
CCGrid23 GovernanceReconfiguration

This document proposes a solution called proportional governance reconfiguration to mitigate the formation of an oligarchy in blockchain governance. It does this in two parts: 1) Using a proportional multi-winner election protocol called Single Transferable Vote (STV) to elect governors proportionally and represent minority voters. 2) Automatically and periodically reconfiguring the governance to prevent an adversary from controlling governors over time. It develops a variant of STV called BFT-STV that works in an asynchronous Byzantine setting and preserves STV's proportionality guarantees. This is implemented as a smart contract to be compatible with blockchains.


Blockchain Proportional Governance Reconfiguration: Mitigating a Governance Oligarchy

Deepal Tennakoon, University of Sydney, Sydney, Australia
Vincent Gramoli, University of Sydney, Sydney, Australia

Abstract—Blockchain governance is paramount to lead securely a large group of users towards the same decisions without disputes about the legitimacy of a blockchain instance over another. As of today, there is no efficient way of protecting this governance against an oligarchy. This paper aims to offer a new dimension to the security of blockchains by proposing a solution known as proportional governance reconfiguration. This solution mitigates the formation of an oligarchy by (1) electing governors proportionally using a proportional multi-winner election protocol (2) reconfiguring the governance automatically and periodically. The proportional governance reconfiguration relies on a Solidity based implementation making it compatible and usable in many smart contract supported blockchains. We prove our solution solves the proportional governance problem and we evaluate our solution on two smart contract supporting blockchains Ethereum-PoA and Smart Redbelly Blockchain. Our results indicate that our proportional governance can elect 200 governors within 6-12 minutes when 1000 voters from 5 continents vote for 500 candidates.

Index Terms—Blockchain, Governance, Reconfiguration

I. INTRODUCTION

The notion of governance, which is generally understood as the processes relied upon to make decisions and modify the protocol, has become an important topic in blockchain [1], [2], [3]. In the context of blockchains, governance can include decisions such as updating the blockchain protocol, varying blockchain parameters (e.g., changing the block period), and deciding upon a block to be executed (e.g., reaching consensus) [3], [4]. The absence of governance has led users to create dissident instances of the two largest blockchains: Bitcoin is now split into BTC and BCH while Ethereum is now split into ETH and ETC [5], [6].

A pernicious threat in blockchain governance is the risk of an attacker controlling an oligarchy amongst the governors. If this happens the oligarchy can dictate the decisions to modify the blockchain protocol making the blockchain governance centralized. There are two methods which can create an oligarchy in blockchain governance.

First, an oligarchy can be formed in the blockchain governance through the governance election process. More specifically, modern blockchains, which have mostly replaced Proof-of-Work (PoW) with Proof-of-Stake (PoS) to improve performance, elect governors based on their stake providing more opportunities to those that have a higher stake to become governors [7], [8], [3], [9]. Given the skewed distribution of wealth, this can inadvertently create an oligarchy.

Second, an adversary can form an oligarchy by corrupting governors in a committee with a bribe. Such bribery attacks on governors are a potent threat because governors in blockchains are usually limited in number [9], [3] and therefore forming an oligarchy among such a limited set is not as challenging as bribing an entire network of blockchain nodes.

To mitigate the two aforementioned methods of forming an oligarchy of governors, we propose proportional governance reconfiguration that is compatible with smart contract supported blockchains.

The first part of proportional governance reconfiguration is the proportional governance to tackle the formation of an oligarchy among governors through the election process. Proportional governance selects governance users or governors that proportionally represent the voters. This is to prevent an adversary from creating an oligarchy in the governance. Proportionality is a concept widely used in social choice theory to elect a set of candidates fairly to a legislative body [10]. In general terms, proportionality ensures that a diverse set of candidates are elected ensuring even the minority voters are represented in a legislative body.

As multiple governors need to be elected to a blockchain governance committee, we needed a multi-winner election protocol. Thus, we used the Single Transferable Vote (STV) protocol [11], used for example to elect the Australian senate [12]. STV outputs a set of candidates proportionally representative of the voted preferences. However, the STV protocol is synchronous: a voter simply has to cast a vote within a limited known period of time for its vote to be counted when tallying votes. Blockchains instead operate in a general network (e.g., the Internet) where the communication is not synchronous¹ and where Byzantine nodes can arbitrarily delay messages. Thus, the STV protocol executing on a blockchain with n nodes that waits for votes from all n nodes cannot progress if Byzantine voters do not cast votes. This is because one cannot distinguish a slow voter from a Byzantine voter due to the upper bound on the message delay being unpredictable.

¹ Synchronous communications assume the transmission delay of the messages/votes sent over the communication links is bounded by a known value [13]
| Blockchain | Election | Proportional Governance |
|---|---|---|
| Tendermint [16] | None | no |
| Algorand [7] | Sortition | no |
| Hybrid consensus [17] | PoW puzzle | no |
| Zilliqa [18] | PoW puzzle | no |
| OmniLedger [19] | Sortition | no |
| RapidChain [15] | PoW puzzle | no |
| ComChain [20] | None | no |
| Libra [21] | None | no |
| SmartChain [22] | None | no |
| Polkadot [23] | Multi-winner approval voting | no |
| EOS [9] | Multi-winner approval voting | no |
| This work (compatible with any blockchain) | Multi-winner preferential voting | yes |

TABLE I. BLOCKCHAINS WITH GOVERNANCE RECONFIGURATION DO NOT SOLVE THE PROPORTIONAL GOVERNANCE PROBLEM (DEF. 1)

To solve this problem, we develop a variant of STV known as BFT-STV that offers (1) the same proportionality guarantees as STV, (2) does not assume synchrony and (3) works in a Byzantine setting s.t. at most t < n/3 of n voters are Byzantine (we denote f ≤ t as the actual number of Byzantine voters). The ratio of f comes from (i) the need for voters to reach consensus on the new set of governors and (ii) the impossibility of solving consensus with f ≥ n/3 Byzantine participants in blockchains under the general setting [14]. We implement BFT-STV in a smart contract to make our proportional governance pluggable and compatible with smart contract supported blockchains.

The second part of proportional governance reconfiguration is the governance reconfiguration to reduce the risk of forming an oligarchy through bribery. During reconfiguration, the current governors are replaced with new governors based on an election outcome. Such reconfigurations are used in notable prior work to mitigate bribery attacks [15], [7], [3]. By periodically selecting a diverse set of governors proportionally representative of a sample set, the formation of an oligarchy through bribery among governors can be mitigated. The problem is if the current governors do not reconfigure upon the selection of a set of new governors, the blockchain service would create a split, leading users to create dissident instances of the same blockchain [5], [6]. Instead, if all users initially joining agree that the blockchain self-reconfigures upon a special smart contract execution, then no split can occur. Thus, our work proposes an automatic governance reconfiguration protocol that rotates governors based on a smart contract output.

To the best of our knowledge, the proportional governance reconfiguration we propose is the first solution that (1) mitigates an oligarchy among governors and (2) is pluggable and compatible with smart contract supported blockchains due to its generality and smart contract based implementation.

In summary, this paper defines the proportional governance reconfiguration problem (§III), designs a solution for it known as the proportional governance reconfiguration that is compatible and pluggable with many smart contract supported blockchains (§IV and §V), proves the solution correct (§IV-E) and evaluates the solution (§VI). Our proposed solution offers the following practical contributions:

• We introduce the first Byzantine fault tolerant multi-winner election protocol, called BFT-STV to elect a set of governors proportionally in order to mitigate an oligarchy among governors (§IV). BFT-STV is a new primitive that augments the STV election protocol to work in a setting where at most t < n/3 Byzantine voters exist among n voters without assuming synchrony (we denote f ≤ t as the actual number of Byzantine voters). As it is impossible to distinguish a non-responsive Byzantine voter from a delayed message, we introduce a new election quota $q_B = \frac{n-t}{k+1}$ where k is the size of the committee. Interestingly, we show that our BFT-STV protocol preserves the proportionality of STV while ensuring termination (§IV-E).

• We implement this new protocol in a smart contract written in the Solidity programming language, making our protocol easily compatible and pluggable with smart contract supported blockchains [24], [25], [26], [27] (one can reimplement our protocol to make it work with a different smart contract programming language). Implementing the BFT-STV protocol on a smart contract comes with its own technical challenges. First, smart contracts are public, thus to preserve privacy of votes to avoid strategic voting, we employ a commit-reveal scheme (§IV-B). Second, the STV algorithm and our BFT-STV adaptation of it is NP-hard. Executing such an algorithm on a smart contract leads to poor performance. Due to this reason, we integrate an election sharding scheme to make our solution scalable (§IV-D).

• The BFT-STV smart contract alone is not sufficient to action the outcome of the election to reconfigure the blockchain. Thus, we introduce a novel and automatic reconfiguration protocol that rotates governor sets periodically based on the BFT-STV smart contract output. The periodic reconfiguration of governors helps mitigate bribery attacks launched by slowly-adaptive adversaries [19], [15]. This mitigates the formation of an oligarchy among governors. In particular, our protocol revokes permissions of existing governors to elect new governors periodically before a large portion of them could be bribed forming an oligarchy.

• We prove that our protocols are correct (§IV-E and §V). In particular, we also show that BFT-STV satisfies proportionality without assuming synchrony. Our world-scale evaluations of BFT-STV with 200 validators of Ethereum-PoA and Smart Redbelly Blockchain [27] spanning 5 continents can elect 200 governors from 500 candidates with 1000 voters casting ballots within 6-12 minutes (§VI).

In the remainder of this paper, we present the background and motivations (§II), and the proportional governance reconfiguration problem (§III). Next, we present our solution to this problem in §IV and §V along with proofs that our solution solves the proportional governance reconfiguration problem. In §VI, we evaluate our solution. Finally, we present the related work (§VII) and conclude (§VIII).
Fig. 1. If blockchain nodes disagree on a protocol update then they may start accepting distinct blocks, which results in a hard-fork with a classic version of the blockchain (e.g., ETC, BTC) and a new version of it (e.g., BCH, ETH).

II. BACKGROUND AND MOTIVATIONS

A. Importance of blockchain governance

The notion of governance in blockchains, which encompasses the processes followed to make decisions impacting the blockchain protocol has become an important topic recently [1], [2], [3]. The governance structure includes the identity of parties capable of suggesting changes, the avenue through which such changes are proposed, the users capable of deciding the changes and the parties implementing these changes. Due to the large number of users of a blockchain, governance is especially relevant to lead this large cohort towards a common goal. With a lack of governance, the divergence of opinions may result in the split of the blockchain into multiple instances sharing a common transaction history but accepting distinct transactions.

As an example, consider Figure 1, where blockchain node 1 rejects a software upgrade and keeps accepting old-formatted blocks whereas blockchain node 2 accepts this upgrade and starts accepting blocks in a new format, leading to a hard fork. The two largest blockchains were victims of such splits: Bitcoin is now split into BTC and BCH [6] whereas Ethereum is now split into ETH and ETC [5]. The absence of governance can draw blockchain users into such clashes.

B. Preventing governance oligarchy

The biggest challenge is to prevent an attacker from obtaining the control of the governance potentially forming an oligarchy. This is usually tackled through making the governance decentralized across multiple governors. However, having a fixed set of governors can expose these governors to bribery attacks [7], [15], [19], [28].

As blockchains typically handle valuable assets, several works already noted the risk for a user to bribe other users to build an oligarchy capable of stealing these assets [29]. Most of these works explicitly assume a slowly-adaptive adversary [15], [30], [19] that can corrupt a limited number of nodes between consensus epochs but cannot corrupt participants during an epoch.

To reduce the chances that governance users, or governors being bribed, forming an oligarchy, the aforementioned works propose governance reconfigurations [7], [15], [19], [28]. None of these works solve the proportional governance reconfiguration problem (§III).

C. Social choice theory with Byzantine fault tolerance

To propose meaningful properties for blockchain governance, we draw inspiration from classic work on social choice theory. Given a set of n voters, each casting an ordinal ballot as a preference order over all m candidates, a multi-winner election protocol outputs a winning committee of size k.

Black [31] was the first to define the proportionality problem where elected members must represent “all shades of political opinion” of a society.

Dummett [32] introduced fully proportional representation to account for ordinal ballots, containing multiple preferences. Given a set of n voters aiming at electing a committee of k governors, if there exists 0 < ℓ ≤ k and a group of ℓ · q_H who all rank the same ℓ candidates on top of their preference orders, then these ℓ candidates should all be elected. However, it builds upon Hare’s quota q_H, which is vulnerable to strategic voting whereby a majority of voters can elect a minority of seats [33]. This problem was solved with the introduction of Droop’s quota q_D as the smallest quota such that no more candidates can be elected than there are seats to fill [11].

Woodall [34] replaces Hare’s quota with Droop’s quota $q = \lfloor \frac{n}{k+1} \rfloor$ and defines the Droop proportionality criterion as a variant of the fully proportional representation property: if for some whole numbers j and s satisfying 0 < j ≤ s, more than j · q_D of voters put the same s candidates (not necessarily in the same order) as the top candidates in their preference list, then at least j of those s candidates should be elected. This is the property we target in this paper and we simply rename it proportionality (Def. 1).

It is known that the First-Past-The-Post (FPTP) single-winner election and the Single Non-Transferrable Vote (SNTV) multi-winner election cannot ensure fully proportional representation [35]. The reason is that voters can only reveal their highest preference.

This property can however be achieved using the Single Transferable Vote (STV) algorithm. In STV, candidates are added one by one to the winning committee and removed from the ballots if they obtain a quota q of votes. STV is used to elect the Australian senate and is known to ensure fully proportional representation.

Unfortunately, this protocol is synchronous [36] in that its quotas generally rely on the number of votes n received within a maximum voting period. As one cannot predict the time it will take to deliver any message on the Internet, one cannot distinguish a slow voter from a Byzantine one. Considering n as the number of governors or potential voters among which up to t can be bribed or Byzantine, our protocol only waits for at most n − t votes to progress without assuming synchrony. Waiting for n − t prevents us from guaranteeing that the aforementioned quotas can be reached. We thus define a new quota called the Byzantine quota $q_B = \lfloor \frac{n-t}{k+1} \rfloor$ such that t < n/3 and reduce the number of needed votes to start the election to n − t. Based on q_B, we propose BFT-STV that extends STV for a Byzantine fault tolerance environment. We also show that BFT-STV satisfies proportionality without assuming synchrony (§IV-E). Of course, up to t of these n − t ballots may be cast by Byzantine nodes, however, we show in Theorem 2 that no adversary controlling up to t Byzantine nodes can act as a dictator, a property known as non-dictatorship proposed by Arrow [37].
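The Droop proportionality criterion with the Byzantine quota described above can be checked mechanically on a set of received ballots. The following Python is an added example, not code from the paper: the STV tally is a generic one with fractional surplus transfer, and the function names, the tie-break rule, the parameters (n = 22, t = 7, k = 2, chosen so that (n − t)/(k + 1) is an integer) and the ballots are assumptions constructed for illustration.

```python
from collections import Counter
from fractions import Fraction

def byzantine_quota(n, t, k):
    """q_B = floor((n - t) / (k + 1)), defined for t < n/3."""
    if not 3 * t < n:
        raise ValueError("requires t < n/3")
    return (n - t) // (k + 1)

def top_choice(ballot, out):
    """First candidate on the ballot that is neither elected nor eliminated."""
    return next((c for c in ballot if c not in out), None)

def stv(ballots, k, quota):
    """Generic STV tally (assumption, not the paper's listing): elect a candidate
    whose tally exceeds the quota and pass on only the surplus; otherwise
    eliminate the lowest candidate. Ties are broken by candidate name."""
    weights = [Fraction(1)] * len(ballots)
    candidates = sorted({c for b in ballots for c in b})
    elected, eliminated = [], set()
    while len(elected) < k:
        out = set(elected) | eliminated
        remaining = [c for c in candidates if c not in out]
        if len(remaining) <= k - len(elected):
            elected += remaining            # enough seats for everyone left
            break
        tally = {c: Fraction(0) for c in remaining}
        for b, w in zip(ballots, weights):
            c = top_choice(b, out)
            if c is not None:
                tally[c] += w
        leader = min(remaining, key=lambda c: (-tally[c], c))
        if tally[leader] > quota:
            keep = (tally[leader] - quota) / tally[leader]
            for i, b in enumerate(ballots):
                if top_choice(b, out) == leader:
                    weights[i] *= keep      # only the surplus moves on
            elected.append(leader)
        else:
            eliminated.add(min(remaining, key=lambda c: (tally[c], c)))
    return elected

def sntv(ballots, k):
    """Single non-transferable vote: the k largest first-preference counts win."""
    firsts = Counter(b[0] for b in ballots)
    return sorted(firsts, key=lambda c: (-firsts[c], c))[:k]

def proportionality_violations(ballots, elected, k, quota):
    """For 0 < j <= s <= k: if more than j * quota ballots share the same
    top-s set, at least j members of that set must be elected.
    Returns (bloc, bloc size, seats owed, seats won) for every violation."""
    violations = []
    for s in range(1, k + 1):
        blocs = Counter(frozenset(b[:s]) for b in ballots if len(b) >= s)
        for bloc, size in blocs.items():
            # largest j <= s with size > j * quota (quota is an integer here)
            j = min(s, (size - 1) // quota) if quota > 0 else s
            won = len(bloc & set(elected))
            if j > 0 and won < j:
                violations.append((sorted(bloc), size, j, won))
    return violations

# Constructed scenario: n = 22 voters, t = 7, so n - t = 15 ballots are counted.
N, T, K = 22, 7, 2
BALLOTS = (
    [["A", "B", "C", "D"]] * 5 + [["B", "A", "C", "D"]] * 4 +   # majority bloc
    [["C", "D", "A", "B"]] * 3 + [["D", "C", "A", "B"]] * 3     # minority bloc
)
Q_B = byzantine_quota(N, T, K)

if __name__ == "__main__":
    for name, committee in (("STV with q_B", stv(BALLOTS, K, Q_B)),
                            ("SNTV", sntv(BALLOTS, K))):
        print(name, committee,
              proportionality_violations(BALLOTS, committee, K, Q_B))
```

The six minority ballots exceed q_B = 5, so the criterion owes the bloc {C, D} one seat: the STV tally gives it one, while the first-preference count seats only the majority's candidates.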
III. THE PROPORTIONAL GOVERNANCE RECONFIGURATION PROBLEM

Our goal is to solve the proportional governance reconfiguration problem to mitigate a governance oligarchy in blockchains. The proportional governance reconfiguration problem encapsulates (1) the proportional governance problem (§III-B) and (2) the governance reconfiguration problem (§III-C). To put it simply, first we offer a blockchain governance that allows distributed users to elect a committee of governors proportionally representative of the voters and without dictatorship, which solves the proportional governance problem (§III-B). Second, we mitigate bribery attacks by periodically changing the governors, which solves the governance reconfiguration problem (§III-C).

In this section, we first present the computation model (§III-A) before defining the proportional governance problem (§III-B), the governance reconfiguration problem (§III-C) and the threat model (§III-D).

A. Byzantine fault tolerant distributed model

We consider a distributed system of n governor nodes also known as a governor committee, identified by public keys I and network identifiers (e.g., domain names or static IP addresses) A. We assume public key cryptography and that the adversary is computationally bounded. Hence, only the issuer of a transaction can sign it and any recipient can correctly verify the signature. Governor nodes (i) execute the consensus protocol in order to agree on a unique block to be appended to the chain and (ii) execute transactions and maintain a local copy of the state of the blockchain. Client nodes² simply send transaction requests to read from the blockchain (to check an account balance), transfer assets, upload a smart contract or invoke a smart contract. Candidate nodes m are nodes eligible to become governors and are voted upon by n current governors to be included in new governor sets periodically. We assume m >> k s.t. k is the target next governor committee size. The number of Byzantine nodes in the candidate nodes set is assumed to be f_c s.t. f_c ≤ m/4.

As we target a secure blockchain system running over an open network like the Internet, we consider the strongest fault model called the Byzantine model [39], where nodes can fail arbitrarily by, for example, sending erroneous messages or delaying messages. We assume that there is no known bound on the transmission delay of messages between nodes, a property called partial synchrony [36]. As governors execute consensus and consensus cannot be solved in our model with n/3 Byzantine nodes [39], we assume there are f ≤ n/3 Byzantine nodes among the governor nodes. We assume a slowly adaptive adversary as many prior works [40], [15], [19] such that the adversary can only corrupt/bribe nodes between governor reconfigurations (i.e., between committees). The slowly-adaptive adversary cannot bribe nodes within a committee due to its slowly adaptive nature. Note that a node that is not Byzantine is called correct.

² The term “client” is often used in Ethereum to refer to a node regardless of whether it acts as a server. We use client in the traditional sense of the client-server distinction [38].

B. Proportional governance problem

We refer to the proportional governance problem as the problem of designing a BFT voting protocol in which n voters rank m candidates to elect a committee of k governors (k < m and m > n) to ensure non-dictatorship as defined by Arrow [37] and proportionality as defined by Dummett [32], Woodall [34] and Elkind et al. [41] (cf. §II-C). The main distinction is that we adapt this problem from social choice theory to the context of distributed computing.

Definition 1 (The Proportional Governance Problem). The secure governance problem is for a distributed set of n voters, among which f ≤ t < n/3 are Byzantine, to elect a winning committee of k governors among m candidates (i.e., m > k) such that the following two properties hold:

• Proportionality: if, for some whole numbers j, s, and k satisfying 0 < j ≤ s ≤ k, more than j(n − t)/(k + 1) of voters put the same s candidates (not necessarily in the same order) as the top s candidates in their preference listings, then at least j of those s candidates should be elected.

• Non-dictatorship: a single adversary, controlling up to f < n/3 Byzantine voters, cannot always impose their individual preference as the election outcome.

The need for these two properties stems from our goal of guaranteeing proportional representation (proportionality) but also disallowing a coalition of Byzantine nodes from imposing their decision on the rest of the system (non-dictatorship). Note that the non-dictatorship property differs slightly from the original definition [37] that did not consider a Byzantine coalition. In particular, our property considers coalitions and prevents them from imposing their preference in “all” cases.

C. Governance reconfiguration problem

We refer to the governance reconfiguration problem as the problem of ensuring blockchain safety despite governance reconfiguration. We adopt the safety property from Garay et al. [42] and restated more recently by Chan et al. [43] to governance reconfiguration.

Definition 2 (The Governance Reconfiguration Safety). The first block stored locally after governance reconfiguration by any two correct governor nodes in the governance committee should be equal.

Any two correct governors in the same committee starting from the same block ensures that after the governance reconfiguration, governors start with the same state. Thus, when the governance committee executes the same set of totally ordered new transactions from clients, the state at any two correct governors remain identical since the start state is identical. This helps satisfy blockchain safety.
D. Threat model

As in previous blockchain work [30], [7], [15], [19], we assume a slowly adaptive adversary with a limited bribing power that cannot bribe governors within a committee but can only bribe/corrupt up to f_c nodes between reconfigurations such that f_c < m/4 where m is the candidates.

For the initial set of governors to be sufficiently diverse, we can simply select governors based on their detailed information. This can be done by requesting initial candidates to go through a Know-Your-Customer (KYC) identification process, similar to the personal information requested from the Ethereum proof-of-authority network users before they can run a validator node [44]. A set of governors could then be selected depending on the provided information while ensuring multiple governors are not from the same jurisdiction, they are not employed by the same company, they represent various ethnicities, they are of balanced genders, etc.

1) Bribery attack: Limiting the number of nodes responsible to offer the blockchain service as done in recent open blockchains [45] exposes the service to a bribery attack [29], which is an act of offering something to corrupt a participant. This is because it is typically easier to bribe fewer participants. In particular, as consensus cannot be solved with at least n/3 Byzantine processes among n when message delays are unknown [36], it is sufficient to bribe n/3 governors to lead correct governors to disagree on the next block appended to the blockchain and thus create a fork in the blockchain. The attacker can then exploit this fork to have its transaction discarded by the system and then re-spend the assets he supposedly transferred in what is called a double spending. Our reconfiguration protocol mitigates such a bribery attack in the presence of a slowly-adaptive adversary by re-electing n new governors from m candidates that execute the consensus protocol every x blocks. This is how we mitigate the risk of n/3 of the current governors getting bribed that can form an oligarchy. More specifically, due to the assumption of a slowly adaptive adversary that bribes/corrupts at most f_c candidate nodes s.t. f_c < m/4, a governance committee k periodically elected proportionally from a diverse set m will have f < n/3 with high probability (A reasonable assumption made in prior work given that m >> k). Within the governance committee period this f will remain static as the slowly-adaptive adversary can only corrupt nodes between reconfigurations.

2) Sybil attacks: A Sybil attack consists of impersonating multiple identities to overwhelm the system—in the context of votes, a Sybil attack could result in an adversary voting with multiple identities to alter the outcome of an election. Proof-of-stake based voting approaches weigh a ballot cast by a voter based on the coins they have staked. Thus, minimizing the impact on the election outcome if an adversary splits their stake among multiple identities and cast ballots. We adopt a solution that consists of providing authenticating information, in the form of know-your-customer (KYC) data, in exchange for the permission to vote for governors, or be a governor candidate. This authentication copes with Sybil attacks by preventing the same authenticated user from using distinct node identities to cast votes.

Fig. 2. The smart contract that implements the BFT-STV protocol is on-chain ➊, takes as an input a set of at least (n − t) ballots (each ranking k candidates among m) cast by (n − t) voters among the n governors ➋ and outputs a committee of k elected nodes ➌ to play the role of the new governors. Note that the last committee of governors elected will then vote for the next committee of governors ➋ and so on (one can fix k = n so that the committee size never changes).

IV. BYZANTINE FAULT TOLERANT PROPORTIONAL GOVERNANCE

In this section, we present how to elect, despite f ≤ t < n/3 Byzantine nodes, a diverse set of governors to mitigate the formation of an oligarchy. The idea is to allow a set of n blockchain nodes that are current governors to vote and elect the committee of next governors proportionally representing the current governor votes.

To this end, we propose the Byzantine Fault Tolerant Single Transferrable Vote (BFT-STV) smart contract that solves the proportional governance problem (Def. 1).

A. Overview

In order to guarantee that the election solves the proportional governance problem (Def. 1), we designed the BFT-STV algorithm and implemented it as a smart contract. In this section, we present the high level pseudo code of the BFT-STV algorithm. To bootstrap, the initial permissions to vote are obtained by n initial governors after identification using KYC to ensure diversity and prevent Sybil attacks (§III-D2). Recall that governors cannot use the classic STV algorithm to elect a new committee as the smart contract has to progress despite up to t < n/3 Byzantine voters not casting proper ballots and as the upper-bound on the message delay is unpredictable. As depicted in Figure 2, the BFT-STV smart contract takes, instead, as an input n − t ballots cast by the voters that are governors. Each ballot consists of a rank of all the candidates, hence the name ordinal ballot. Once the threshold n − t of cast ballots is reached, the BFT-STV contract selects the governors based on the preference order indicated in the n − t ballots. Traditionally, the STV algorithm consists of counting which candidates received a number of votes that exceed the quota $q_D = \frac{n}{k+1}$ where k is the size of the governance committee to be elected. However, as there can be at most t Byzantine nodes among the voters, we introduce the Byzantine quota
$q_B = \frac{n-t}{k+1}$ (denoted q when clear from the context). We will explain how the blockchain replaces the current governors by the newly elected committee of governors in Section §V.

Initial state:
    k, the size of the targeted committee.
    n, the number of voters.
    t, an upper bound on the number f of byzantine replicas, f ≤ t.
    m, the number of candidates per ballot.
    v, a mapping from candidates to their number of votes.
    ballots, the set of received ordinal ballots, initially empty.
    C ⊆ I, the set of candidates.
    E ⊆ C, the set of eliminated candidates, initially empty.
    S ⊆ C, the set of winning candidates, initially empty.
    pref[ballot] = index, a map of ballot and its current preference index.
    voted[vAddr] = false, a map of voter addresses and whether voted.
    privateVotes[vAddr] = hashVote, a map of voter addr. and priv. vote (ballot).
    count_private, no. of private votes.
    Sender[vAddr] = b, a map of voter addr. and ballot.

commitVote(hashVote):
    if voted[vAddr] == false then                  ▷ prevents double voting
        privateVotes[vAddr] ← hashVote             ▷ store priv. votes for voters
        count_private ← count_private + 1          ▷ no. priv. votes received
        voted[vAddr] ← true                        ▷ vAddr has voted
        if count_private == n − t then
            votingEnded ← true
            emit "threshold of votes reached"      ▷ notify all priv. votes are received

reveal(b, h):
    if votingEnded == true then                    ▷ voters reveal votes if election ended
        if hash(b) == h & privateVotes[vAddr] == h then    ▷ hashes eq.
            if well-formed(b) then ballots ← ballots ∪ {b}
            if (ballots has n − t ballots from distinct voters revealed) then

Initial state:
    k, the size of the targeted committee.
    n, the number of voters.
    t, an upper bound on the number f of byzantine replicas, f ≤ t.
    q_B = (n − t)/(k + 1), the quota of votes to elect a candidate.
    C ⊆ I, the set of candidates.
    E ⊆ C, the set of eliminated candidates, initially empty.
    S ⊆ C, the set of winning candidates, initially empty.
    X ⊆ C, the set of excess candidates, initially empty.

STV_B(v, ballots, pref):
    if ∃c | v[c] > q_B then                        ▷ if the quota is exceeded
        S ← S ∪ {c}                                ▷ elect candidate
        X ← X ∪ {c}                                ▷ save candidates that exceed quota in X
        x[c] ← v[c] − q_B                          ▷ excess vote from candidate c
        for all b ∈ ballots do                     ▷ for each ballot
            if b[pref[b]] = c and c ∈ X then       ▷ if current ballot pref = one of X
                count[c] ← count[c] + 1            ▷ the number of candidates c
                pref-next[b] ← pref[b] + 1         ▷ point to next preferred candidate
                while b[pref-next[b]] ∈ (S ∪ E) do ▷ while the candidate is ineligible
                    pref-next[b] ← pref-next[b] + 1    ▷ try next pref. pointer
                if b[pref-next[b]] ∉ (S ∪ E) then  ▷ if eligible candidate found
                    pref[b] ← pref-next[b]         ▷ move the preference pointer
                    z ← b[pref-next[b]]            ▷ next preferred candidate in ballot
                    cand-next ← cand-next ∪ {⟨c, z⟩}   ▷ current & next candidates
                    count[z] ← count[z] + 1        ▷ the number of candidates z
        for all unique ⟨c, z⟩ ∈ cand-next do       ▷ transfer excess votes
            v[z] ← v[z] + x[c] · (count[z]/count[c])   ▷ to next candidates
    if ∀c : v[c] ≤ q_B then                        ▷ if no candidates exceed the quota in the round
        E ← (E ∪ t | t = min_∀c (v[c]))            ▷ eliminate candidate with least votes
        transfer-vote ← v[t]
        v[t] ← 0                                   ▷ reset votes of least candidate to 0
        for all b ∈ ballots do
            while s < size do
                if b[s] = t then                   ▷ store ballot and preference index...
                    elimpointer ← elimpointer ∪ (b, s)  ▷ ...of least voted cand.
29: change-committee(ballots) ▷ replace committee 80: s←s+1 ▷ Increment preference
81: for all (b, s) ∈ elimpointer do
30: change-committee(ballots): ▷ replace committee 82: if b[s] = m ∧ m ∈ E then ▷ If preference s of ballot b is eliminated
31: for all b ∈ ballots do ▷ for each received ballot 83: pref-next[b] ← s + 1
32: if (b[0] = c such that c ∈ C) then 84: count[m] ← count[m] + 1 ▷ count of candidates m in all ballots
33: v [c] ← v [c] + 1 ▷ # 1st pref = c 85: while b[pref-next[b]] ∈ (S ∨ E) do ▷ until candidate is found
34: pref [b] ← 0 ▷ assign pref. index of b to the first preference/index 0 86: pref-next[b] ← pref-next[b] + 1 ▷ ...increment pref. pointer
35: round ← 0 ▷ first round 87: if b[pref-next[b]] ̸∈ S ∪ E then
36: while (|S| < k) do ▷ until the new committee is full 88: pref [b] ← pref-next[b] ▷ move the preference pointer
37: S ← STVB (v, ballots, pref ) ▷ invoke classic STV 89: z ← b[pref-next[b]]
38: round ← round + 1 ▷ increment round number 90: cand-next ← cand-next ∪ (m, z) ▷ least voted & next cand.
39: if (|C| − |E| = k) then break ▷ stop eliminating 91: count[z ] ← count[z ] + 1 ▷ the number of candidates z
40: for all b ∈ ballots do ▷ for each ballot 92: for all unique (m, z) ∈ cand-next do ▷ transfer from least voted cand.
41: for (j = 0; j < m; j++) do ▷ each candidate in decreasing pref. order 93: v [z ] ← v [z ] + transfer-vote · (count[z ]/count[m])
42: if (|S | < k ∧ b[j] ∈ C \ S \ E) then ▷ if eligible 94: X ← null
43: S ← S ∪ {c} ▷ select c 95: return S ▷ return the set of winning candidates
44: emit S ▷ explicitly emit committee
Algorithm 2: Threshold Single Transferable Vote (Threshold-
Algorithm 1: Threshold Single Transferable Vote (Threshold- STV) - Part 2
STV) - Part 1
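The effect of the Byzantine quota on the count can be seen on a small election. The following Python code is an added example, not the paper's contract code: it counts the n − t revealed ballots once with the classic quota n/(k + 1) and once with qB = (n − t)/(k + 1). It uses the standard fractional surplus transfer rather than transcribing Alg. 2 line by line; the ballots, the candidate names and the alphabetical tie-break are constructed assumptions.

```python
from fractions import Fraction


def stv(ballots, candidates, k, quota):
    """Count ranked ballots; return (committee, candidates_that_exceeded_quota)."""
    weights = [Fraction(1)] * len(ballots)      # current value of each ballot
    elected, eliminated, reached = [], set(), []

    def top(ballot):
        # Highest preference that is still eligible (neither elected nor eliminated).
        for c in ballot:
            if c not in elected and c not in eliminated:
                return c
        return None                              # ballot is exhausted

    while len(elected) < k:
        continuing = [c for c in candidates
                      if c not in elected and c not in eliminated]
        # Alg. 1, line 39: nobody left to eliminate, the remaining candidates take the seats.
        if len(candidates) - len(eliminated) == k:
            elected.extend(continuing)
            break
        tally = {c: Fraction(0) for c in continuing}
        for ballot, w in zip(ballots, weights):
            c = top(ballot)
            if c is not None:
                tally[c] += w
        # Strict comparison with the quota, as in Alg. 2, line 55.
        over = sorted((c for c in continuing if tally[c] > quota),
                      key=lambda c: (-tally[c], c))
        if over:
            winner = over[0]
            # Surplus transfer: ballots held by the winner keep only the excess share.
            keep = (tally[winner] - quota) / tally[winner]
            for i, ballot in enumerate(ballots):
                if top(ballot) == winner:
                    weights[i] *= keep
            elected.append(winner)
            reached.append(winner)
        else:
            # No candidate exceeds the quota: eliminate the least-voted one
            # (ties broken alphabetically, an assumption of this example).
            loser = min(continuing, key=lambda c: (tally[c], c))
            eliminated.add(loser)                # its ballots move on at full weight
    return elected, reached


# Constructed election: n = 10 eligible voters, at most t = 3 Byzantine, k = 2 seats.
N, T, K = 10, 3, 2
CANDIDATES = ["A", "B", "C"]
# Only n - t = 7 ballots are revealed before counting starts (Alg. 1, line 28).
REVEALED = [["A", "B", "C"]] * 4 + [["B", "C", "A"]] + [["C", "B", "A"]] * 2


def compare_quotas():
    q_classic = Fraction(N, K + 1)          # qD = n / (k + 1)
    q_byz = Fraction(N - T, K + 1)          # qB = (n - t) / (k + 1)
    return {"qD": stv(REVEALED, CANDIDATES, K, q_classic),
            "qB": stv(REVEALED, CANDIDATES, K, q_byz)}


if __name__ == "__main__":
    for name, (committee, reached) in compare_quotas().items():
        print(name, "committee:", committee, "exceeded quota:", reached)
```

With qD only A exceeds the quota and the second seat is filled by the fallback of Alg. 1 (lines 39–43); with qB both seats go to candidates that exceed the quota.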

B. Byzantine Fault Tolerant Single Transferable Vote

Alg. 1 presents the main functions of the BFT-STV smart contract that the governors can invoke whereas Alg. 2 is the classic STV algorithm adapted to progress in a partially synchronous [36] environment and despite the presence of up to t Byzantine voters, hence its name STVB.

a) Commit votes: Initially, the governors cast their hashed ballots by invoking the function commitVote(·) at line 16 of Alg. 1. This prevents the ballot content of each voter from being known to other voters until the election counting begins. This is to mitigate strategic voting. Once governors cast n − t private votes in the form of ballot hashes, the BFT-STV smart contract emits a broadcast notifying governors that their respective ballots can be revealed to commence counting votes (lines 21-23).

b) Reveal votes: Governors/voters upon receiving the broadcast in line 23, invoke the reveal(·) function parsing the plain ballot b and the hash of this ballot h (line 24). If (1) hash of b equals h and (2) h equals the hash of the ballot previously stored in the commit phase for the same voter, then the validity of the ballot b is checked. Upon successful validation, the ballot b is added to the list of ballot ballots (lines 26-27). Note
that verifying the validity of a ballot involves checking that the governors have not voted for themselves on their ballots and there are no duplicated preferences. Once the smart contract receives n − t well-formed ballots the change-committee(·) function is invoked (line 29).

c) Count votes: The change-committee function starts by computing the score of the valid candidates as the number of votes they receive at lines 31–33. Valid candidates are initially selected through KYC (§III-D2) before being periodically voted upon by governors to be elected as the next set of governors. A preference pointer is initialized to the first preference of each ballot at line 34. Then a new round of the STV election process starts (lines 35–38). This execution stops once the committee of new governors is elected (line 36). If before the targeted committee is elected, the number of eliminated candidates has reached a maximum and no more candidates can be eliminated to achieve the target committee size, then the STV election stops (line 39). The remaining non-eliminated candidates are elected by decreasing order of preferences at lines 40–43 until the target committee size is reached. Finally, the smart contract emits the committee of elected candidates (line 44), which notifies the replicas of the election outcome.

C. Classic STV with the Byzantine quota

Alg. 2 presents the classic STV algorithm but using the new Byzantine quota qB by electing candidates whose number of votes exceed qB (line 55). This algorithm executes two subsequent phases: in the first phase (lines 54–71) the algorithm elects the candidates whose number of votes exceeds the quota qB = (n − t)/(k + 1); in the second phase (lines 72–94), the algorithm eliminates the least preferred candidate if no candidates received a number of votes that exceeds the quota. In each round of STV function call (line 37), when a candidate exceeds the quota (line 55), their excess votes are transferred to the next eligible preferences of the ballots that contain the candidate (line 71). In each round of ballot iteration, if no candidate has reached the quota, the candidate with the least vote(s) is eliminated (line 73). This candidate's excess votes are transferred to the next eligible preference of the ballots that contain the candidate that received the least votes (line 93). The elimination of candidates stops when no more candidates can be eliminated to achieve the committee size (line 39). At this point, even though the remaining candidates did not receive enough votes to reach the quota, they are elected as part of the committee (line 43).

D. Election sharding

As many modern blockchains cannot handle demanding smart contract workloads [46], executing the NP-hard BFT-STV algorithm on a smart contract with many voters and candidates is a challenging task. To tackle this challenge, when the number of voters n and candidates m are large, we shard the BFT-STV algorithm into smaller sub-elections. More specifically, our election sharding approach groups voters and candidates into N groups of equal size. Thus, a voter can only vote for candidates in their group. If there are N groups, each group can elect k/N governors to the committee such that the total elected governors is k in the end.

From a voting theory perspective, this sharding approach is exactly the same as dividing the seats in a main legislative body into electoral districts such that voters living in a specific electoral district only cast ballots for candidates from the same district. Thus, providing better representation in the legislative body for populations in each electoral district.

From a computer science perspective, sharding the BFT-STV elections as mentioned above makes the ordinal ballot sizes smaller as a voter only orders preferred candidates in their own group. This decrease in ballot sizes reduces CPU and memory usage of the blockchain node during BFT-STV contract execution helping us achieve election outcomes fast without losing ballots cast by voters. With this election sharding approach (§VI), we see that the BFT-STV smart contract can elect 200 governors from 500 candidates within 6-12 minutes when 1000 voters cast ballots. Thus, our approach is faster than many committee election methods [3], [47], [8].

E. Proofs of proportional governance

In this section, we show that BFT-STV (Alg. 1 and 2) solves the proportional governance problem (Def. 1). To this end, the first theorem shows that the BFT-STV protocol ensures Proportionality. As mentioned in §III-B, recall that n, m and k denote the number of voting governors, the number of candidates and the targeted committee size, respectively. Note that the proof holds even if Byzantine voters vote in the worst possible way.

Theorem 1. The BFT-STV multi-winner election protocol satisfies Proportionality.

Proof. By examination of the code of Alg. 1 and 2, the only difference between BFT-STV and STV is the number of votes needed to elect a candidate. STV typically starts with n received ballots whereas the BFT-STV starts the election as soon as (n − t) ballots are received (line 28 of Alg. 1), where t is the upper bound on the number f of Byzantine nodes and n is the total number of governors eligible to vote. This number of BFT-STV ballots is distributed among a larger number of candidates m. This can result in less than k candidates receiving enough votes to reach the classic STV quota where k is the size of the committee. By the Proportionality definition (Def. §III-B), we need to show that if j · (n − t)/(k + 1) voters put the same s candidates as the top s candidates in their ballot preference, then j of those s candidates will still be elected. The proof follows from [48, p. 48–49]: line 73 of Alg. 2 indicates that by elimination, and lines 40-43 of Alg. 1 indicates by electing the remaining non-eliminated candidates in decreasing preference order, we elect the required k seats if k candidates cannot reach the qB quota. Thus, we still elect the top j candidates such that j = s = k, satisfying proportionality.

The next theorem shows that the BFT-STV protocol ensures Non-dictatorship as defined in Def. 1.

Theorem 2. The BFT-STV multi-winner election protocol satisfies Non-dictatorship.

Proof. The proof shows the existence of an input of correct nodes for which a single adversary controlling f Byzantine nodes cannot have its preference ba be the winning committee. Let ba[−1] be the least preferred candidate of the adversary, we show that there exist preferences b1, ..., bn−f from correct nodes such that the winning committee includes ba[−1]. The result then follows from the assumption k < m.

By examination of the pseudocode, the winning committee is created only after receiving n − t correctly formatted ballots (line 28 of Alg. 1). By assumption, there can only be at most f ≤ t < n/3 ballots cast by Byzantine nodes. As a result, among all the n − t received ballots, there are at least n − 2t > n/3 ballots cast from correct nodes. In any execution, an adversary controlling all the Byzantine nodes could have at most f ballots as the adversary cannot control the ballot cast by correct nodes. Let b1, ..., bn−f be the ballots input by correct nodes to the protocol such that their first preference is the least preferred candidate of the adversary, i.e., ∀i ∈ {1, n − t} : bi = ba[−1]. Because f ≤ t < n/3, we know that ba[−1] will gain more votes than any of the other candidates, and will thus be the first to be elected (line 55 of Alg. 2). By assumption, we have k < m, which means that there is a candidate the adversary prefers over ba[−1] that will not be part of the winning committee. Hence, this shows the existence of an execution where despite having an adversary controlling f Byzantine nodes, the adversary preference is not in the winning governance committee.

V. AUTOMATIC GOVERNANCE RECONFIGURATION

In this section we present our governance reconfiguration protocol to mitigate bribery attacks that could form an oligarchy among governors. Subsequently, we prove that our reconfiguration protocol solves the governance reconfiguration safety (Def. 2).

Offering proportionality and non-dictatorship is not sufficient to cope with an adaptive adversary. In order to mitigate bribery attacks, we now propose a governance reconfiguration that complements the BFT-STV algorithm. The subsequent governance reconfiguration protocol assumes that all blockchain nodes in a network have the BFT-STV smart contract deployed at bootstrap time.

Alg. 3 allows switching from the current governance committee S0 to the new governance committee S elected with the BFT-STV smart contract (§IV). Note once a governor g : g ∈ S0 emits S (line 44 of Alg. 1), they immediately stop processing any further blocks.

1: initial:
2:   A is a set of IP addresses.
3:   BC is a set of blockchains s.t. Blockchain[start : end] ∈ BC.
4:   Elected: a set s.t. S ∈ Elected.
5:   count: a map between a governor sets received and its occurrences.
6:   Bcount: a map between a block and its occurrences in received prefixes.
7:   S: newly elected governor committee
8:   S0: current governor committee
9:
10: upon receiving S, Blockchain[start : end] from a governor in S0: ▷ recv. sc emits event from Alg.1, line 44 and bc prefix
11:   if g ∈ S0 & received[g] == false then ▷ prevents duplicate broadcast
12:     Elected ← Elected ∪ S
13:     BC ← BC ∪ Blockchain[start : end]
14:   for all S ∈ Elected do
15:     count[S] ← count[S] + 1
16:     if count[S] = n − t then
17:       threshold ← S ▷ received same S from n − t
18:   if threshold == S then
19:     for all bc ∈ BC do
20:       for all B ∈ bc do
21:         Bcount[B] ← Bcount[B] + 1 ▷ no. of block B in recv. prefix
22:         if Bcount[B] == n − t & B.index > highestIndex then ▷ B is in n − t gov. chains
23:           highestIndex ← B.index
24:           Bdecided ← B ▷ decided block so far
25:     for all ip ∈ S do ▷ for IPs in committee
26:       A ← A ∪ {ip} ▷ add the IP address
27:     close-connect ▷ stop connections with current governors
28:     connect(A) ▷ connect with elected governors in A
29:     if my-ip ∈ S then ▷ if I'm an elected governor
30:       init(Bdecided) ▷ init. governor with Bdecided and its state.
31:     threshold ← NULL ▷ reset variables
32:     Bcount ← NULL
33:     count ← NULL

Algorithm 3: Governance reconfiguration at a blockchain node

Once a blockchain node (i.e., candidate, governor, client) receives from governor g : g ∈ S0 newly elected governors S and a blockchain prefix (line 10 of Alg. 3), the reconfiguration protocol commences. Note that duplicate broadcasts received by the same governor are not considered. First, every received S from a governor g : g ∈ S0 is added to Elected. Thus, Elected stores all received S from current governors (line 12 of Alg. 3). Next, every blockchain prefix Blockchain[start : end] received from a governor g : g ∈ S0 is stored in BC (line 13 of Alg. 3). The blockchain prefix contains a chain of blocks where the start index start is the first block decided in the blockchain of governor g when in S0 while the end index end is the last block decided in the blockchain of g when S was emitted by g.

Once a governor broadcasted event S is received n − t times (i.e., same S received n − t times) from n − t unique governors (line 17 of Alg. 3), that means at least n − 2t of the received S were from correct governors in the committee. Since f ≤ t < n/3, S is the correct governor committee elected. When this condition is met, Alg. 3 executing on every blockchain node finds the block with the highest index decided by n − t unique governors g : g ∈ S0 using the blockchain prefixes received (lines 19-24 of Alg. 3).

Subsequently, the reconfiguration protocol closes the existing network connection with the previous governor committee (line 27 of Alg. 3). Then, every blockchain node connects with the new governor committee (line 28 of Alg. 3). Finally, if the blockchain node is also a governor elected in S, these governors initialize themselves with Bdecided which is the highest index block decided by n − t governors from committee S0.

For sake of simplicity, we consider that nodes connect to the IP addresses of the new governors. The implementation could be easily adjusted so that nodes connect to a specific
node ID that uniquely identifies a node. Since every blockchain
node connects with the newly elected governor committee, (1)
clients can send requests to the new governor committee (2)
governors can reach consensus on governance decisions and
(3) governors can elect the next set of governors.
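The n − t thresholds of Alg. 3 can be exercised on a constructed message set. The following Python code is an added example and not the paper's implementation; the governor names, block hashes and the tuple layout of a message are assumptions made for illustration.

```python
from collections import Counter


def reconfigure(messages, current_committee, n, t):
    """Apply the thresholds of Alg. 3 to (sender, committee, prefix) messages.

    Returns (new_committee, decided_block), or None while no committee has
    been announced by n - t distinct governors of the current committee.
    A block is an (index, block_hash) pair.
    """
    seen = set()
    announced = Counter()      # committee -> distinct governors that emitted it
    prefixes = []              # one blockchain prefix per accepted governor
    for sender, committee, prefix in messages:
        # Line 11: only members of S0 count, and only their first broadcast.
        if sender not in current_committee or sender in seen:
            continue
        seen.add(sender)
        announced[frozenset(committee)] += 1
        prefixes.append(prefix)

    # Lines 14-17: a committee is accepted once n - t governors agree on it.
    agreed = [s for s, votes in announced.items() if votes >= n - t]
    if not agreed:
        return None
    new_committee = sorted(agreed[0])

    # Lines 19-24: highest-index block present in n - t received prefixes.
    block_votes = Counter(b for prefix in prefixes for b in set(prefix))
    confirmed = [b for b, votes in block_votes.items() if votes >= n - t]
    decided = max(confirmed, key=lambda b: b[0], default=None)
    return new_committee, decided


# Constructed run: n = 4 current governors, t = 1, so the threshold is n - t = 3.
S0 = {"g1", "g2", "g3", "g4"}
NEW = ["c1", "c2", "c3", "c4"]
CHAIN = [(10, "h10"), (11, "h11"), (12, "h12")]
MESSAGES = [
    ("g1", NEW, CHAIN),
    ("g2", NEW, CHAIN),
    # Byzantine governor: different committee and a forged chain suffix.
    ("g4", ["c1", "c2", "x8", "x9"], [(10, "h10"), (11, "f11"), (12, "f12")]),
    ("g4", NEW, CHAIN),            # duplicate broadcast from g4, ignored
    ("z9", NEW, CHAIN),            # sender is not a member of S0, ignored
    ("g3", NEW, CHAIN[:2]),        # correct governor that stopped at block 11
]

if __name__ == "__main__":
    print(reconfigure(MESSAGES[:5], S0, 4, 1))   # threshold not reached yet
    print(reconfigure(MESSAGES, S0, 4, 1))
```

Block 12 appears in only two accepted prefixes, so every node that processes these messages starts the new committee from block 11.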
Theorem 3. The governance reconfiguration (Alg. 3) satisfies
the Governance Reconfiguration Safety property.
Proof. By examination of Alg. 3 from the blockchain prefixes received from n − t governors that sent S, each correct blockchain node finds the common block with the highest index Bdecided of all n − t prefixes. This block is the highest confirmed/decided block by the governance committee S0 (lines 19-24 of Alg. 3). If a correct local blockchain node is elected to the new governance committee S, then this node initializes with Bdecided (line 30 of Alg. 3). Every newly elected correct governor node in S initializes with the same Bdecided. Thus, the first block locally stored after governance reconfiguration by any two correct governor nodes is equal satisfying our safety property.

VI. EVALUATION OF BYZANTINE FAULT TOLERANT PROPORTIONAL GOVERNANCE

A. World-scale evaluation

We evaluate our Byzantine Fault Tolerant Proportional Governance protocol on a world-scale to observe its feasibility. To this end, we integrated our solution to Ethereum PoA and Smart Redbelly Blockchain (SRBB) [27] which are two smart contract supporting blockchains on the slower and faster end of the blockchain spectrum. We used the Diablo blockchain benchmarking suite [46] that evaluates blockchains against pre-specified workloads. Our pre-specified workload consisted of 1000 voters (i.e., current governors) casting random ordinal ballots to 500 candidates to elect a committee of 200 governors using our BFT-STV smart contract. We employed 200 AWS c5.2xlarge EC2 instances of Ethereum PoA and SRBB [27], spanning 10 AWS regions and 5 continents. Each AWS instance represented 5 governors of the respective blockchain realising a total of 1000 governors (i.e., 200 × 5), a restriction we placed due to budgetary constraints. Finally, we used a transaction sending rate of 1000 TPS, and considered the number of Byzantine voters as t=333 (t < n/3).

Table II depicts the time taken in seconds for the BFT-STV smart contract to elect a committee of 200 governors when 1000 voters (i.e., current governors) cast random ordinal ballots to 500 candidates on Ethereum PoA and SRBB. Ethereum PoA takes 728 seconds (i.e., 12 minutes) to elect a committee of 200 governors while SRBB [27] which was recently found to yield better performance compared to modern blockchains like Algorand [7], Solana [25], and Avalanche [49], elected a committee of 200 governors within 358 seconds (i.e., 5.96 minutes).

Based on Table II, the BFT-STV algorithm executed on a smart contract was able to elect a committee of governors within 12 minutes in one of the slowest smart contract supported blockchains (i.e., Ethereum) and within half that time in a faster blockchain (i.e., SRBB [27]). In contrast, Polkadot [3] and Tron [47] elect a committee of governors in 24 hours and 6 hours respectively. EOS elects a committee of governors in 63 seconds [50] but elects only a small committee of 21 validators.

Blockchain     #voters  #ballots  #candidates  #governors  time (seconds)
Ethereum PoA   1000     1000      500          200         728
SRBB           1000     1000      500          200         358

TABLE II. BFT-STV: The time in seconds for 200 geo-distributed nodes of Ethereum PoA and SRBB representing 1000 voters (current governors) to elect 200 new governors from 500 candidates.

B. Micro-benchmarking the BFT-STV smart contract

In Figure 3 we present the performance of the BFT-STV smart contract with varying numbers of voters/governors and candidates. More specifically, Figure 3 presents the average BFT-STV smart contract execution time in seconds on a single SRBB [27] node over 3 runs for different numbers n and m of voters and candidates, respectively.

Fig. 3. The execution time of BFT-STV in SRBB as we vary the number of candidates (with 150 voters) and as we vary the number of voters (with 50 candidates)

In Figure 3, the top curve varies the number m of candidates whereas the bottom curve varies the number n of voters. More specifically, we varied the number n of voters and the number m of candidates from 50 to 150 to elect a committee of k = m/2 validators. Therefore, while we fixed m = 50 and varied n, we had to fix n = 150 to vary m up to 150. Varying m also allowed us to elect a varying committee of size k = m/2, showing the ability of BFT-STV to elect committees of dynamic size. We generated a random ordinal/ranked ballot for each voter in this benchmark. As our goal was to purely observe the BFT-STV smart contract execution, we only used a single node for this particular benchmark to avoid the execution times being distorted with the consensus times. We also considered t < n/3 (i.e., the number of Byzantine voters). The observations from Figure 3 are as follows:

1) First, we observe that the number of candidates m impacts the performance significantly with n = 150 voters, which confirms our expectation. However, we also observe that the raise decreases as m exceeds 100. We conjecture that this is due to the way the Ethereum Virtual Machine [24] in EVM-based blockchains garbage collects and alternates
between CPU resource usage for transaction execution and I/O usage to persist the information.

2) Second, we observe that when the number of voters increases with m = 50, the execution time increases sub-linearly: it doubles while the number of voters triples. This is because increasing the number n of voters helps candidates reach the quota qB of votes rapidly without transferring the vote excess. Hence, the committee is elected faster than expected and raises the execution time only slightly.

VII. RELATED WORK

In this section, we present the work related to blockchain governance. Table I provides a summary of such blockchains. For the sake of brevity, we omit the discussion of blockchains that assume synchrony [51], [24], [40], [49], [19], [15], [52].

A. Proof-of-stake blockchain governance

Algorand [7] assumes a slowly adaptive adversary to mitigate bribery like we do (§III-D). Algorand offers governance through sortition, the act of electing governors randomly among a set of candidates. To mitigate bribery attacks, Algorand replaces governors at each step of the consensus protocol within a consensus round. The key advantage of the sortition is its non-interactive cryptographic technique that prevents adversaries from predicting future governors. However, Algorand does not aim at offering proportionality as it does not execute a proportional election to select governors. The PoS based sortition used in Algorand can lead to an oligarchy among governors as nodes with more stake have more probability of being elected as governors.

Polkadot [23] rotates its governors every era, a period that lasts about one day, with a multi-winner election. Unlike our solution that employs KYC, Polkadot exploits a nominated proof-of-stake (NPOS). In NPOS, the chances of being elected as a governor is proportional to the stake a candidate possesses. Thus, despite using a multi-winner election, Polkadot favors the wealthiest, leaving the potential for an oligarchy to be formed within the governance.

EOS [9] runs a delegated multi-winner approval voting system to elect 21 governors. As opposed to BFT-STV (§IV), EOS exploits delegated proof-of-stake (DPOS) where token holders elect governors by casting a vote with a weight proportional to the token holder's stake. Thus, EOS [9] also favors the wealthiest to be elected as governors leaving the potential for an oligarchy to be formed among the governors.

In summary, the aforementioned solutions do not offer proportionality as each vote is based on the wealth or assets the corresponding voter owns: the more they own the higher weight their vote gets. Given the Pareto Principle [53] stating that few users typically own most of the resources (as an example in 2021, the wealthiest 1% of US citizens owned about 1/3 of the total wealth [54]), these approaches have the risk of forming an oligarchy of governors.

B. Proof-of-work blockchain governance

Zilliqa [18] requires a candidate to solve a PoW puzzle and produce a reconfiguration block to join a committee of governors. Thus, the election of the governance committee favors powerful nodes capable of solving the PoW puzzle fast. Such PoW blockchain governance mechanisms can lead to an oligarchy in the governance where the oligarchy consists of governors with the highest computation power.

C. BFT blockchain governance

The vast majority of Byzantine fault tolerant (BFT) blockchains assume that the list of governors is selected by an external service. As a result, no proportionality is offered. ComChain [20] lists the public keys of governors in configuration blocks but assumes that the new lists of governors are proposed by an external service. Similarly, Tendermint/Cosmos [55] lists the public keys of governors in blocks but associates a voting power to each validator based on its stake, hence risking the same bribery attacks as other proof-of-stake blockchains (§VII-A). SmartChain [22] also stores the committee public keys in dedicated reconfiguration blocks but simply grants governor credentials to every requesting node, without requiring an election. Libra [21] mentions a similar reconfiguration service but no details are provided regarding the selection of governors or whether this selection offers proportionality. As far as we know other BFT blockchains have a static set of governors, which makes them more vulnerable to bribery attacks and the formation of an oligarchy, including Stellar [56], SBFT [57], Concord [58] and Quorum [26].

VIII. CONCLUSION

We presented proportional governance reconfiguration to mitigate the formation of an oligarchy of governors in blockchain governance committees. Proportional governance reconfiguration is the first solution that embeds the following two contributions: (1) preventing an oligarchy among governors using proportionality (Def. 1) and automatic governance reconfiguration, and (2) providing compatibility with a wide range of smart contract supported blockchains [26], [7], [59]. We proved the proportional governance reconfiguration ensures proportionality and non-dictatorship (Def. 1) and implemented proportional governance on Ethereum-PoA and Smart Redbelly Blockchain [27] which are two smart contract supporting blockchains. Our evaluation showed that our proportional governance solution implemented as BFT-STV on a smart contract (Alg. 1) can elect 200 governors within 6-12 minutes when 1000 voters cast ordinal ballots to 500 candidates.

ACKNOWLEDGEMENTS

This work is supported in part by the Australian Research Council Future Fellowship funding scheme (#180100496) entitled “The Red Belly Blockchain: A Scalable Blockchain for Internet of Things” and the Ethereum Foundation.
REFERENCES

[1] F. Michelle, Blockchain Governance. Cambridge University Press, 2018, pp. 182–209.
[2] V. Zamfir, “Blockchain governance,” in Ethereum Community Conference, 2019, accessed: 2021-05-28, https://www.youtube.com/watch?v=PKyk5DnmW50.
[3] J. Burdges, A. Cevallos, P. Czaban, R. Habermeier, S. Hosseini, F. Lama, H. K. Alper, X. Luo, F. Shirazi, A. Stewart, and G. Wood, “Overview of polkadot and its design considerations,” arXiv, Tech. Rep. 2005.13456, 2020.
[4] “Block producers ranking - real time statistics,” accessed: 2020-11-14, https://eosauthority.com/producers_rank.
[5] L. Kiffer, D. Levin, and A. Mislove, “Stick a fork in it: Analyzing the ethereum network partition,” in Proceedings of the 16th ACM Workshop on Hot Topics in Networks, 2017, pp. 94–100.
[6] N. Webb, “A fork in the blockchain: Income tax and the bitcoin/bitcoin cash hard fork,” North Carolina Journal of Law & Technology, vol. 19, no. 4, 2018.
[7] Y. Gilad, R. Hemo, S. Micali, G. Vlachos, and N. Zeldovich, “Algorand: Scaling Byzantine agreements for cryptocurrencies,” in Proc. 26th Symp. Operating Syst. Principles, 2017, pp. 51–68.
[8] “The eth2 upgrades,” accessed: 2020-11-14, https://ethereum.org/en/eth2/.
[9] “EOS.IO technical white paper v2,” accessed: 2020-12-07, https://github.com/EOSIO/Documentation/blob/master/TechnicalWhitePaper.md#consensus-algorithm-bft-dpos.
[10] R. Dixon, “Fair criteria and procedures for establishing legislative districts,” Policy Studies Journal, vol. 9, no. 6, p. 839, 1981.
[11] N. Tideman, “The single transferable vote,” Journal of Economic Perspectives, vol. 9, no. 1, pp. 27–38, March 1995.
[12] “Proportional representation voting systems of australia’s parliaments,” 2021, accessed: 2021/06/04 – https://www.ecanz.gov.au/electoral-systems/proportional.
[13] R. Guerraoui and A. Schiper, “Fault-tolerance by replication in distributed systems,” in International conference on reliable software technologies. Springer, 1996, pp. 38–57.
[14] M. C. Pease, R. E. Shostak, and L. Lamport, “Reaching agreement in the presence of faults,” J. ACM, vol. 27, no. 2, pp. 228–234, 1980.
[15] M. Zamani, M. Movahedi, and M. Raykova, “Rapidchain: Scaling blockchain via full sharding,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’18. New York, NY, USA: Association for Computing Machinery, 2018, p. 931–948. [Online]. Available: https://doi.org/10.1145/3243734.3243853
[16] K. J., “Tendermint: Consensus without mining,” 2014.
[17] R. Pass and E. Shi, “Hybrid consensus: Efficient consensus in the permissionless model,” in 31st International Symposium on Distributed
[26] J. Chase, “Quorum whitepaper,” accessed: 2020-12-04, https://github.com/ConsenSys/quorum/blob/master/docs/Quorum%20Whitepaper%20v0.2.pdf.
[27] D. Tennakoon, Y. Hua, and V. Gramoli, “Smart Redbelly Blockchain: Reducing congestion for Web3,” in Proceedings of the 37th IEEE International Parallel & Distributed Processing Symposium (IPDPS), 2023.
[28] F. T. Lui, “An equilibrium queuing model of bribery,” Journal of Political Economy, 1985.
[29] J. Bonneau, “Why buy when you can rent? Bribery attacks on Bitcoin-style consensus,” in Financial Cryptography and Data Security Workshops, 2016, pp. 19–26.
[30] L. Luu, V. Narayanan, C. Zheng, K. Baweja, S. Gilbert, and P. Saxena, “A secure sharding protocol for open blockchains,” in CCS, 2016.
[31] D. Black, The Theory of Committees and Elections. Cambridge University Press, 1958.
[32] M. Dummett, Voting Procedures. Oxford University Press, 1984.
[33] J. L. . I. D. Hill, “To advance the understanding of preferential voting system - notes on the droop quota,” Voting matters, 2007.
[34] D. Woodall, “Properties of preferential election rules,” in Voting Matters, 1994, accessed: 04/05/2021, https://www.votingmatters.org.uk/ISSUE3/P5.HTM.
[35] P. Faliszewski, P. Skowron, A. Slinko, and N. Talmon, Multiwinner Voting: A New Challenge for Social Choice Theory. Lulu.com, 2017.
[36] C. Dwork, N. Lynch, and L. Stockmeyer, “Consensus in the presence of partial synchrony,” J. ACM, vol. 35, no. 2, pp. 288–323, 1988.
[37] K. J. Arrow, “A difficulty in the concept of social welfare,” Journal of Political Economy, vol. 58, no. 4, pp. 328–346, 1950.
[38] A. S. Tanenbaum and M. van Steen, Distributed systems - principles and paradigms, 2nd Edition. Pearson Education, 2007.
[39] L. Lamport, R. Shostak, and M. Pease, “The Byzantine generals problem,” ACM Trans. Program. Lang. Syst., vol. 4, no. 3, pp. 382–401, Jul. 1982.
[40] I. Abraham, D. Malkhi, K. Nayak, L. Ren, and A. Spiegelman, “Solida: A blockchain protocol based on reconfigurable byzantine consensus,” in 21st International Conference on Principles of Distributed Systems, 2017, pp. 25:1–25:19.
[41] E. Elkind, P. Faliszewski, P. Skowron, and A. Slinko, “Properties of multiwinner voting rules,” Social Choice and Welfare, vol. 48, no. 3, pp. 599–632, 2017.
[42] J. A. Garay, A. Kiayias, and N. Leonardos, “The bitcoin backbone protocol: Analysis and applications,” in 34th Annu. Int. Conf. the Theory and Applications of Crypto. Techniques, 2015, pp. 281–310.
[43] B. Y. Chan and E. Shi, “Streamlet: Textbook streamlined blockchains,” in Proceedings of the 2nd ACM Conference on Advances in Financial Technologies, 2020, pp. 1–11.
[44] poa.network, “Poa validator dapp,” 2022, accessed: 2022-22-04 - https://validators.poa.network/poa-dapps-validators.
Computing (DISC 2017). Schloss Dagstuhl-Leibniz-Zentrum fuer [45] T. Crain, C. Natoli, and V. Gramoli, “Red belly: a secure, fair and scalable
Informatik, 2017. open blockchain,” in IEEE Symposium on Security and Privacy (S&P),
[18] “The zilliqa technical whitepaper,” https://docs.zilliqa.com/whitepaper.pdf. May 2021, pp. 1501–1518. [Online]. Available: https://www.computer.
[Online]. Available: https://docs.zilliqa.com/whitepaper.pdf org/csdl/pds/api/csdl/proceedings/download-article/1t0x9nljvwI/pdf
[19] E. Kokoris-Kogias, P. Jovanovic, L. Gasser, N. Gailly, E. Syta, and [46] V. Gramoli, R. Guerraoui, A. Lebedev, C. Natoli, and G. Voron, “Diablo:
B. Ford, “Omniledger: A secure, scale-out, decentralized ledger via A benchmark suite for blockchains,” To appear in 18th European
sharding,” in IEEE Symposium on Security and Privacy (S&P), 2018, Conference on Computer Systems (EuroSys), 2023. [Online]. Available:
pp. 583–598. https://gramoli.github.io/pubs/Eurosys23-Diablo.pdf
[20] G. Vizier and V. Gramoli, “Comchain: A blockchain with Byzantine [47] D. Staff, “Tron governance: How to vote using trx,” accessed:2022-10-14,
fault tolerant reconfiguration,” Concurrency and Computation, Practice https://decrypt.co/resources/tron-governance-how-to-vote-using-trx.
and Experience, vol. 32, no. 12, Oct 2019. [48] S. Janson, “Thresholds quantifying proportionality criteria for election
[21] S. Bano, M. Baudet, A. Ching, A. Chursin, G. Danezis, F. Garillot, methods,” arXiv preprint arXiv:1810.06377, 2018.
Z. Li, D. Malkhi, O. Naor, D. Perelman, and A. Sonnino, “State [49] T. Rocket, “Snowflake to avalanche: A novel metastable
machine replication in the libra blockchain,” 2019, accessed: 2019-10- consensus protocol family for cryptocurrencies,” Tech. Rep.,
01, https://developers.libra.org/docs/assets/papers/libra-consensus-state- 2018, accessed: 2021-12-01. [Online]. Available: https://ipfs.io/
machine-replication-in-the-libra-blockchain.pdf. ipfs/QmUy4jh5mGNZvLkjies1RWM4YuvJh5o2FYopNPVYwrRVGV
[22] A. Bessani, E. Alchieri, J. Sousa, A. Oliveira, and F. Pedone, “From [50] G. A. F. Rebello, G. F. Camilo, L. Guimaraes, L. A. C. de Souza,
byzantine replication to blockchain: Consensus is only the beginning,” in and O. Duarte, “Security and performance analysis of quorum-based
50th Annual IEEE/IFIP International Conference on Dependable Systems blockchain consensus protocols,” Electrical Engineering Program,
and Networks, 2020, pp. 424–436. COPPE/UFRJ, Tech. Rep, 2020.
[23] A. Cevallos and A. Stewart, “A verifiably secure and proportional [51] S. Nakamoto, “Bitcoin: a peer-to-peer electronic cash system,” 2008.
committee election rule,” arXiv e-prints, pp. arXiv–2004, 2020. [52] V. K. Bagaria, S. Kannan, D. Tse, G. C. Fanti, and P. Viswanath,
[24] G. Wood, “Ethereum: A secure decentralised generalised transaction “Prism: Deconstructing the blockchain to approach physical limits,” in
ledger,” 2015, yellow paper. Proceedings of the 2019 ACM SIGSAC Conference on Computer and
[25] A. Yakovenko, “Solana: A new architecture for a high performance Communications Security, CCS 2019, London, UK, November 11-15,
blockchain v0. 8.13,” Whitepaper, 2018. 2019, 2019, pp. 585–602.

11
[53] V. Pareto, Cours d’Économie Politique: Nouvelle édition par G.-H.
Bousquet et G. Busino. Librairie Droz, 1964.
[54] R. Frank, “The wealthiest 10% of americans own a record 89% of all
u.s. stocks,” https://www.cnbc.com/2021/10/18/the-wealthiest-10percent-
of-americans-own-a-record-89percent-of-all-us-stocks.html. [Online].
Available: https://www.cnbc.com/2021/10/18/the-wealthiest-10percent-
of-americans-own-a-record-89percent-of-all-us-stocks.html
[55] tendermint.com, “Tendermint,” accessed: 2021-07-21 https://docs.
tendermint.com/master/.
[56] M. Lokhava, G. Losa, D. Mazières, G. Hoare, N. Barry, E. Gafni, J. Jove,
R. Malinowsky, and J. McCaleb, “Fast and secure global payments
with stellar,” in Proceedings of the 27th ACM Symposium on Operating
Systems Principles (SOSP), 2019, pp. 80–96.
[57] G. G. Gueta, I. Abraham, S. Grossman, D. Malkhi, B. Pinkas, M. K.
Reiter, D.-A. Seredinschi, O. Tamir, and A. Tomescu, “SBFT: a scalable
and decentralized trust infrastructure,” in Proceedings of the 49th
Annual IEEE/IFIP International Conference on Dependable Systems
and Networks (DSN), 2019.
[58] VMware, “Concord,” accessed: 2020-11-28, https://github.com/vmware/
concord.
[59] “Ethereum Proof-of-Authority Consortium - Azure,”
https://docs.microsoft.com/en-us/azure/blockchain/templates/ethereum-
poa-deployment. [Online]. Available: https://docs.microsoft.com/en-
us/azure/blockchain/templates/ethereum-poa-deployment
