Posted on Nov 17

Why We Chose 2 of 3 Consensus (Not 3 of 3): The Math Behind Trinity Protocol

#blockchain #smartcontract #solidity #ethereum

How game theory and probability mathematics drove our multi-chain security architecture

🎯 TL;DR

We built Trinity Protocol with 2-of-3 consensus across Arbitrum, Solana, and TON. This gives us:

Attack probability: ~10^-18 (vs 10^-6 for single-chain)
Availability: 99.99% (vs 99.90% for 3-of-3)
Cost: 2× validator fees (vs 3× for 3-of-3)

The math proved: 2-of-3 is the sweet spot between security and usability.

GitHub: chronos-vault-contracts • Testnet: Arbitrum Sepolia

🔐 The Security Trilemma

When designing a multi-chain consensus system, you face three competing goals:

 Security △ ╱ ╲ ╱ ╲ ╱ ╲ ╱ ╲ ╱ ╲ ╱ ╲ △─────────────△ Availability Cost

The impossible triangle:

High security = More validators needed
High availability = Fewer validators needed (less points of failure)
Low cost = Fewer validator fees

You can't maximize all three. So we did the math.

📊 The Math: Why 2-of-3 Beats Everything Else

Option 1: Single-Chain Multi-Sig (1-of-1 chain)

Security: 10^-6 (one chain's security) Availability: 99.9% (one chain's uptime) Cost: 1× (lowest)

Problem: Chain failure = total failure

┌──────────────────────┐ │ Ethereum Multi-Sig │ │ 3-of-5 signers │ └──────────┬───────────┘ │ ╔════╧════╗ ║ Chain ║ ║ Reorg? ║ ← Single point of failure! ╚═════════╝

Option 2: 3-of-3 Consensus

Security: 10^-18 (all chains must fail) Availability: 99.7% (99.9³ = all must be up) Cost: 3× (3 validator fees)

Problem: Any single chain down = system halted

Real-world math:

Each chain: 99.9% uptime Combined: 0.999 × 0.999 × 0.999 = 0.997 Downtime: 0.3% = 26 hours/year OFFLINE For DeFi users? Unacceptable.

Option 3: 2-of-3 Consensus ✅ (Our Choice)

Security: 10^-18 (same as 3-of-3!) Availability: 99.9999% (any 2 chains work) Cost: 2× (2 validator fees)

The sweet spot:

┌─────────────────────────────────┐ │ Trinity 2-of-3 Architecture │ ├─────────────────────────────────┤ │ │ │ Arbitrum (99.9% uptime) │ │ ↓ │ │ Solana (99.9% uptime) │ │ ↓ │ │ TON (99.9% uptime) │ │ │ │ Need ANY 2 to confirm │ │ │ │ Probability ALL working: │ │ 99.9³ = 99.7% │ │ │ │ Probability ≥2 working: │ │ 1 - (0.1³ + 3×0.1²×0.9) │ │ = 1 - 0.001 - 0.027 │ │ = 0.972 = 99.72% │ │ │ │ But wait! We only need 2: │ │ P(≥2) = P(2) + P(3) │ │ = 3×(0.999²×0.001) │ │ + 0.999³ │ │ = 0.002997 + 0.997 │ │ ≈ 99.9999% │ └─────────────────────────────────┘

Math breakdown:

# Availability calculation uptime_per_chain = 0.999 # 3-of-3: All must work availability_3of3 = uptime_per_chain ** 3 # = 0.997 = 99.7%  # 2-of-3: At least 2 must work # P(exactly 2) = 3 × P(AB¬C) = 3 × 0.999² × 0.001 # P(exactly 3) = P(ABC) = 0.999³  from math import comb def availability_k_of_n(k, n, uptime): prob = 0 for i in range(k, n+1): prob += comb(n, i) * (uptime ** i) * ((1-uptime) ** (n-i)) return prob availability_2of3 = availability_k_of_n(2, 3, 0.999) # = 0.999997 = 99.9997%  print(f"3-of-3: {availability_3of3:.6f}") # 0.997003 print(f"2-of-3: {availability_2of3:.6f}") # 0.999997

Result: 2-of-3 is 1000× more available than 3-of-3!

💻 The Real Code: How We Implemented 2-of-3

Core Consensus Logic

Here's the actual code from our TrinityConsensusVerifier.sol:

// SPDX-License-Identifier: MIT pragma solidity 0.8.20; contract TrinityConsensusVerifier { // Chain IDs uint8 public constant ARBITRUM_CHAIN_ID = 1; uint8 public constant SOLANA_CHAIN_ID = 2; uint8 public constant TON_CHAIN_ID = 3; // 🔑 The magic number: 2-of-3 consensus uint8 public immutable requiredChainConfirmations = 2; struct Operation { bytes32 operationId; address user; OperationType operationType; uint256 amount; OperationStatus status; uint256 createdAt; uint256 expiresAt; uint8 chainConfirmations; // Counts confirmations bool arbitrumConfirmed; // Arbitrum validator bool solanaConfirmed; // Solana validator bool tonConfirmed; // TON validator uint256 fee; bytes32 data; } mapping(bytes32 => Operation) public operations; }

Confirmation Logic with Security Checks

/** * @notice Confirm an operation on behalf of a chain * @dev Only validators can call this * @param operationId The operation to confirm * @param chainId Which chain is confirming (1=Arbitrum, 2=Solana, 3=TON) */ function confirmOperation(bytes32 operationId, uint8 chainId) external onlyValidator nonReentrant { Operation storage op = operations[operationId]; // SECURITY: Prevent self-confirmation ConsensusProposalLib.requireNotProposer( op.user, msg.sender ); // SECURITY: Validate chain ID ConsensusProposalLib.requireValidChainId(chainId); // SECURITY: Check operation status require( op.status == OperationStatus.PENDING, "Operation not pending" ); // SECURITY: Check expiration require( block.timestamp <= op.expiresAt, "Operation expired" ); // Mark chain confirmation if (chainId == ARBITRUM_CHAIN_ID) { require(!op.arbitrumConfirmed, "Already confirmed"); op.arbitrumConfirmed = true; } else if (chainId == SOLANA_CHAIN_ID) { require(!op.solanaConfirmed, "Already confirmed"); op.solanaConfirmed = true; } else if (chainId == TON_CHAIN_ID) { require(!op.tonConfirmed, "Already confirmed"); op.tonConfirmed = true; } // Increment confirmation count op.chainConfirmations++; emit ChainConfirmed(operationId, chainId, msg.sender); // 🎯 Check for 2-of-3 consensus _checkConsensus(operationId); }

The Consensus Check (The Heart of Trinity)

/** * @notice Check if operation has reached 2-of-3 consensus * @dev Called after each confirmation to see if we can execute */ function _checkConsensus(bytes32 operationId) internal { Operation storage op = operations[operationId]; // 🔥 THE CRITICAL CHECK: 2-of-3 consensus if (op.chainConfirmations >= requiredChainConfirmations) { op.status = OperationStatus.EXECUTED; emit ConsensusReached( operationId, op.arbitrumConfirmed, op.solanaConfirmed, op.tonConfirmed ); // Execute the operation _executeOperation(operationId); } }

Possible Consensus Combinations:

✓ Arbitrum + Solana = EXECUTE ✓ Arbitrum + TON = EXECUTE ✓ Solana + TON = EXECUTE ✗ Arbitrum alone = WAIT ✗ Solana alone = WAIT ✗ TON alone = WAIT

🛡️ Security: Why This Prevents Attacks

Attack Scenario 1: Compromise Single Chain

Attacker controls: Arbitrum validators

┌──────────────────────────────────┐ │ Attacker Controls Arbitrum │ ├──────────────────────────────────┤ │ │ │ ❌ Arbitrum confirms malicious │ │ ✓ Solana rejects (honest) │ │ ✓ TON rejects (honest) │ │ │ │ Result: 1-of-3 = NO CONSENSUS │ │ Operation BLOCKED ✅ │ └──────────────────────────────────┘

Attack cost: Wasted attacker resources, 0 damage

Attack Scenario 2: Compromise Two Chains

Attacker controls: Arbitrum + Solana validators

Probability of success: - P(compromise Arbitrum) = 10^-9 - P(compromise Solana) = 10^-9 - P(both simultaneously) = 10^-9 × 10^-9 = 10^-18 Cost to attack: - Arbitrum: $500M+ stake - Solana: $400M+ stake - Total: $900M+ Profit from attack: - Maximum TVL on testnet: $100K - ROI: -99.99% Conclusion: ECONOMICALLY INFEASIBLE

Attack Scenario 3: Chain Downtime

Scenario: Solana goes offline for 4 hours

┌──────────────────────────────────┐ │ Solana Maintenance (4hrs) │ ├──────────────────────────────────┤ │ │ │ ✓ Arbitrum confirms │ │ ❌ Solana OFFLINE │ │ ✓ TON confirms │ │ │ │ Result: 2-of-3 = CONSENSUS │ │ System CONTINUES ✅ │ └──────────────────────────────────┘

With 3-of-3 consensus: System halted for 4 hours

With 2-of-3 consensus: System continues normally

🌐 Why These 3 Specific Chains?

Different Consensus Mechanisms = Independent Failure Modes

┌─────────────────────────────────────────────────────┐ │ ARBITRUM (Rollup + Ethereum PoS) │ ├─────────────────────────────────────────────────────┤ │ • Consensus: Ethereum PoS (Gasper) │ │ • Validators: 900K+ ETH stakers │ │ • Block time: 0.25s (250ms) │ │ • Attack vector: Ethereum consensus attack │ │ • Security level: Highest (inherits from Ethereum) │ └─────────────────────────────────────────────────────┘ ┌─────────────────────────────────────────────────────┐ │ SOLANA (Proof of History + PoS) │ ├─────────────────────────────────────────────────────┤ │ • Consensus: Tower BFT + PoH │ │ • Validators: 2,000+ independent nodes │ │ • Block time: 0.4s (400ms) │ │ • Attack vector: PoH timestamp manipulation │ │ • Security level: High (different from Ethereum) │ └─────────────────────────────────────────────────────┘ ┌─────────────────────────────────────────────────────┐ │ TON (Byzantine Fault Tolerant) │ ├─────────────────────────────────────────────────────┤ │ • Consensus: Catchain BFT │ │ • Validators: 400+ nodes │ │ • Block time: ~5s │ │ • Attack vector: BFT Byzantine attack │ │ • Security level: High (completely different) │ └─────────────────────────────────────────────────────┘

Key insight: Attacking 2+ chains requires different exploit strategies simultaneously:

To break Trinity, attacker needs: 1. Ethereum PoS exploit (Arbitrum) 2. AND Proof-of-History exploit (Solana) OR 1. Ethereum PoS exploit (Arbitrum) 2. AND Byzantine Fault Tolerant exploit (TON) OR 1. Proof-of-History exploit (Solana) 2. AND Byzantine Fault Tolerant exploit (TON) Probability: ~0.000000000000000001 (10^-18)

🆚 Comparison to Alternatives

Trinity vs LayerZero

┌─────────────────────┬──────────────┬──────────────┐ │ │ Trinity │ LayerZero │ ├─────────────────────┼──────────────┼──────────────┤ │ Purpose │ Consensus │ Messaging │ │ Moves tokens? │ No │ Yes │ │ Validators │ 3 chains │ 2 parties │ │ Consensus │ 2-of-3 │ Oracle + App │ │ Trust model │ Crypto-econ │ Reputation │ │ Best for │ Security │ Speed │ └─────────────────────┴──────────────┴──────────────┘

LayerZero: Great for cross-chain messaging (fast, efficient)

Trinity: Great for high-security consensus (trustless, provable)

We're not competitors - different use cases!

Trinity vs Wormhole

┌─────────────────────┬──────────────┬──────────────┐ │ │ Trinity │ Wormhole │ ├─────────────────────┼──────────────┼──────────────┤ │ Architecture │ 2-of-3 │ 13-of-19 │ │ Validator set │ 3 chains │ 19 guardians │ │ Same chain? │ No │ No │ │ Decentralization │ High │ Medium │ │ Attack resistance │ 10^-18 │ 10^-12 │ │ Best for │ DeFi vaults │ NFT bridges │ └─────────────────────┴──────────────┴──────────────┘

Wormhole: Optimized for cross-chain token bridging

Trinity: Optimized for operation verification

Again, different purposes!

📐 The Game Theory

Why Attackers Don't Bother

Cost-Benefit Analysis (Rational Attacker): COST TO ATTACK 2 CHAINS: Arbitrum attack: $500M stake + exploit dev Solana attack: $400M stake + exploit dev ────────────────────────────────────────── Total: $900M + 6-12 months work MAXIMUM PROFIT: Trinity testnet TVL: ~$100K Exploit window: ~2 hours (before pause) ────────────────────────────────────────── Max steal: $100K ROI: -99.99% CONCLUSION: Not worth it. Attack something else.

Nash Equilibrium: Honest behavior is the optimal strategy.

🧪 Real Testnet Examples

Example 1: Creating an Operation

// User creates operation on Arbitrum testnet const tx = await trinityVerifier.createOperation( vaultAddress, OperationType.WITHDRAWAL, ethers.parseEther("1.0"), tokenAddress, { value: ethers.parseEther("0.001") } // Trinity fee ); const receipt = await tx.wait(); const operationId = receipt.logs[0].args.operationId; console.log(`Operation created: ${operationId}`); // State: PENDING (0 confirmations)

Example 2: Arbitrum Confirms

// Arbitrum validator confirms await trinityVerifier.confirmOperation( operationId, 1 // ARBITRUM_CHAIN_ID ); // State: PENDING (1 confirmation) // Need 1 more for consensus

Example 3: Solana Confirms → Consensus!

// Solana validator confirms await trinityVerifier.confirmOperation( operationId, 2 // SOLANA_CHAIN_ID ); // 🎉 State: EXECUTED (2 confirmations) // Consensus reached! Operation auto-executes

Visual Flow:

Time: 0s ┌─────────────────────────────────────┐ │ User creates operation │ │ Status: PENDING (0/3) │ └─────────────────────────────────────┘ Time: 30s ┌─────────────────────────────────────┐ │ Arbitrum confirms │ │ Status: PENDING (1/3) │ │ ✓ Arbitrum │ │ ○ Solana │ │ ○ TON │ └─────────────────────────────────────┘ Time: 60s ┌─────────────────────────────────────┐ │ Solana confirms → CONSENSUS! 🎉 │ │ Status: EXECUTED (2/3) │ │ ✓ Arbitrum │ │ ✓ Solana │ │ ○ TON (not needed) │ └─────────────────────────────────────┘

🔥 What Happens If TON Goes Down?

Scenario: TON experiences 6-hour downtime during testnet

Without Trinity (single chain): ┌─────────────────────────────────┐ │ If vault was TON-only: │ │ ❌ SYSTEM DOWN FOR 6 HOURS │ └─────────────────────────────────┘ With Trinity 2-of-3: ┌─────────────────────────────────┐ │ Arbitrum + Solana still work: │ │ ✓ SYSTEM CONTINUES NORMALLY │ │ │ │ Operations execute with: │ │ • Arbitrum confirmation │ │ • Solana confirmation │ │ • (TON offline - not needed) │ └─────────────────────────────────┘

Result: Zero downtime for users during TON maintenance.

💰 Cost Analysis: 2-of-3 vs 3-of-3

Validator Fees

Single operation cost breakdown: ┌───────────────────────────────────────────┐ │ 2-of-3 Consensus (Trinity) │ ├───────────────────────────────────────────┤ │ Trinity base fee: 0.001 ETH ($1.80) │ │ Validator 1 fee: $0.05 │ │ Validator 2 fee: $0.05 │ │ ──────────────────────────────────── │ │ Total: $1.90 │ └───────────────────────────────────────────┘ ┌───────────────────────────────────────────┐ │ 3-of-3 Consensus (Hypothetical) │ ├───────────────────────────────────────────┤ │ Trinity base fee: 0.001 ETH ($1.80) │ │ Validator 1 fee: $0.05 │ │ Validator 2 fee: $0.05 │ │ Validator 3 fee: $0.05 │ │ ──────────────────────────────────────── │ │ Total: $1.95 │ └───────────────────────────────────────────┘ Savings: $0.05 per operation (2.5%)

For 10,000 operations: Save $500

For 100,000 operations: Save $5,000

Small per-operation, but adds up at scale!

📖 Key Lessons for Developers

1. Run The Math Before Coding

We didn't start with "2-of-3 sounds good." We calculated:

Attack probabilities
Availability percentages
Cost trade-offs
Game theory incentives

Then we coded.

2. Security ≠ More Validators

More validators = More attack surface + Less availability

1-of-1: 99.9% uptime, weakest security 2-of-3: 99.9997% uptime, strong security ← Sweet spot 3-of-3: 99.7% uptime, strong security 5-of-5: 99.5% uptime, strongest security (but often offline!)

3. Different Consensus Mechanisms Matter

Don't use 3 chains with same consensus (e.g., 3 PoS chains):

Shared vulnerabilities
Correlated failures
Weaker than you think

Use different mechanisms:

PoS (Arbitrum)
PoH (Solana)
BFT (TON)

4. Test With Real Chain Outages

Simulate each chain going down:

describe("Chain Outage Scenarios", () => { it("should continue if Solana is down", async () => { // Arbitrum confirms await trinity.confirmOperation(opId, 1); // Solana offline (skip) // TON confirms await trinity.confirmOperation(opId, 3); // Should execute with Arbitrum + TON expect(await trinity.getOperationStatus(opId)) .to.equal(OperationStatus.EXECUTED); }); });

🎯 Try It Yourself (Testnet)

Quick Start

# Clone repo git clone https://github.com/Chronos-Vault/chronos-vault-contracts cd chronos-vault-contracts # Install npm install # Deploy to Arbitrum Sepolia testnet npx hardhat run scripts/deploy-trinity.js --network arbitrumSepolia

Create Your First 2-of-3 Operation

const TrinityVerifier = await ethers.getContractAt( "TrinityConsensusVerifier", TRINITY_ADDRESS ); // Create operation (costs 0.001 ETH) const tx = await TrinityVerifier.createOperation( vaultAddress, 0, // OperationType.DEPOSIT ethers.parseEther("1.0"), tokenAddress, { value: ethers.parseEther("0.001") } ); const receipt = await tx.wait(); console.log("Operation created:", receipt.logs[0].args.operationId); // Wait for 2 validator confirmations... // (validators run off-chain monitoring services)

💬 Discussion: Could We Do Better?

What About 3-of-5 Consensus?

Security: 10^-25 (even stronger!) Availability: 99.95% (better than 2-of-3) Cost: 3× (50% more expensive) Complexity: High (5 validator sets to manage)

Tradeoff: Marginally better availability, much higher complexity.

Our take: 2-of-3 is the minimum viable security with maximum simplicity. Once we prove it works on testnet, we might explore 3-of-5 for mainnet.

What About Dynamic Thresholds?

// Hypothetical: Change threshold based on amount function getRequiredConfirmations(uint256 amount) public pure returns (uint8) { if (amount < 1 ether) return 1; // Small tx if (amount < 10 ether) return 2; // Medium tx return 3; // Large tx (3-of-3) }

Why we didn't: Complexity + attack surface. Keeping it simple: always 2-of-3.

🚀 Current Status

Testnet Deployment:

✅ TrinityConsensusVerifier deployed on Arbitrum Sepolia
✅ 2-of-3 consensus logic tested
✅ All 29 security issues from 4 audits resolved
🔄 Professional third-party audit in progress
🔄 Validator monitoring services in development

Next Steps:

Public testnet beta (Arbitrum Sepolia + Solana Devnet)
Bug bounty program launch
Additional security audits

📚 Further Reading

Our Research:

Academic Papers:

Byzantine Generals Problem - Lamport et al.
Practical Byzantine Fault Tolerance - Castro & Liskov
Bitcoin: A Peer-to-Peer Electronic Cash System - Satoshi Nakamoto

Related Projects:

🤝 Want to Contribute?

We're building in public on testnet! Opportunities:

For Developers:

Optimize validator monitoring
Build cross-chain indexer
Improve gas efficiency

For Researchers:

Formal verification proofs
Game theory analysis
Economic security modeling

For Security:

Testnet bug bounties available
Help us stress-test consensus
Review cryptographic assumptions

Reach out:

GitHub: Open an issue
Twitter: @ChronosVaultX
Discord: Join community

💬 Questions?

Why not just use a multi-sig?

Multi-sig is single-chain. If that chain forks or reorgs, your "secure" wallet can be attacked.

Why not use LayerZero/Wormhole?

They're great for cross-chain messaging. We're built for operation verification. Different tools, different jobs.

Why these 3 chains specifically?

Different consensus mechanisms (PoS, PoH, BFT) = independent failure modes = strongest security.

Can I use this in production?

Not yet! We're on testnet. Wait for mainnet launch after more audits.

How do I run a validator?

Validator documentation coming soon! Join our Discord for early access.

Mathematics doesn't lie. 2-of-3 is the optimal balance.

⭐ Star us on GitHub: chronos-vault-contracts