# Beyond the Whitepaper: Where BFT Consensus Protocols Meet Reality

- **Authors**: ZK/SEC
- **Date**: August 05, 2024
- **Tags**: educative, consensus, formal-verification

We just released a paper on the security of Byzantine Fault Tolerant (BFT) consensus protocols in collaboration with Matter Labs and Sigma Zero. The paper is a collection of lessons learned from analyzing the real-world security of various BFT consensus protocol implementations. [You can find the paper on eprint](https://eprint.iacr.org/2024/1242).

![BFT consensus paper](https://i.imgur.com/7OUm1ev.png)

Here is the abstract:

> This paper presents a collection of lessons learned from analyzing the real-world security of various Byzantine Fault Tolerant (BFT) consensus protocol implementations. Drawing upon our experience as a team of security experts who have both developed and audited BFT systems, including BA$\bigstar$, HotStuff variants, Paxos variants, and DAG-based algorithms like Narwhal and Bullshark, we identify and analyze a variety of security vulnerabilities discovered in the translation of theoretical protocols into real-world code. Our analysis covers a range of issues, including subtle logic errors, concurrency bugs, cryptographic vulnerabilities, and mismatches between the theoretical model and the implementation. We provide detailed case studies illustrating these vulnerabilities, discuss their potential impact, and propose mitigation strategies. This work aims to provide valuable insights for both designers and implementers of BFT consensus protocols, ultimately contributing to the development of more secure and reliable distributed systems.

---

This article was published on the [ZK/SEC Quarterly](https://blog.zksecurity.xyz) blog by [ZK Security](https://www.zksecurity.xyz), a leading security firm specialized in zero-knowledge proofs, MPC, FHE, and advanced cryptography.
