm.verifyLock.Lock()
+        var verifyErr error
+        sm.verifyLock.Lock()
         if bytes.Equal(key, commitment) {
-            err = src.Verify(ctx, commitment, data)
+            verifyErr = src.Verify(ctx, commitment, data)
         } else {
             // verify cert:data using EigenDA verification checks
-            err = verify(ctx, commitment, data)
+            verifyErr = verify(ctx, commitment, data)
         }
+        sm.verifyLock.Unlock()

-        if err != nil {
+        if verifyErr != nil {
             cb(Failed)
-            log.Warn("Failed to verify blob", "err", err, "backend", src.BackendType())
-            sm.verifyLock.Unlock()
+            log.Warn("Failed to verify blob", "err", verifyErr, "backend", src.BackendType(), "using_direct_key", bytes.Equal(key, commitment))
             continue
         }
-        sm.verifyLock.Unlock()

Committable suggestion skipped: line range outside the PR's diff.