Why 2/3+?

Byzantine Fault Tolerance (BFT) consensus requires strictly more than >2/3 of the stake to be honest for system safety – meaning the network tolerates up to, but not including, <1/3 faulty stake.

The principle is easier to learn from an example. Let's look at it:

• 9 nodes | f=2 – a network of 9 nodes can tolerate 2 faulty nodes.
  • quorum: ⌈(2·9)/3⌉ = 6
• 10 nodes | f=3 – a network of 10 nodes can tolerate 3 faulty nodes.
  • quorum: ⌈(2·10)/3⌉ = 7

When learning Byzantine principles, it's easy to confuse different system properties. I would highlight two terms – two conditions that govern the system:

• Safety – honest stake must stay strictly greater than 2/3.
• Liveness – at least 2/3 of the honest stake must be online.

These two rules can fail independently: if not enough honest nodes are online, liveness fails and the network stalls. If Byzantine stake reaches 1/3, safety fails and conflicting blocks can be finalized simultaneously.

In Proof-of-Stake (PoS) protocols, stake defines voting power and accountability for system safety – the greater the stake, the greater the slashing. However, the stake is only one side of the story – the other is how blocks are actually finalized (consensus).

Quorum

PoS+BFT consensus is analyzed in time slots via an equivocation attack, in which 2 realities both finalize, potentially breaking the system and leaving the chain in a state where the protocol has no way to pick a winner.

Why not 51%, 66%, maybe 90%, or even 100%?

BFT protocols (partially) synchronize voting for a block, giving fast finalization.

Quorum Q is how many nodes out of N are needed to vote for a block to accept it.

More generally, how much of the stake is needed to vote... (2/3+! But why, right?)

In PoW (Proof-of-Work), there are no time slots, and finalization is probabilistic - ~51% of hash power on the longest chain fork "generally wins".

In PoS, there are time slots. A single node serves as the proposer (the leader). The reason is to avoid situations in which multiple blocks legally compete for the same time slot. This makes the system simpler and easier to analyze against a wide range of attacks.

Achieving 100% is unrealistic: some nodes may go offline, receive delayed notifications, or be dishonest (Byzantine). In other words, how many faulty nodes f can be tolerated without the system being compromised (<1/3 😉)?

Equivocation Attack

A leader can be malicious and may produce 2 conflicting blocks or send a single block to a particular set of voters.

An equivocation attack occurs when a validator or node in a distributed network presents conflicting, inconsistent information to different parts of the network, breaking consensus rules to gain an advantage.

Two blocks go to different voters, and not to the same ones, because this is detectable and slashable – the proposer risks losing their stake. An honest voter can use two signed blocks from a single proposer as evidence of a crime.

Overlapping Quorums

If two conflicting blocks both finalize, their voter sets must overlap.

Honest nodes are maximally split. Double-voted nodes are ALL byzantine.

1. An honest node won't vote for two conflicting blocks, so it is never part of the overlap.
2. If an honest node were in the overlap, it would reveal the double voting.

Now, important:

Let's go through some calculations and find Q and f!

• 2Q – two quorums;
• 2Q > N – when two quorums overlap, their total count is greater than the total number of nodes;
• 2Q-N = overlap – the count of overlapped nodes is the difference between 2Q and N;
• overlap > f is needed for safety because there must NOT be honest nodes in the overlap;
• therefore, 2Q-N > f

Safety: 2Q-N > f – we need the overlap to contain at least one honest node, so the double-voting FAILS.

Liveness: N-f ≥ Q – honest votes should be enough to reach a quorum.

Two constraints must hold at once.

Solving the System

N+f < 2Q ≤ 2(N−f)
N+f < 2N − 2f
3f  < N
f   < N/3

We reached the conclusion!

Typically, we can see the 2/3 principle looks like this:

The protocol works as long as no more than 1/3 of the nodes are faulty (Byzantine), and more than 2/3 are honest.

1. If quorum Q had been defined as "51%", then the faulty nodes could have vote for both blocks, finalizing two conflicting realities and breaking the system (equivocation attack!).
2. With higher quorum, the byzantine nodes are forced to vote for a single block.

Attack Variation: No double-voting is assumed

Let's consider a case where all "faulty" nodes try to push block A to be voted for.

Without creating two conflicting valid quorums, it doesn't break the system. However, without double voting, it's a more practical attack.

I realized that this is a variation of MEV – some validators are trying to push a more "interesting", profitable, but still valid block. Again, it doesn't break the system.

Still, from this case we can see derive the same 2/3 rule, if the nodes are maximally split:

• (N-f)/2 votes for A,
• (N-f)/2 votes for B.

Byzantine nodes don't reveal themselves – they all pile onto A, silently voting with(N-f)/2 + f = (N+f)/2.

Safety: (N+f)/2 < Q – we need the faulty nodes to FAIL to push a block A over quorum.

Liveness: N-f ≥ Q – honest votes should be enough to reach a quorum.

Solving the System

N+f < 2N−2f
3f  < N
f   < N/3

Intuitively, in this particular case, it actually means this:

1. Block B does not have enough votes to reach a quorum - (N-f)/2 is less than half of the nodes.
2. Block A might have enough votes, but only if there are "too many" faulty nodes (more than 1/3).

Infographics