` 14 D. Mazieres 3/4 Slice is 3 nodes, including self v v v v 1 2 3 4 vote a vote a vote a vote ā accept a) 3/4 v v v v 1 2 3 4 ̄ vote a vote a vote a vote ā ̄ accept vote a b) Fig. 10. Scenarios indistinguishable to v when v does not see bold messages 2 2 THEOREM8. Twointactnodes in an FBAS that enjoys quorum intersection cannot accept contradictory statements. PROOF. Let⟨V,Q⟩beanFBASwithquorumintersectionandletBbeitsDSetofbe- fouled nodes (which exists by Theorem 3). Suppose an intact node accepts statement a. Let v be the first intact node to accept a. At the point v accepts a, only befouled nodes in B can claim to accept it. Since by the corollary to Theorem 7, B cannot be v-blocking, it must be that v accepted a through condition 1. Thus, v identified a quorum U such that every node claimed to vote for or accept a, and since v is the first intact node to ac- cepta,itmustmeanallnodesinU⧵Bvotedfora.Inotherwords,vratifiedain⟨V,Q⟩B. Generalizing, any statement accepted by an intact node in ⟨V,Q⟩ must be ratified in B B ⟨V,Q⟩ . Because B is a DSet, ⟨V,Q⟩ enjoys quorum intersection. Because addition- ally B contains all ill-behaved nodes, Theorem 4 rules out ratification of contradictory statements. 5.4. Accepting is not enough Unfortunately, for nodes to assume the truth of accepted statements would yield sub- optimal safety and liveness guarantees in a federated consensus protocol. We discuss the issues with safety and liveness in turn. To provide some context, we then explain whytheseissues are thornier in FBA than in centralized Byzantine agreement. 5.4.1. Safety. Consider an FBAS ⟨V,Q⟩ in which the only quorum is unanimous consent—i.e., ∀v,Q(v) = {V}. This ought to be a conservative choice for safety—don’t doanythingunlesseveryoneagrees.Yetsinceeverynodeisv-blockingforeveryv,any node can single-handedly convince any other node to accept arbitrary statements. The problem is that accepted statements are only safe among intact nodes. But as discussed in Section 4.1, the only condition necessary to guarantee safety is quorum intersection of well-behaved nodes, which might hold even in the case that some well- behavednodesarebefouled.Inparticular,whenQ(v) = {V},theonlyDSetsareçandV, meaning any node failure befouls the whole system. By contrast, quorum intersection holds despite every B ⊆ V. 5.4.2. Liveness. Another limitation of accepted statements is that other intact nodes maybeunabletoacceptthem.Thispossibilitymakesrelianceonacceptedstatements