path: root/design-documents
diff options
authorChristian Grothoff <>2021-01-06 20:00:07 +0100
committerChristian Grothoff <>2021-01-06 20:00:07 +0100
commitb1841f2970d4f205774a0f0b667bd04770ca6c07 (patch)
tree5be9d4a6d639db2cec1e05529586bb83988ec7a2 /design-documents
parent00818f108242fd3f47713cc0b94344de0847ec64 (diff)
discuss how to deal with UPDATED (mutable) tables during auditor replication
Diffstat (limited to 'design-documents')
1 files changed, 28 insertions, 0 deletions
diff --git a/design-documents/011-auditor-db-sync.rst b/design-documents/011-auditor-db-sync.rst
index bf8f9a5..aba7b50 100644
--- a/design-documents/011-auditor-db-sync.rst
+++ b/design-documents/011-auditor-db-sync.rst
@@ -94,6 +94,34 @@ Proposed Solution
* The canonical Postgres synchronization between exchange and the
auditor's "ingress" database must use transport security.
+The above solution does not gracefully handle mutable tables on which
+the exchange performs UPDATE statements, as such updates will not bump
+the BIGSERIAL and thus would not be replicated by the helper. Thus, we
+need to consider all tables that the exchange ever performs UPDATE on.
+Those are:
+* /reserves/ --- the exchange updates the remaining reserve balance;
+ here the auditor currently performs a sanity check against
+ its own reserve balance calculation. The proposed way to address
+ this is to make this sanity check optional and to be only used if
+ the auditor auditor runs against the "primary" exchange database
+ (like an internal audit). This is acceptable, as an inaccurate
+ reserve balance is mostly used to raise an early warning and not
+ indicative of any actualized financial gains or losses from the
+ exchange.
+* /deposits/ --- the exchange updates the /tiny/ and /done/ bit
+ fields. /tiny/ can be trivially established by the auditor, and
+ we can simply avoid the auditor considering that bit. /done/
+ was so far only used to enrich the reporting. The proposed way
+ to address the uses of both fields is thus to only use them in
+ internal audits (against the primary exchange database). Both
+ can be safely ignored by the external audit.
+* /prewire/ --- the exchange updates the /finished/ and /failed/
+ bits. The entire table is not used by the auditor and its
+ main values cannot be validated by the auditor anyway.
+* /auditors/ --- the exchange updates the /is_active/ and /last_change/
+ fields. The entire table is of no concern to the auditor.