  1. Core Server
  2. SERVER-35731

Prevent a repaired node from re-joining a replica set

    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • 4.0.3, 4.1.3
    • Affects Version/s: None
    • Component/s: None
    • Minor Change
    • v4.0
    • Storage NYC 2018-07-16, Storage NYC 2018-07-30, Storage NYC 2018-08-13, Storage NYC 2018-08-27
    • 12

      When MongoDB is started with --repair, the repair process will attempt to salvage data at the expense of potential data loss so that MongoDB can be started normally.

      If a user is unaware they have lost data, they may attempt to add the node back to its original replica set. In the worst-case scenario, this node will become primary and data will appear to go missing.

      There are currently no measures in place to prevent a secondary with data modified offline from re-joining its original replica set (even without repair).

      Solution: If repair modifies storage metadata or collections (not indexes), repair will add a top-level field "repaired: true" to the local.system.replset configuration document. This will invalidate the document and prevent the node from re-joining as a member of the replica set. When the server starts up again normally, a warning will be printed with instructions for performing a re-sync.

      Additionally, if a repair operation fails for any reason, the node will be unable to start up again without the --repair option. The presence of a "_repair_incomplete" file in the dbpath indicates that a repair operation did not complete, and will prevent a mongod from starting up.
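A pre-flight check built on the two markers described above, as an added example (not MongoDB's code): it classifies a stopped node before automation restarts it or adds it back to a replica set. The function name, the `NodeState` enum and the sample configuration document are assumptions made for illustration; the caller supplies the `local.system.replset` document as a dict.

```python
import os
import tempfile
from enum import Enum

REPAIR_MARKER = "_repair_incomplete"  # file name given in the ticket
REPAIRED_FIELD = "repaired"           # top-level field given in the ticket


class NodeState(Enum):  # hypothetical names, not server states
    REPAIR_INCOMPLETE = "repair did not complete; rerun with --repair"
    NEEDS_RESYNC = "repair modified data; re-sync before re-joining"
    NOT_CONFIGURED = "no replica set configuration document"
    OK = "no repair markers found"


def classify_node(dbpath, replset_doc):
    """Classify a stopped node from its dbpath and its local.system.replset
    document (a dict, or None if the node has no configuration)."""
    # Checked first: per the ticket, mongod refuses to start while this file
    # exists, so the configuration document is not the deciding factor yet.
    if os.path.exists(os.path.join(dbpath, REPAIR_MARKER)):
        return NodeState.REPAIR_INCOMPLETE
    if replset_doc is None:
        return NodeState.NOT_CONFIGURED
    # Conservative choice made in this example: the mere presence of the
    # field flags the node, whatever its value.
    if REPAIRED_FIELD in replset_doc:
        return NodeState.NEEDS_RESYNC
    return NodeState.OK


if __name__ == "__main__":
    # Constructed sample configuration document, not taken from a real node.
    cfg = {"_id": "rs0", "version": 1,
           "members": [{"_id": 0, "host": "db0.example.net:27017"}]}
    with tempfile.TemporaryDirectory() as dbpath:
        print(classify_node(dbpath, cfg).value)
        print(classify_node(dbpath, {**cfg, REPAIRED_FIELD: True}).value)
        open(os.path.join(dbpath, REPAIR_MARKER), "w").close()
        print(classify_node(dbpath, cfg).value)
```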

            Assignee: Louis Williams (louis.williams@mongodb.com)
            Reporter: Louis Williams (louis.williams@mongodb.com)
            Votes: 0
            Watchers: 5
