staking: paranoid writeback changes

[pro-wh]

1. eliminate some unnecessary Set*:
   • when short circuiting transfer to self, do not save the unmodified account
   • when starting to reclaim escrow, do not save the unaffected delegator account
2. rearrange Set* to lose tokens/shares, in case there's a way to make certain state Set* fail across validators. see below

transfer/withdraw saves from account first, then to account:

1. set from account succeeds, set to account fails -> tokens disappear. fairly safe, "safe" referring to "less appealing to exploit"

reclaim escrow inconsistencies in partial failure, under new ordering:

1. set delegation succeeds, set escrow account fails -> delegator loses their shares, tokens remain in active escrow pool unreclaimable. fairly safe
2. set delegation succeeds, set escrow account succeeds, set debonding delegation fails -> tokens remain in debonding escrow pool, will never be released. fairly safe

add escrow seems fine as is:

1. set delegator account succeeds, set escrow account fails -> tokens disappear. fairly safe
2. set delegator account succeeds, set escrow account succeeds, set delegation fails -> tokens get stuck in active escrow pool unreclaimable. fairly safe

do we want these changes? I can split these up if we want some and not others

[Yawning]

This "looks" ok, but I would feel better about it if our test cases covered the edge cases that lead to the weirdness in the first place.

[Yawning]

While you're here, probably change this?

[Yawning]

This was deliberate if somewhat wonky, but to is never mutated, so the removal appears to be ok.

[pro-wh]

right, to prevent creating multiple in-memory representations of the same record that can get out of sync. in the changed version, we no longer attempt to load the "to"/delegator account. to is gone altogether, so we thus still avoid that condition

[kostko]

The thinking behind the current setup is that these Set calls can only fail in case there is state corruption in which case all state updates are rolled back and consensus halts.

You could also use:

ctx = ctx.NewTransaction()
defer ctx.Close()
// ...
ctx.Commit()

[pro-wh]

oh the transaction way would be nice. this being something that came up while thinking about adding a minimum balance check, it seems more correct to create a transaction and roll back if the minimum balance is not met

[pro-wh]

ok Set* rearrangements removed, NewTransaction + Commit added

[pro-wh]

no, this is all wrong, we can't just start a transaction and keep using the same state object

[codecov]

Codecov Report

Merging #4466 (f2f5168) into master (cb18563) will increase coverage by 0.23%.
The diff coverage is 87.93%.

@@            Coverage Diff             @@
##           master    #4466      +/-   ##
==========================================
+ Coverage   68.83%   69.06%   +0.23%     
==========================================
  Files         415      415              
  Lines       46799    46816      +17     
==========================================
+ Hits        32214    32334     +120     
+ Misses      10625    10543      -82     
+ Partials     3960     3939      -21     

Impacted Files	Coverage Δ
.../consensus/tendermint/apps/staking/transactions.go	72.96% <86.53%> (+1.71%)	⬆️
go/consensus/tendermint/apps/staking/fees.go	50.34% <100.00%> (+3.58%)	⬆️
...onsensus/tendermint/apps/beacon/state/state_vrf.go	73.33% <0.00%> (-13.34%)	⬇️
go/consensus/tendermint/abci/state/state.go	61.53% <0.00%> (-7.70%)	⬇️
go/consensus/tendermint/apps/staking/auth.go	70.37% <0.00%> (-7.41%)	⬇️
go/consensus/tendermint/apps/staking/state/gas.go	80.70% <0.00%> (-3.51%)	⬇️
go/oasis-node/cmd/stake/delegations.go	78.99% <0.00%> (-1.69%)	⬇️
go/storage/client/client.go	83.57% <0.00%> (-1.43%)	⬇️
go/worker/keymanager/worker.go	65.74% <0.00%> (-1.26%)	⬇️
go/consensus/tendermint/abci/state.go	73.76% <0.00%> (-1.17%)	⬇️
... and 31 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5041b59...f2f5168. Read the comment docs.