Skip to main content

Configure QBFT consensus

Hyperledger Besu implements the QBFT proof of authority (PoA) consensus protocol. QBFT is the recommended enterprise-grade consensus protocol for private networks.

In QBFT networks, approved accounts, known as validators, validate transactions and blocks. Validators take turns to create the next block. Before inserting the block onto the chain, a super-majority (greater than or equal to 2/3) of validators must first sign the block.

Existing validators propose and vote to add or remove validators.

You can create a private network using QBFT.

caution

Configure your network to ensure you never lose more than 1/3 your validators. If more than 1/3 of validators stop participating, new blocks are no longer created, and the network stalls. It may take significant time to recover once nodes are restarted.

tip

You can use a plugin to securely store a validator's key using the --security-module option.

Genesis file

To use QBFT, define a genesis file that contains the QBFT properties.

The genesis file differs depending on the validator management method you intend to use.

note

You can use a transitions to change the blockperiodseconds or validator management method of the network at a later time.

{
  "config": {
    "chainid": 1337,
    "berlinBlock": 0,
    "qbft": {
      "epochlength": 30000,
      "blockperiodseconds": 5,
      "requesttimeoutseconds": 10
    }
  },
  "nonce": "0x0",
  "timestamp": "0x5b3d92d7",
  "extraData": "0xf87aa00000000000000000000000000000000000000000000000000000000000000000f8549464a702e6263b7297a96638cac6ae65e6541f4169943923390ad55e90c237593b3b0e401f3b08a0318594aefdb9a738c9f433e5b6b212a6d62f6370c2f69294c7eeb9a4e00ce683cf93039b212648e01c6c6b78c080c0",
  "gasLimit": "0x29b92700",
  "difficulty": "0x1",
  "mixHash": "0x63746963616c2062797a616e74696e65206661756c7420746f6c6572616e6365",
  "coinbase": "0x0000000000000000000000000000000000000000",
  "alloc": {
    "64d9be4177f418bcf4e56adad85f33e3a64efe22": {
      "balance": "0x446c3b15f9926687d2c40534fdb564000000000000"
    },
    "9f66f8a0f0a6537e4a36aa1799673ea7ae97a166": {
      "balance": "0x446c3b15f9926687d2c40534fdb564000000000000"
    },
    "a7f25969fb6f3d5ac09a88862c90b5ff664557a7": {
      "balance": "0x446c3b15f9926687d2c40534fdb564000000000000"
    },
    "f4bbfd32c11c9d63e9b4c77bb225810f840342df": {
      "balance": "0x446c3b15f9926687d2c40534fdb564000000000000"
    }
  },
  "number": "0x0",
  "gasUsed": "0x0",
  "parentHash": "0x0000000000000000000000000000000000000000000000000000000000000000"
}

The QBFT properties are:

  • blockperiodseconds - The minimum block time, in seconds.
  • epochlength - The number of blocks after which to reset all votes.
  • requesttimeoutseconds - The timeout for each consensus round before a round change, in seconds.
  • blockreward - Optional reward amount in Wei to reward the beneficiary. Defaults to zero (0). Can be specified as a hexadecimal (with 0x prefix) or decimal string value. If set, then all nodes on the network must use the identical value.
  • validatorcontractaddress - Address of the validator smart contract. Required only if using a contract validator selection. The address must be identical to the address in the alloc section. This option can also be used in the transitions configuration item if swapping validator management methods in an existing network.
  • miningbeneficiary - Optional beneficiary of the blockreward. Defaults to the validator that proposes the block. If set, then all nodes on the network must use the same beneficiary.
  • extraData - RLP encoded extra data.
caution

We don't recommend changing epochlength in a running network. Changing the epochlength after genesis can result in illegal blocks.

Invalid block header error

When adding a new node, if a TimeStampMoreRecentThanParent | Invalid block header error occurs, the genesis file of the new node specifies a higher blockperiodseconds than the imported chain. The imported chain makes new blocks faster than the genesis file allows and Besu rejects them with this error. This error most often occurs when importing chains from older versions of Besu.

Decrease the blockperiodseconds in the new QBFT genesis file to a lower value that satisfies the block header validation.

If the error reads | TimestampMoreRecentThanParent | Invalid block header: timestamp 1619660141 is only 3 seconds newer than parent timestamp 1619660138. Minimum 4 seconds, decrease the blockperiodseconds from 4 seconds to 3 seconds to match the imported chain.

After you update the new genesis file, if the imported chain has a blockperiodseconds value set lower than you prefer, you can adjust it by configuring the block time on an existing QBFT network.

The properties with specific values in the QBFT genesis files are:

  • difficulty - 0x1
  • mixHash - 0x63746963616c2062797a616e74696e65206661756c7420746f6c6572616e6365 for Istanbul block identification

To start a node on a QBFT private network, use the --genesis-file option to specify the custom genesis file.

Extra data

The extraData property is an RLP encoding of:

  • 32 bytes of vanity data.
  • If using:
  • Any validator votes. No vote is included in the genesis block.
  • The round the block was created on. The round in the genesis block is 0.
  • A list of seals of the validators (signed block hashes). No seals are included in the genesis block.

When using block header validator selection, the important information in the genesis block extra data is the list of validators. All other details have empty values in the genesis block.

info

When using contract validator selection to manage validators, the list of validators is configured in the alloc property's storage section. View the example smart contract for more information on how to generate the storage section.

Formally, extraData in the genesis block contains:

  • If using block header validator selection: RLP([32 bytes Vanity, List<Validators>, No Vote, Round=Int(0), 0 Seals]).
  • If using contract validator selection: RLP([32 bytes Vanity, 0 Validators, No Vote, Round=Int(0), 0 Seals]).
info

RLP encoding is a space-efficient object serialization scheme used in Ethereum.

Generate extra data

To generate the extraData RLP string for inclusion in the genesis file, use the rlp encode Besu subcommand.

Example
besu rlp encode --from=toEncode.json --type=QBFT_EXTRA_DATA

Where the toEncode.json file contains a list of the initial validators, in ascending order. To write the validator address and copy it to the toEncode.json file, use the public-key export-address Besu subcommand. For example:

Initial validators in toEncode.json file
[
  "0x4592c8e45706cc08b8f44b11e43cba0cfc5892cb",
  "0x06e23768a0f59cf365e18c2e0c89e151bcdedc70",
  "0xc5327f96ee02d7bcbc1bf1236b8c15148971e1de",
  "0xab5e7f4061c605820d3744227eed91ff8e2c8908"
]

Copy the RLP encoded data to the extraData property in the genesis file.

RLP encoded data
0xf87aa00000000000000000000000000000000000000000000000000000000000000000f854944592c8e45706cc08b8f44b11e43cba0cfc5892cb9406e23768a0f59cf365e18c2e0c89e151bcdedc7094c5327f96ee02d7bcbc1bf1236b8c15148971e1de94ab5e7f4061c605820d3744227eed91ff8e2c8908c080c0

When you start the network, the four nodes previously specified in toEncode.json are the validators for the network.

Block time

When the protocol receives a new chain head, the block time (blockperiodseconds) timer starts. When blockperiodseconds expires, the round timeout (requesttimeoutseconds) timer starts and the protocol proposes a new block.

If requesttimeoutseconds expires before adding the proposed block, a round change occurs, with the block time and timeout timers reset. The timeout period for the new round is two times requesttimeoutseconds. The timeout period continues to double each time a round fails to add a block.

Usually, the protocol adds the proposed block before reaching requesttimeoutseconds. A new round then starts, resetting the block time and round timeout timers. When blockperiodseconds expires, the protocol proposes the next new block.

danger

If more than 1/3 of validators stop participating, new blocks can no longer be created and requesttimeoutseconds doubles with each round change. The quickest method to resume block production is to restart all validators, which resets requesttimeoutseconds to its genesis value.

Once blockperiodseconds is over, the time from proposing a block to adding the block is small (usually around one second) even in networks with geographically dispersed validators.

Tune block timeout

To tune the block timeout for your network deployment:

  1. Set blockperiodseconds to your desired block time and requesttimeoutseconds to two times blockperiodseconds.
  2. Reduce requesttimeoutseconds until you start to see round changes occurring.
  3. Increase requesttimeoutseconds to the value where round changes are no longer occurring.
tip

View TRACE logs to see round change log messages.

Use a transition to update the blockperiodseconds in an existing network.

Optional configuration options

Optional configuration options in the genesis file are:

  • messageQueueLimit - In large networks with limited resources, increasing the message queue limit might help with message activity surges. The default is 1000.
  • duplicateMessageLimit - If the same node is retransmitting messages, increasing the duplicate message limit might reduce the number of retransmissions. A value of two to three times the number of validators is usually enough. The default is 100.
  • futureMessagesLimit - The future messages buffer holds messages for a future chain height. For large networks, increasing the future messages limit might be useful. The default is 1000.
  • futureMessagesMaxDistance - The maximum height from the current chain height for buffering messages in the future messages buffer. The default is 10.

Post-Merge configuration

After The Merge, the following block fields are modified or deprecated. Their fields must contain only the constant values from the following chart.

FieldConstant valueComment
ommersHash0x1dcc4de8dec75d7aab85b567b6ccd41ad312451b948a7413f0a142fd40d49347= Keccak256(RLP([]))
difficulty0Replaced with prevrandao
mixHash0x0000000000000000000000000000000000000000000000000000000000000000Replaced with prevrandao
nonce0x0000000000000000
ommers[]RLP([]) = 0xc0

Additionally, extraData is limited to the 32 bytes of vanity data after The Merge.

Add and remove validators

QBFT provides two methods to manage validators:

You can use transitions to swap between block header validator selection and contract validator selection in an existing network.

For block header validator selection, initial validators are configured in the genesis file's extraData property, whereas the initial validators when using the contract validator selection method are configured in the genesis file's storage section.

Add and remove validators using block headers

Enable the HTTP interface with --rpc-http-enabled or the WebSockets interface with --rpc-ws-enabled.

The QBFT API methods are disabled by default. To enable them, specify the --rpc-http-api or --rpc-ws-api option and include QBFT.

The methods to add or remove validators are:

To view validator metrics for a specified block range, use qbft_getSignerMetrics.

note

If network conditions render it impossible to add and remove validators by voting, you can add and remove validators without voting.

Add a validator

To propose adding a validator, call qbft_proposeValidatorVote, specifying the address of the proposed validator and true. A majority of validators must execute the call.

JSON-RPC qbft_proposeValidatorVote request example
curl -X POST --data '{"jsonrpc":"2.0","method":"qbft_proposeValidatorVote","params":["0xFE3B557E8Fb62b89F4916B721be55cEb828dBd73", true], "id":1}' <JSON-RPC-endpoint:port>

When the validator proposes the next block, the protocol inserts one proposal received from qbft_proposeValidatorVote into the block. If blocks include all proposals, subsequent blocks proposed by the validator will not contain a vote.

When more than 50% of the existing validators have published a matching proposal, the protocol adds the proposed validator to the validator pool and the validator can begin validating blocks.

To return a list of validators and confirm the addition of a proposed validator, use qbft_getValidatorsByBlockNumber.

JSON-RPC qbft_getValidatorsByBlockNumber request example
curl -X POST --data '{"jsonrpc":"2.0","method":"qbft_getValidatorsByBlockNumber","params":["latest"], "id":1}' <JSON-RPC-endpoint:port>

To discard your proposal after confirming the addition of a validator, call qbft_discardValidatorVote, specifying the address of the proposed validator.

JSON-RPC qbft_discardValidatorVote request example
curl -X POST --data '{"jsonrpc":"2.0","method":"qbft_discardValidatorVote","params":["0xFE3B557E8Fb62b89F4916B721be55cEb828dBd73"], "id":1}' <JSON-RPC-endpoint:port>

Remove a validator

The process for removing a validator is the same as adding a validator except you specify false as the second parameter of qbft_proposeValidatorVote.

Epoch transition

At each epoch transition, QBFT discards all pending votes collected from received blocks. Existing proposals remain in effect and validators re-add their vote the next time they create a block.

An epoch transition occurs every epochLength blocks. Define epochlength in the QBFT genesis file.

Add and remove validators using a smart contract

Users can create their own smart contracts to add or remove validators based on their organizational requirements. View the example smart contract for more information on how to create and deploy the smart contract.

You can pre-deploy the validator smart contract in a new QBFT network by specifying the contract details in the genesis file. For existing QBFT networks you need to compile and deploy the contract using a transaction, then obtain the contract address from the receipt and use that in a transition.

info

You can't use the JSON-RPC methods to add or remove validators when using a smart contract to manage nodes.

You must interact with the contract functions using transactions.

note

If network conditions render it impossible to add and remove validators using a smart contract, you can override smart contract validators.

Minimum number of validators

QBFT requires four validators to be Byzantine fault tolerant. Byzantine fault tolerance is the ability for a blockchain network to function correctly and reach consensus despite nodes failing or propagating incorrect information to peers.

Transitions

The transitions genesis configuration item allows you to specify a future block number at which to change QBFT network configuration in an existing network. For example, you can update the block time, block reward, validator management method, or mining beneficiary.

caution

Do not specify a transition block in the past. Specifying a transition block in the past could result in unexpected behavior, such as causing the network to fork.

Configure block time on an existing network

To update an existing network with a new blockperiodseconds:

  1. Stop all nodes in the network.

  2. In the genesis file, add the transitions configuration item where:

    • <FutureBlockNumber> is the upcoming block at which to change blockperiodseconds.
    • <NewValue> is the updated value for blockperiodseconds.
    {
      "config": {
        ...
        "qbft": {
          "blockperiodseconds": 2,
          "epochlength": 30000,
          "requesttimeoutseconds": 4
        },
        "transitions": {
          "qbft": [
            {
              "block": <FutureBlockNumber>,
              "blockperiodseconds": <NewValue>
            }
          ]
        }
      },
      ...
    }

  3. Restart all nodes in the network using the updated genesis file.

  4. To verify the changes after the transition block, call qbft_getValidatorsByBlockNumber, specifying latest.

Configure block rewards on an existing network deployment

To update an existing network with a new blockreward:

  1. Stop all nodes in the network.

  2. In the genesis file, add the transitions configuration item where:

    • <FutureBlockNumber> is the upcoming block at which to change blockreward.
    • <NewValue> is the updated value for blockreward.
    {
      "config": {
        ...
        "qbft": {
          "blockperiodseconds": 2,
          "epochlength": 30000,
          "requesttimeoutseconds": 4
          "blockreward": "5000000000000000"
        },
        "transitions": {
          "qbft": [
            {
              "block": <FutureBlockNumber>,
              "blockreward": <NewValue>
            },
            {
              "block": <FutureBlockNumber>,
              "blockreward": <NewValue>
            },
            {
              "block": <FutureBlockNumber>,
              "blockreward": <NewValue>
            }
          ]
        }
      },
      ...
    }
    note

    You can add multiple blockreward updates in one transition object by specifying multiple future blocks.

  3. Restart all nodes in the network using the updated genesis file.

Swap validator management methods

To swap between block header validator selection and contract validator selection methods in an existing network:

  1. Stop all nodes in the network.

  2. In the genesis file, add the transitions configuration item where:

    • <FutureBlockNumber> is the upcoming block at which to change the validator selection method.
    • <SelectionMode> is the validator selection mode to switch to. Valid options are contract and blockheader.
    • <ContractAddress> is the smart contract address, if switching to the contract validator selection method.
    {
      "config": {
        ...
        "qbft": {
          "blockperiodseconds": 5,
          "epochlength": 30000,
          "requesttimeoutseconds": 10
        },
        "transitions": {
          "qbft": [
            {
              "block": <FutureBlockNumber>,
              "validatorselectionmode": <SelectionMode>,
              "validatorcontractaddress": <ContractAddress>
            }
          ]
        }
      },
      ...
    }

  3. Restart all nodes in the network using the updated genesis file.

Configure the mining beneficiary on an existing network deployment

To update an existing network with a new mining beneficiary:

  1. Stop all nodes in the network.

  2. In the genesis file, add the transitions configuration item where:

    • <FutureBlockNumber> is the upcoming block at which to change miningbeneficiary.
    • <NewAddress> is the updated 20-byte address for miningbeneficiary. Starting at <FutureBlockNumber>, block rewards go to this address.
    {
      "config": {
        ...
        "qbft": {
          "blockperiodseconds": 5,
          "epochlength": 30000,
          "requesttimeoutseconds": 10
        },
        "transitions": {
          "qbft": [
          {
            "block": <FutureBlockNumber>,
            "miningbeneficiary": <NewAddress>
          },
          {
            "block": <FutureBlockNumber>,
            "miningbeneficiary": <NewAddress>
          }
          ]
        }
      },
      ...
    }
    note

    Setting the miningbeneficiary to an empty value clears out any override so that block rewards go to the block producer rather than a global override address.

  3. Restart all nodes in the network using the updated genesis file.

[vanity data]: Validators can include anything they like as vanity data. [RLP]: Recursive Length Prefix