Delegated Byzantine Fault Tolerance: Technical details, challenges and perspectives

Delegated Byzantine Fault Tolerance: Technical details, challenges and perspectives

Several studies in the blockchain literature have explored partially synchronous and fully asynchronous Byzantine Fault Tolerant (BFT) systems. However, few of them have been applied in a real-world scenarios - i.e. where multiple distinct decentralized applications use the same BFT system.

Distinct to other prior works in the literature, this paper proposes a BFT consensus mechanism with one block finality in the first layer. One block finality offers significant advantages for real-world applications - For example, end users, merchants, and exchanges can be confident that their transactions were definitively processed and that there is no chance for them to be reverted. Besides its significant advantages, satisfying this set of requirements poses additional constraints, vulnerabilities and challenges when compared to other consensus applications dealt in the literature.

The goal of this technical material is to highlight the main adaptations from the classical Practical Byzantine Fault Tolerance (pBFT) to the Delegated Byzantine Fault Tolerance (dBFT) currently used in some blockchain implementations (NEO for example). Furthermore, it describes a novel mathematical model that is able to verify specific consensus behavior by means of a discrete model which can simulate its operation in real cases. While highlighting the positive aspects of the dBFT consensus system, this document also has the goal of pointing out possible faults and future research & development directions.

Background on Practical BFT

Practical BFT was first made possible by the work of Miguel Castro and Barbara Liskov (see Figure 1), entitled "Practical Byzantine Fault Tolerance".

Figure 1: Turing-Prize winner Barbara Liskov on 2010. Wikipedia CC BY-SA 3.0

Given ?? = 3?? +1 replicas of a State Machine, organized as Primary and Backup nodes, the proposed algorithm guarantees liveness and safety to the network, if at most f nodes are faulty/Byzantine (the name Byzantine refers to arbitrary behavior, and was coined by Leslie Lamport and others in the paper "The Byzantine Generals Problem").

  • Safety property ensures that all processes will execute as atomic, either executing on all nodes, or reverting as a whole. This is possible due to the deterministic nature of the process (executed on every node), which is also valid for blockchain protocols in general.
  • Liveness guarantees that the network won't be stopped (unless more than f byzantine nodes exist), by using a mechanism called "change view", which allows Backup nodes to switch Primary node when it seems Byzantine, as well as when quorum of the majority is not achieved. A timeout mechanism is used, and by doubling delays exponentially at every view, pBFT can prevent attacks from malicious network delays that cannot grow indefinitely. In the current formula, timeout happens following a left-shift operator according to the current view number, for example:
  • Considering 15 second blocks: 15 << 1 is 30s (first change view); 15 << 2 is 60s; 15 << 3 is 120s; 15 << 4 is 240s.
  • Considering 1 second blocks: 1 << 1 is 2s; 1 << 2 is 4s; 1 << 3 is 8s; 1 << 4 is 16s.

In addition, timeout is postponed each time that the protocol detects that nodes are reaching an agreement on the current block. For example, it is currently set to around 40% of block time when PrepareRequest or PrepareResponse payloads are received, while 80% for Commits. The reasoning behind this is that Consensus Nodes can delay their timeouts when they believe in the current network topology. Thus, timeout may have two time parcels, one fixed (according to the current view) and another one that is represented in terms of increments. It should be noticed that the fixed portion do not increase until the node does not move to a higher view. Timers might expire more than 1 time for each view, rebroadcasting its current change view request. Without loss of generality this can happen since change view is considered to be a locked state.

Regarding the locked state, it should be noticed that after requesting ChangeView the node still can be unlocked. The latter happens only in a special condiction, in which, at least, f nodes are known as lost or committed.

The considered network on pBFT assumes that it "may fail to deliver messages, delay them, duplicate them, or deliver them out of order". They also considered public-key cryptography to validate the identity of replicas, which is also the same for most dBFT implementations. Since the algorithm does not rely on synchrony for safety, it must rely on it for liveness (this was demonstrated by paper "Impossibility of distributed consensus with one faulty process"). The resiliency of 3f+1 is optimal for a Byzantine Agreement, with at most f malicious nodes.

pBFT correctness is guaranteed by having three different phases: pre-prepare, prepare and commit (dBFT 2.0 also consists of three phases, with a slight naming change: prepare request, prepare response, and commit).

  • On pre-prepare, primary sends a sequence number k together with message m and signed digest d. Backup i accepts pre-prepare if the signature is correct, k is in the valid interval (a special technique avoids the exhaustion of sequence number space by faulty primary), and i has not yet accepted a pre-prepare for the same k and the same view.
  • When pre-prepare is accepted, a prepare message is broadcast (including to primary), and a node is considered prepared when it receives at least 2f prepare messages that match its local pre-prepare, for the same view. So, at this point, for a given view, the non-faulty replicas already agree on the total order for requests. As soon as 2f +1 non-faulty nodes are prepared, the network can be considered as committed.
  • Every committed replica broadcasts a commit message, and as soon as node i has received 2f+1 commit messages, node i is committed-local. It is guaranteed that, eventually, even with the occurrence of change views, a system with committed-local nodes will become committed.

pBFT considers that clients interact and broadcast messages directly to the primary node, then receiving independent responses from 2f+1 nodes in order to move forward (to the next operation). This is a similar situation for most blockchains, where information is spread by means of a peer-to-peer network, but in this case, the location of consensus nodes is unknown (in order to prevent direct delay attacks and denial of service). One difference is that, for pBFT, clients submit atomic and independent operations for a unique timestamp, which are processed and published independently. For NEO blockchain, consensus nodes have to group transactions into batches, called blocks, and this process may lead to the existence of thousands of valid blocks for the same height, due to different groupings (different combinations of transactions). So, in order to guarantee block finality (a single and unique block can exist in a given height), we may have to consider situations where the "client" (block proposer) is also faulty, which is not considered in pBFT.

dBFT core modifications

In summary, we highlight some differences between pBFT and dBFT:

  • One block finality to the end-users and seed nodes;
  • Use of cryptographic signatures during different phases of the procedures in order to avoid exposure of nodes commitment to the current block;
  • Ability to propose blocks based on information shared through block headers (transactions are shared and stored in an independent synchronization mechanism);
  • Avoid double exposure of block signatures by not allowing view changes after the commitment phase;
  • Regeneration mechanism able to recover failed nodes both in the local hardware and in the network P2P consensus layer.

dBFT detailed description

The dBFT consensus mechanism is a state machine, with transitions depending on a round-robin scheme (to define Primary/Backup nodes) and also depending on network messages.

dBFT states

dBFT states are the following:

  • Initial : initial machine state;
  • Primary : depends on block height and view number;
  • Backup : true if not Primary, false otherwise;
  • RequestSentOrReceived : true if a valid signature of Primary has been received, false otherwise;
  • ResponseSent : true if block header confirmation has been sent;
  • CommitSent : true if block signature has been sent;
  • BlockSent : true if block has been sent, false otherwise;
  • ViewChanging : true if view change mechanism has been triggered, false otherwise;
  • MoreThanFNodesCommittedOrLost : true in the case that more than f nodes are locked in the committed phase or considered to be lost;
  • IsRecovering : true if a valid recovery payload was received and is being processed.

The first dBFT handled these states explicitly as flags (ConsensusState enum). However, dBFT can infer this information in a implicit manner, since it has added a track of preparations signatures and state recovery mechanisms.


Figure 2 presents the State Machine replicated on each consensus node (the term replica or node or consensus node may be considered synonyms for this subsection). The execution flow of a State Machine replica begins on the Initial state, for a given block height H on the blockchain. Given T as standard block time (15 seconds); v as current view number (starting from v=0); exp(j) is set to 2^ji as consensus index; as total number of consensus nodes. This State Machine can be represented as a Timed Automata, where C represents the clock variable and operations (C condition)? represent timed transitions (C:=0 resets clock). Dashed lines represent transitions that explicitly depend on a timeout behavior and were included in a different format for clarity.

Figure 2: dBFT 2.0 State Machine for specific block height

On Figure 2, consensus node starts on Initial state, on view v=0. Given H and v, a round-robin procedure detects if current node i is Primary: (H + v)\mod R = i (it is set to backup otherwise). If node is Primary, it may proceed to RequestSentOrReceived after SendPrepareRequest action (that selects transactions and creates a new proposed block) after T seconds. If node is Backup, it needs to wait for a OnPrepareRequest action. After clocks expire, nodes may enter a ViewChanging state, what guarantees liveness to the network in case of failed Primary. However, CommitSet state guarantees that no view change occurs, as the node is already committed to that specific block (so it won't provide signature to any other block on that height). Since this could compromise the liveness of the network, a Recovery process was proposed (see Figure dbft-v2-recover). EnoughPreparations, EnoughCommits and EnoughViewChanges depend on having enough valid responses that surpass the byzantine level M (thus, respecting maximum number of faulty nodes f). T is currently calculated as a basin on the time that the node received last block instead of checking the timestamp in which previous header was signed.

Block finality

Block finality in the Consensus layer level imposes the following condition presented on the equation below, which defines that there should not exist two different blocks for a given height h, in any time interval t.

No alt text provided for this image

In summary, the block finality provides that clients do not need to verify the majority of Consensus for SMR. In this sense, seed nodes can just append all blocks that possess the number of authentic signatures defined by the protocol (namely, M = 2f+1). In this sense, as already described for the current dBFT implementation, the minimum number of required signatures is 2f+1 as defined in The Byzantine Generals Problems, where

No alt text provided for this image

is the maximum number of Byzantine nodes allowed by the network protocol.

Multiple block signature exposure

Detected fault on dBFT v1.0

Known Block Hash stuck fork was recently discovered in real operation of NEO blockchain, 2017.

In particular, this happens due to two components of the Blocks that are selected by each node that is a primary:

  • Different sets of Transactions;
  • Block Nonce.

In particular, the NEO dBFT 1.0 had a simplified implementation of the pBFT without the commit stage.

However, it was detected that under rare situations a given node could receive the desired M signatures necessary for persisting a Block, and then suddenly lose connection with other nodes. In this sense, the other nodes could detect a lack of communication (along with other fails between themselves) and generate a new block. Besides breaking block finality, this problem could halt the consensus node and any client that persists the block that was not adopted by the majority of Consensus Nodes. In addition, in a even more rare situation, x nodes with f + 1 < x < M could receive a given block while the other nodes had a different block hash, halting the whole network until a manual decision was reached.

It is noteworthy that even in an Asynchronous Consensus without timeout mechanism this case could lead to problems if the Nonce was not yet defined as well as the transactions to be inserted inside a Block. This real incident motivated several novel insights on the consensus, which covered this "natural" issue due to network as well as added extra security in case of real Byzantine nodes.

Commit phase with change view blocking

Taking into account that the aforementioned fault could happen even with the commit phase, one should verify that nodes could become stuck but not double expose its signature. On the other hand, other attacks could happen if malicious nodes tried to save the signature and perform some specific sets of actions, such as storing information and not sharing it.

In this sense, the possibility that naturally came was:

  • Lock view changing (currently implemented since NEO dBFT 2.0) after sending the block header signature. This means that those who are committed with that block will not sign any other proposed Block.

On the other hand, a regeneration strategy sounded compulsory to be implemented since nodes are stuck with their agreement. We defined this as the indefatigable miners problem, defined below:

  1. The speaker is a Geological Engineer and is searching for a place to dig for Kryptonite;
  2. He proposes a geographic location (coordinates to dig);
  3. The majority of the team (M) agrees with the coordinates (with their partial signatures) and sign a contract to dig;
  4. Time for digging: they will now dig until they really find Kryptonite (no other place will be accepted to be dug until Kryptonite is found). Kryptonite is an infinitely divisible crystal, thus, as soon as one finds it he will share the Kryptonite so that everyone will have a piece for finishing their contract (3);
  5. If one of them dies, when it resurrects it will see its previous signed agreement (3) and it will automatically start to dig again (Regeneration strategy). The other minority will suffer the same, they will be fulfilled with hidden messages saying that they should also dig.

This strategy keeps the strength of the the dBFT with the limit of a maximum number of f faulty nodes. In addition, it adds robustness with a survival/regeneration strategy.


The Recover/Regeneration event is designed for responding to a given failed node that lost part of the history. In addition, it also has a local backup that restores nodes in some cases of hardware failure. This local level of safety (which can be seen as a hardware faulty safety) is essential, reducing the chance of specifically designed malicious attacks.

In this sense, if the node had failed and recovered its health, it automatically sends a change_view to 0, which means that that node is back and wants to hear the history from the others. Thus, it might receive a payload that provides it the ability to check the agreements of the majority and come back to real operation, helping them to sign the current block being processed.

Following these requirements, dBFT 2.0 counted with a set of diverse cases in which a node could recover its previous state, both previously known by the network or by itself. Thus, the recovery is currently encompassing:

  • Replay of ChangeView messages;
  • Replay of Primary PrepareRequest message;
  • Replay of PrepareResponse messages;
  • Replay of Commit messages.

The code can possibly recover the following cases:

  • Restore nodes to higher views;
  • Restore nodes to a view with prepare request sent, but not enough preparations to commit;
  • Restore nodes to a view with prepare request sent and enough preparations to commit, consequently reaching CommitSent state;
  • Share commit signatures to a node that is committed (CommitSent flag activated).

Figure 3 summarizes some of the current states led by the recovery mechanisms, which is currently sent by nodes that received a change view request. Recover payloads are sent by a maximum of f nodes that received the ChangeView request. Nodes are currently selected based on the index of payload sender and local current view. It should be noticed that OnStart events trigger a ChangeView at view 0 in order to communicate to other nodes about its initial activity and its willingness to receive any Recover payload. The idea behind this is that a node that is starting late will probably find some advanced state already reached by the network.

Here, the internal state IsRecovering, differently than the ResponseSent state, is didactically reproduced for simplifying the possible effects that a Recover message can trigger. In this sense, without loss of generality, arrows that arrive on it can be directly connected with the ones that leave it.

Figure 3: dBFT 2.0 State Machine with recover mechanisms

dBFT 2.0 Algorithm

The dBFT algorithm determines the next-consensus-round validators based on real-time blockchain voting, which effectively enhances the efficiency of the algorithm, and saves block time and transaction confirmation time. dBFT2.0, as an upgraded version, improves robustness and safety by introducing the 3-stage consensus mechanism as well as a recovery mechanism.


  • Consensus Node: Nodes that can propose a new block and vote for the proposed block
  • Normal Node: Nodes that can transfer and create transactions, are also ledges, but can neither propose new blocks nor vote
  • Speaker: Validator in charge of creating and broadcasting a proposal block to the network
  • Delegate: Validator responsible for voting on the block proposal
  • Candidate: Account nominated for validator election
  • Validator: Account elected from candidates to take part in consensus
  • View: Referred to the dataset used during a round of consensus. View number v starts from 0 in each round and increases progressively upon consensus failure until the approval of the block proposal, and then is reset to 0.

Consensus Message

Six types of consensus messages are defined in dBFT2.0:

  • Prepare Request: Message for starting a new round of consensus
  • Prepare Response: Message informing other validators that all necessary transactions have been collected for block creation
  • Commit: Message informing other validators that enough Prepare Response messages have been collected
  • Change View Request: Message of view changing attempt
  • Recovery Request: Request for consensus data synchronization
  • Recovery Message: Response to Recovery Request message

Consensus Flow

3-Stage Consensus Flow

No alt text provided for this image

A round of consensus consists of 4 steps, as shown in the Figure above:

  1. Speaker starts consensus by broadcasting a Prepare Request message
  2. Delegates broadcast Prepare Response after receiving the Prepare Request message
  3. Validators broadcast Commit after receiving enough Prepare Response messages
  4. Validators produce & broadcast a new block after receiving enough Commit messages

Here we introduce two variables as follows:

No alt text provided for this image

where N is the number of validators.

A normal algorithm flow is shown below.

No alt text provided for this image

1) Initialize local consensus information

  1. Initialize consensus context
  2. Set the validator whose index equals (h - v) mod N as the speaker. Here h is current block height, v is the current view, and N is the number of validators
  3. Set speaker's timeout to Tblock (Block time, currently 15s) and delegates' timeout to 2v+1*Tblock
  4. Broadcast the Recovery Request message to acquire the current consensus context

2) Validators listen to the network and collect transactions until timeout

3) Start consensus

  • For speaker:
  1. Select transactions from memory pool according to consensus policy after Tblock, create and broadcast Prepare Request message with these transactions' hashes to start a new round of consensus
  2. Package and broadcast each 500 selected transactions
  3. Set timeout to (2v+1- k(v))*Tblock, where
No alt text provided for this image
  • For delegates:

In case of receiving Prepare Request from the speaker before timeout:

  1. Verify the validity of the message and whether it conforms to the local consensus context
  2. Prolong local timeout by (2 * Tblock)/M
  3. Update local consensus context
  4. For each hash contained in the message, attempt to acquire corresponding transactions from memory pool or unverified transaction pool, and add these transactions to consensus context
  5. Ask for transactions not found in step 4 from other nodes

Otherwise, attempt to change view.

4) Broadcast Prepare Response

If a delegate collects all transactions required in Prepare Request before timeout:

  1. For each transaction received, in case of transaction verification failure or against consensus policy, attempt to change view, otherwise add the transaction to consensus context
  2. Broadcast Prepare Response message
  3. Prolong local timeout by (2 * Tblock)/M

Otherwise, attempt to change view.

5) Collect Prepare Response and broadcast Commit

For the speaker and delegates who have received Prepare Request, if Prepare Response messages from M different delegates are received before timeout:

  • For each Prepare Response message received:
  1. Verify the validity of the message and whether it conforms to the local consensus context
  2. Prolong local timeout by (2 * Tblock)/M
  • Broadcast Commit message

Otherwise, attempt to change view.

6) Collect Commit message and create new block

For each validator already having all transactions required in Prepare Request message, in case of Commit messages from M different validators received:

  • For each Commit message received:
  1. Verify the validity of the message and whether it conforms to the local consensus context
  2. Prolong local timeout by (4 * Tblock)/M
  • Create and broadcast the new block

Otherwise, broadcast the Recovery Message, and set the timeout to 2*Tblock

7) Go back to step 1 to start a new round of consensus.

Change View Request

Triggering conditions

  • If the transaction verification fails, the delegate will broadcast Change View Request attempting to replace speaker
  • In case of timeout while waiting for Prepare Request or Prepare Response, the delegate will broadcast Change View Request, attempting to replace the speaker


No alt text provided for this image
  1. Set the timeout to 2v+2* Tblock
  2. If the sum of nodes with Commit sent and fault nodes (referring to the validators from which no other validator receives messages during a block time) is greater than F, broadcast Recovery Request message
  3. Otherwise, broadcast Change View Request message, and check the amount of Change View Request received. If not less than M validators reach consensus upon view changing, change local view, initialize local consensus context, and determine the next round's speaker according to new view.

Process logic

When a validator receives Change View Request message:

  1. If the message's view is not greater than the local view, this message will be handled as Recovery Request
  2. Verify the validity of the message
  3. Check the amount of Change View Request received. If not less than M validators reach consensus upon view changing, change the local view, initialize local consensus context, and determine next round's speaker according to new view
No alt text provided for this image

Recovery Request Message

Triggering conditions

  • Broadcast Recovery Request message upon enabling the consensus policy to update local consensus context
  • Upon creating Change View Request, if there are not enough active validators (sum of nodes with Commit sent and fault nodes is greater than F), broadcast Recovery Request message to update the local consensus context

Process logic

Upon receiving Recovery Request, a validator will generate and broadcast Recovery Message only if the following conditions are met:

  • This node has already broadcast Commit message
  • This node's index belongs to the given interval:
No alt text provided for this image

, where j is the index of Recovery Request sender

No alt text provided for this image

Recovery Message


  • Change View Request messages from no more than M delegates
  • Prepare Request/Response messages
  • Commit messages

Triggering conditions

  • Upon receiving Recovery Request message, if this node has already broadcast Commit message or its index belongs to the given interval:
No alt text provided for this image

, where j is the index of Recovery Request sender

  • Upon receiving Change View Request message, if the message's view is not greater than the local view, this message is handled as Recovery Request
  • In case of a timeout while waiting for Commit message, broadcast Recovery Message to resend Commit message (common in network issues)

Process flow

  1. Verify the validity of the message and the local consensus context. If the message's view is greater than the local view, and this node has already sent Commit message, ignore this message
  2. Otherwise, if the message's view is greater than the local view, handle Change View Request messages inside
  3. If the message's view equals local view:
  • Handle Prepare Request message inside
  1. If this node has neither sent nor received Prepare Request message, handle Prepare Request message inside
  2. Otherwise if this node is the speaker, broadcast Prepare Request message
  • Handle Prepare Response messages inside
  1. If the message view is not greater than the local view, handle Commit messages inside
No alt text provided for this image

The mechanism with Change View Request, Recovery Request and Recovery Message can keep consensus safe from timeout caused by the network, abnormal nodes (malicious nodes, fault nodes, etc.) and other issues.

Consensus Policy

Consensus policy is used in the following scenarios:

  • Upon receiving transactions from other nodes, nodes will perform verification to filter out transactions against consensus policy
  • Upon receiving transactions, the consensus module needs to verify whether these transactions satisfy the consensus policy, if not, it will attempt to change the view
  • Validator needs to filter transactions in its context upon enabling the consensus policy, only confirmed transactions can be added into the memory pool
  • The speaker needs to select transactions from memory pool according to the consensus policy for new Prepare Request

Possible faults

Pure network faults

Possible scenarios:

  • Up to f nodes are going to delays messages;
  • at maximum, will crash both in terms of hardware fault or software problems.

Mixed malicious Byzantine faults

First of all, Byzantine attacks should be designed in order that nodes will never be able to prove that it was an attack. Otherwise, holders would recriminate such actions and vote in favor of other nodes. Furthermore, nodes that join a given collaborative network possess an identity or stake. If anyone could detect such malicious behavior, then, that node would "automatically" (through the current voting system or an automatic mechanism that could be designed) be removed from the network.

  • at maximum, f, nodes will delays messages;
  • at maximum, f, nodes will send incorrect information (unlikely as it could reveal malicious behavior);
  • at maximum, f, nodes will try to keep correct information for strategic occasions.

A MILP Model for Failures and Attacks on a BFT Blockchain Protocol

We present a MILP model for failures and attacks on a BFT blockchain protocol, in particular, the design is focused on the specific case of dBFT, without loss of generality for other less specialized cases.

This current model is not fully completed due to the recent updates on dBFT to version 2.0. After being finalized it will include some benchmark results modeled with A Mathematical Programming Language (AMPL), currently under development at

Source: Neo dBFT 2.0 Specification, dBFT 2.0 Algorithm


