FairWave: A Fairness-Aware Asynchronous DAG-BFT Consensus

Long-running Proof-of-Stake blockchains exhibit empirical centralization despite formally claiming decentralized governance [1, 2, 3]. Pure stake-based consensus protocols suffer from three well-characterized pathologies:

1. 1.

   Rich-get-richer dynamics. When rewards are proportional to stake, accumulated rewards compound into stake growth at a rate proportional to current holdings, inducing exponential divergence of the Herfindahl-Hirschman Index (HHI) toward one.

2. 2.

   Sybil vulnerability under sub-linear weighting. Alternative rules such as Square Root Stake Weighting (SRSW) $\sqrt{\text{stake}}$ or Logarithmic Stake Weighting (LSW) $\ln(1+\text{stake})$ that attempt to achieve fairness instead introduce Sybil gain proportional to $\sqrt{K}$ or $K$ respectively, where $K$ denotes the split factor.

3. 3.

   Plutocratic convergence. Under proportional rewards, the share of power of the top-1 validator increases monotonically, eventually violating the BFT safety threshold $f<n/3$.

These pathologies are not merely theoretical—empirical measurements on Ethereum 2.0, Cosmos Hub, and Solana mainnet show Nakamoto coefficients as low as 3–7 for the top staking pools [4, 5, 6].

This work presents the following contributions:

• •

  C1. A novel dual-channel consensus architecture in which selection weights and reward weights exhibit opposite curvature with respect to stake-mitigates the Sybil-fairness-plutocracy trilemma.

• •

  C2. A Closed-form analytical derivation of Sybil gain bounds for four reward rules (Pure-PoS, SRSW, LSW, FairWave), validated to machine precision ($\epsilon=0.0$) against $20,160$ numerical evaluation cells.

• •

  C3. Empirical evaluation of nine tasks spanning approximately $550,000$ Monte Carlo rounds, compared against potocol models representing Narwhal+Tusk [7], Bullshark [8], Mysticeti [9], HotStuff [10], HotStuff-2, PBFT [11], Tendermint [12], and Algorand [13] under a unified simulation framework.

• •

  C4. Quantitative characterization of robustness via One-At-a-Time (OAT) elasticity analysis, Sobol variance decomposition, and combined perturbation mapping—To the best of our knowledge, this work presents the first sensitivity analysis applied to DAG-BFT consensus parameters.

Section II surveys related work. Section III formalizes the threat model and system model. Section IV presents the FairWave protocol design. Section V derives the mathematical foundations. Section VI describes the empirical methodology. Section VII presents results from nine evaluation tasks. Section VIII discusses trade-offs, and Section X concludes.

Classical PBFT [11] achieves Byzantine agreement under partial synchrony with message complexity $O(n^{2})$ per view. HotStuff [10] reduces view-change complexity to $O(n)$ via threshold signatures and pipelined chain structure. HotStuff-2 [14] further optimizes to two-phase commit with optimal responsiveness. The DAG-BFT paradigm, initiated by DAG-Rider [15] and Narwhal+Tusk [7], separate data dissemination from consensus ordering by embedding transactions in a structured Directed Acyclic Graph (DAG). Subsequent refinements—Bullshark [8] (reducing commit latency to 2 waves), Shoal [16] (pipelining and leader reputation), Mysticeti [9] (achieving fast-path commit sub-wave), and Shoal++ [17] (near-optimal latency)—further optimize the latency-throughput frontier while maintaining Byzantine tolerance $f<n/3$.

The choice of stake-to-weight mapping fundamentally determines the Sybil resistance and fairness properties of a protocol. Table I summarizes four representative rules.

Pure-PoS (Algorand, Tendermint) is Sybil-neutral: stake splitting yields neither gain nor loss. SRSW (used conceptually in Cosmos governance discussions [18]) introduces sub-linear fairness at the cost of Sybil gain $\sqrt{K}$. LSW worsens vulnerability to approximately linear gain relative to split factor, rendering it catastrophically exploitable. Alternative approaches to address wealth compounding have been proposed [19, 20, 21], but none simultaneously mitigates the Sybil-fairness-plutocracy trilemma.

We employ three complementary decentralization metrics: the Nakamoto coefficient [4, 5] (minimum coalition to achieve a $1/3$ threshold, Fig. 1); the Gini coefficient (inequality of reward distribution); and the Herfindahl-Hirschman Index (HHI, sum of squared market shares). These metrics capture different aspects of centralization: coalition vulnerability, distributional inequality, and concentration.

To the best of our knowledge, variance-based sensitivity analysis (Sobol indices [22]) has not previously been applied to characterize DAG-BFT consensus robustness. To the best of our knowledge, this work presents the first quantitative input sensitivity analysis for DAG-BFT consensus, providing peer-reviewed evidence of parametric stability.

We consider a set of $n$ validators $\mathcal{V}=\{v_{1},\ldots,v_{n}\}$ with $n\geq 4$, each possessing attributes $(s_{i},u_{i},\text{rep}_{i},\ell_{i})$ representing stake, uptime, reputation score, and latency score.

Stake bounds. Validator stakes are constrained: $s_{i}\in[S_{\min},S_{\max}]$ with $S_{\min}=5.000$ and $S_{\max}=50.000$ token units. The normalized stake factor is defined as:

Reward score. The multi-factor composite reward score for validator $i$ is:

with simplex constraint $\alpha+\beta+\gamma+\delta=1$ and default parameterization $(\alpha,\beta,\gamma,\delta)=(0.20;\;0.25;\;0.40;\;0.15)$.

Lagged reputation. The reputation factor $\text{Rep}(i)$ evolves throughout each epoch via increment, decay, and slashing (see Algorithm 1 and Section VIII.C). To prevent circular dependency between epoch $e$ selection results and epoch $e$ selection weights, FairWave introduces a temporal separation between observed and active reputations. Let $\text{Rep}_{\text{final}}(i,e)$ denote the final reputation value of validator $i$ at epoch closure (i.e., after all increments, decay, and slashing throughout epoch $e$ have been applied). Then the active reputation used for $R(i)$ computation at epoch $e$ is:

In other words, the reputation value used in $W_{\text{rew}}$ at epoch $e$ is the value frozen at epoch $e-1$ closure, and reputation updates occurring throughout epoch $e$ only affect $W_{\text{rew}}$ at epoch $e+1$. This is analogous to delayed validator activation practice in some production PoS protocols but applied here specifically to the reputation component to ensure forward-causality property in the dual-channel architecture (see Proposition 1 in Section V).

Fig. 2 illustrates the lagged-reputation timeline and the SNAPSHOT phase that freezes $\mathrm{Rep}_{\mathrm{final}}(e)$ for use at epoch $e{+}1$.

Validator registry. The validator set $\mathcal{V}_{e}$ for epoch $e$ is determined atomically at epoch $e-1$ boundary via a seven-phase ceremony: FREEZE $\to$ SLASH $\to$ REGISTRY $\to$ SEED $\to$ SNAPSHOT $\to$ RESET $\to$ BARRIER. The set is locked per-epoch; no stake modifications occur intra-epoch.

Fig. 3 illustrates the atomically-executed seven-phase ceremony that establishes the next-epoch validator set and the frozen reputation snapshot.

For safety, the protocol maintains safety under full asynchrony. An anchor commit requires observing strong support from $\geq 2f+1$ vertices that are causally reachable—not from the delivery deadline.

For liveness, we assume partial synchrony (Dwork-Lynch-Stockmeyer [23]): there exists a Global Stabilization Time (GST) after which all messages are delivered within delay bound $\Delta$. Before GST, liveness is not guaranteed, but safety is maintained unconditionally.

Static Byzantine adversary. The adversary controls at most $f=\lfloor(n-1)/3\rfloor$ validators (by weighted stake). Byzantine validators can equivocate (produce conflicting vertices for the same round), selectively withhold messages, and coordinate timing within delay bound $\Delta$.

Sybil’s adversary. An attacker controlling aggregate stake $X$ can split into $K$ Sybil identities, each holding $X/K$ stake. We analyze selection gain $g(K)$ as the ratio of adversarial power after splitting to power before splitting.

Equivocation detection. Conflicting vertices from the same validator in the same round are detected with probability $p_{\text{detect}}=0.95$ via VRF proof validation and cross-referencing DAG parent sets. Augmentation with adversarial‑resilient detectors (e.g., HI‑XDR) is possible [24].

The composite reward score (Eq. 2) combines four factors: stake $S(i)$, uptime $U(i)$, reputation $\text{Rep}_{\text{active}}(i,e)$, and latency $L(i)$. Stake is external to consensus (locked in validator registry per epoch), and reputation is updated endogenously from commit results (see Algorithm 1 and Eq. 3). This subsection formalizes that the remaining two factors—uptime and latency—are deterministically derived from the finalized DAG structure, so all honest validators agree on their values without requiring an external oracle.

Notation. For epoch $e$, let $\mathcal{R}_{e}=\{r_{1},r_{2},\ldots,r_{R_{e}}\}$ denote the set of DAG rounds in that epoch, with $R_{e}=|\mathcal{R}_{e}|$. Let $\mathcal{D}_{e}$ denote the finalized DAG throughout epoch $e$, i.e., the sub-DAG all of whose vertices have entered the causal history of at least one committed anchor. For validator $i$, define $\mathcal{V}_{i}(e)=\{v\in\mathcal{D}_{e}:\text{proposer}(v)=i\}$ as the set of vertices proposed by $i$ and entered into the finalized DAG at epoch $e$.

In practice, DAG metrics can feed detectors (e.g., HI‑XDR) to flag suspicious validators [24].

Since in DAG-BFT each validator proposes at most one vertex per round, $|\mathcal{V}_{i}(e)|\leq R_{e}$ and $U(i,e)$ directly measures continuous participation: value $U=1$ indicates the validator is present every round throughout the epoch; value $U=0$ indicates the validator is perpetually offline.

Validators whose vertices are consistently referenced in the next round ($\delta=1$) obtain $L=1$; validators whose vertices are covered only after $\geq\ell_{\max}$ rounds obtain $L=0$.

Determinism and Byzantine tolerance. Equations (4)–(7) reference only (i) the finalized DAG structure $\mathcal{D}_{e}$ and (ii) the validator set $\mathcal{V}_{e}$ at that epoch. Both objects are already agreed upon via the DAG-BFT commit mechanism itself: every honest node running the protocol stores $\mathcal{D}_{e}$ that is identical (modulo causal history from the same committed anchor) and validator registry $\mathcal{V}_{e}$ identical (locked at epoch $e-1$ boundary). Consequently, functions $U(i,e)$ and $L(i,e)$ are deterministic functions of consensus state, and any two honest nodes computing them at epoch $e$ boundary will obtain bit-exact identical numerical values. Byzantine tolerance over $U$ and $L$ values is inherited from DAG-BFT: no new attack surface is introduced, because Byzantine validators claiming different $U$ or $L$ values would be detected via local recomputation by every honest node.

No external oracle required. Unlike quality-based reward schemes commonly implemented on production PoS protocols (e.g., Polkadot era points [25] or Solana skip-rate penalties), which partially rely on external aggregators or oracles to report availability and latency, FairWave requires no component outside the consensus protocol set. There is no separate committee, no trusted reporter, and no additional communication channel for agreeing on $U$ and $L$ values. Consequently, FairWave’s threat model for reward computation is identical to the threat model of the underlying DAG-BFT: if DAG consensus is safe under $f<n/3$, then reward score computation is also safe under the same assumption.

Three fundamental architectural decisions underpin FairWave: asynchronous security, DAG-based data dissemination, and VRF-based leader selection. We justify each in sequence.

Why asynchronous BFT, not partially synchronous BFT? Classical leader-based protocols (PBFT [11], HotStuff [10], and Tendermint [12]) depend on the Global Stabilization Time (GST) assumption: after an unknown time, all messages arrive within a known bound $\Delta$. Before GST, liveness is not guaranteed—if the network remains unstable, the protocol stalls until a timeout expires and a view change selects a new leader. On wide-area deployments with heterogeneous ISPs, transient partitions can persist for minutes, triggering cascading timeouts of many multiples of $\Delta$. Asynchronous BFT protocols, in contrast, guarantee safety and liveness under arbitrary message delays and require only eventual delivery.

FairWave inherits this asynchronous property through its DAG-BFT structure: when a VRF-selected anchor is unreachable, the protocol executes an instant wave skip with zero timeout delay, in contrast to partially synchronous protocols that block the entire timeout window ($\geq 8$ s in a typical Tendermint configuration). The safety property (agreement and validity) is a formal guarantee that follows from the $2f{+}1$ strong-support commit rule for any correct DAG-BFT protocol under $f<n/3$, and holds unconditionally; consequently, adversarial evaluation at Task F (Section VII-F) does not present safety as a differential claim, but instead focuses FairWave’s differentiation on the liveness-degradation curve around the Byzantine boundary.

Why DAG-based consensus, not a linear chain? In linear-chain BFT, a single leader proposes one block per round, creating a throughput bottleneck proportional to leader bandwidth. The DAG paradigm, pioneered by Narwhal+Tusk [7], separates data dissemination from ordering: all $N$ validators produce vertices in parallel each round, yielding $N\times$ data availability throughput. Consensus ordering is then applied retroactively by selecting anchor vertices and committing their causal history. This eliminates three pathologies of leader-based protocols: (i) single-leader bandwidth bottleneck, (ii) explicit multi-phase voting (DAG edges function as implicit votes), and (iii) view-change mechanism (replaced by costless wave skip). Empirically, DAG-BFT protocols achieve throughput scaling linearly with $N$ (see Fig. 18 in Section VII), whereas leader-BFT plateaus or degrades above $N=50$ due to $O(N^{2})$ message complexity.

Why VRF-based anchor selection? Deterministic leader schedules (round-robin or stake-proportional) are predictable: an adversary can target the next leader with denial-of-service attacks before their slot begins. Verifiable Random Functions (VRF, RFC 9381 ECVRF Edwards25519-SHA512-Elligator2) provide three properties that address this: (i) unpredictability—only the holder of the secret key can compute the VRF output, so no party can predict the anchor before the selection round; (ii) verifiability—every observer can verify the VRF proof against the public key, ensuring integrity without trusted setup; (iii) non-interactivity—each validator computes the racing key $k_{i}=-\ln(u_{i})/W_{\text{sel}}(i)$ independently, requiring no additional communication round. The exponential race mechanism ensures that selection is distributionally equivalent to weighted sampling proportional to $W_{\text{sel}}$, preserving the security guarantees of the dual-channel architecture. The marginal overhead is $+2$ ms commit latency versus Bullshark (Table V), an acceptable trade-off for DoS-resistant leader selection.

FairWave operates on a DAG-BFT wave protocol. Each wave consists of $r=3$ rounds. Vertices are cryptographically signed messages that reference $\geq 2f+1$ vertices from the previous round as parents. Anchors are selected per wave via weighted VRF sortition using $W_{\text{sel}}$. A Commit occurs when $2f+1$ support vertices referencing the anchor are observed.

Fig. 4 illustrates the DAG-wave and anchor-selection structure and the $2f{+}1$ strong-support commit condition.

Per-epoch metric computation. At each epoch boundary, after the seven-phase ceremony (FREEZE $\to$ SLASH $\to$ REGISTRY $\to$ SEED $\to$ SNAPSHOT $\to$ RESET $\to$ BARRIER) completes and the latest epoch DAG has been finalized, each node computes $U(i,e)$ and $L(i,e)$ for all $i\in\mathcal{V}_{e}$ locally using Eqs. (4)–(7). Since finalized DAG $\mathcal{D}_{e}$ is identical across all honest nodes (modulo causal history from committed anchors) and validator set $\mathcal{V}_{e}$ is atomically locked at epoch $e-1$ boundary, both metric values will be identical across all honest nodes without additional message exchange. The equivocation detection penalty (see Algorithm 1) modifies Rep—not $U$ or $L$—so $U$ and $L$ computation does not depend on slashing results and does not create cross-metric feedback paths. Consequently, weight vectors $W_{\text{sel}}$ and $W_{\text{rew}}$ used at epoch $e+1$ can be assembled trustlessly by each node at the end of epoch $e$, without additional aggregation steps, without a separate committee, and without an external oracle.

FairWave’s central architectural innovation is the explicit separation of consensus-critical selection from economic reward distribution via channels with opposite curvature with respect to stake:

Fig. 5 illustrates the dual-channel separation between selection and reward channels and their opposite curvature in stake.

Selection channel (operational decisions—anchor selection, critical-path participation) is amplified by quadratically-compressed stakes but without reputation contribution:

Define real-time performance score $P(i)=\alpha\,S(i)+\beta\,U(i)+\delta\,L(i)$ so that $W_{\text{sel}}(i)=P(i)\cdot S(i)^{2}$. With the default simplex constraint $(\alpha,\beta,\gamma,\delta)=(0.20;\,0.25;\,0.40;\,0.15)$, the fraction $\alpha+\beta+\delta=0.60$ of total weight mass remains in the selection channel, while fraction $\gamma=0.40$ is allocated exclusively to the reward channel. Weight $W_{\text{sel}}$ remains super-linear with respect to stake, amplified by a quadratic exponent on the compressed stake factor.

Reward channel (economic incentives—block reward distribution) retains the full multi-factor score:

with $\text{Rep}_{\text{active}}$ being the lagged reputation as defined in Eq. (3). This weight is sub-linear in stake via $S(i)=\sqrt{s_{i}/S_{\max}}$ and is bounded above by $R(i)\leq 1.0$ with a floor $(1-\alpha)$ for any validator maintaining perfect non-stake attributes.

Justification: removing Rep from the selection channel. In the initial formulation $W_{\text{sel}}=R\cdot S^{2}$ where $R$ included $\gamma\,\text{Rep}$, a one-step positive feedback loop arises: high $\text{Rep}(i)$ $\Rightarrow$ high $R(i)$ $\Rightarrow$ high $W_{\text{sel}}(i)$ $\Rightarrow$ increased anchor-selection frequency $\Rightarrow$ faster accumulation of active support $\Rightarrow$ higher $\text{Rep}(i)$ in the next epoch. This loop structurally shifts centralization from the stake dimension to the reputation dimension without resolving the core issue—selection power concentration on validators already dominant in previous epochs. By excluding Rep from $W_{\text{sel}}$ (Eq. 8), we break the direct causal path between epoch $e$ selection results and selection weights in the same epoch; the formal statement appears in Proposition 1 in Section V.

Reputation remains fully effective in the reward channel. Excluding Rep from $W_{\text{sel}}$ does not eliminate reputation’s role as a long-term honesty incentive. Reputation remains the largest component ($\gamma=0.40$) of $W_{\text{rew}}$, so validators who behave honestly over time still receive larger reward shares than validators who have only recently recovered from slashing. Consequently, the game-theoretic equilibrium for reputation farming remains below the critical threshold $\gamma_{\text{crit}}\approx 0.57$ (see Eq. 10): attackers creating low-cost identities solely to farm reputation still face a break-even at $\gamma_{\text{eff}}\approx 0.72$ when combined with equivocation slashing. The justification for $\gamma=0.40$ in Section IV.D therefore remains valid without modification for the reward channel.

This separation reinforces the dual-channel philosophy. FairWave’s architectural innovation is expressed as opposite curvature in stake across two distinct protocol functions. Eq. (8) reinforces—rather than weakens—this philosophy: the selection channel now puristically relies on measurable real-time performance (epoch-locked stake, DAG-derived uptime, DAG-derived latency—all verifiable bit-exact by any honest node at epoch boundary), while the reward channel integrates historical components (lagged reputation) reflecting longitudinal quality. This temporal separation—operational real-time for selection and historical lagged for reward—yields two guarantees that were previously in tension: (i) no epoch $e$ selection weight depends on epoch $e$ selection outcomes, so anchor computation is strictly forward-causal; and (ii) honesty incentives are preserved because reputation affects economic dimension (reward) without amplifying selection power.

Rationale. Super-linearity of the selection channel ensures that splitting a stake into $K$ Sybil identities reduces aggregate selection weight (Sybil gain $<1$, see Theorem 1). Simultaneously, reward-channel sub-linearity ensures high-quality small validators receive proportionally higher returns per unit stake invested, preventing plutocratic convergence.

Classic PoS protocols (Cosmos Tendermint, Algorand, and Ethereum 2.0 Casper-FFG) use stake-only weighting, producing two pathologies: (i) reward concentration proportional to capital and (ii) no long-term disincentive for dishonest behavior beyond slashing. FairWave’s multi-factor score $R(i)=\alpha S+\beta U+\gamma\text{Rep}+\delta L$ introduces three non-stake factors that are non-fungible and not purchasable—they must be earned through sustained honest participation, combining skin-in-the-game (PoS) with bona fide work (analogous to PoW/PoSpace).

$\alpha=0.20$ (stake): Anti-Sybil floor. With the revision in Eq. 8 that excludes reputation from $W_{\text{sel}}$, the closed-form Sybil gain (Eq. 13) converges at $x=1$ to $g\to(\beta+\delta)/(\alpha+\beta+\delta)=(1-\gamma-\alpha)/(1-\gamma)$ as $K\to\infty$. Thus, an attacker splitting into infinitely many Sybils loses at least a fraction $\alpha/(1-\gamma)$ of the selection share. For $(\alpha,\gamma)=(0.20,\;0.40)$, the infinite-Sybil loss is $0.20/0.60\approx 33.3\%$; equivalently, an adversary must commit $\approx 3.0\times$ the honest stake budget to recover the lost selection share, making splitting economically unattractive. The safe range for $\alpha$ is $[0.10,0.30]$: below $0.10$ the anti-Sybil floor degrades unacceptably, while above $0.30$ the protocol approaches Pure-PoS whale dominance. The default $\alpha=0.20$ is a conservative midpoint within this range.

$\gamma=0.40$ (reputation): Longitudinal honesty reward. Reputation is the only factor requiring historical accumulation—it cannot be transferred, bought, or obtained instantly. Assigning $\gamma$ as the largest weight binds rewards to longitudinal identity, providing multi-step Sybil resistance beyond the selection channel. This choice mirrors reputation weightings like Hedera Hashgraph [26] ($\approx 40\%$) and Polkadot Era Points [25]. Trade-off: each $+0.10$ in $\gamma$ reduces farming resistance by approximately $0.07$ (slope $-0.70$ from Eq. 10); the default $\gamma=0.40$ maintains farming resistance $\geq 0.50$ when combined with equivocation slashing (penalty $-0.30$ per detection).

$\beta=0.25$ (uptime): Continuous availability. Uptime is a real-time observable that is expensive to spoof without equivalent operational cost. DAG-BFT protocols require continuous vertex propagation (unlike leader-BFT, where nodes can be temporarily offline), making uptime more critical. Empirical sweeps show the fairness objective is relatively flat for $\beta\in[0.10,\;0.40]$, confirming $\beta=0.25$ lies in a robust region. Industry norms (Solana skip-rate penalties approximately $10$–$20\%$, Polkadot Era Points approximately $20\%$) support this calibration.

$\delta=0.15$ (latency): Infrastructure tie-breaker. Latency is the factor most easily optimized via infrastructure investment (dedicated hardware, co-location, and peering). A large $\delta$ would induce an infrastructure arms race favoring well-capitalized validators—contrary to fairness goals. A small weight makes latency a tie-breaker among validators comparable on other factors, sufficient to disincentivize very slow nodes (P99 $>500$ ms) without driving extreme optimization. Empirical sweeps show that $\delta\geq 0.20$ begins to reward such infrastructure investment disproportionately, eroding the fairness gain; $\delta=0.15$ is the identified sweet spot that retains the tie-breaker role without favoring well-capitalized validators.

Literature comparison. Table II summarises multi-factor approaches in production protocols, confirming FairWave’s parameterization aligns with industry precedent while providing formal guarantees absent in prior work.

Ablation analysis. To demonstrate each factor is necessary (not merely convenient), Table III reports the consequences of setting each weight to zero while evenly redistributing its mass to the remaining factors.

Removing stake ($\alpha=0$) eliminates the anti-Sybil floor entirely—an attacker splitting into $K$ identities suffers no penalty, making the protocol trivially exploitable. Removing reputation ($\gamma=0$) removes the farming attack vector but simultaneously eliminates the incentive for longitudinal honesty: validators lack a long-term stake in maintaining exemplary behavior, reducing the protocol to a transient metric-based system. Removing uptime ($\beta=0$) permits ”zombie validators” (nodes that are perpetually offline) to accumulate rewards via reputation alone; empirically, the Gini coefficient increases and the protocol tolerates roughly 15% more inactive validators before liveness degrades. Removing latency ($\delta=0$) eliminates differentiation between geo-diverse and co-located validators, reducing incentives for network quality; while the direct fairness impact is small, throughput sensitivity increases (One-At-a-Time elasticity of link latency to throughput: $|e|=1.17$).

Robustness over optimality. The default parameter vector $(0.20;\;0.25;\;0.40;\;0.15)$ ranks 576/819 in the constrained feasible set—deliberately not Pareto-optimal. This conservative choice is motivated by robustness to model misspecification: the default simultaneously satisfies all security constraints across three evaluation regimes (homogeneous, heterogeneous, adversarial), whereas the Pareto-optimal point ($\alpha=0.10,\;\gamma=0.00,\;\delta=0.45$) assumes adversarial farming as the primary concern. Under regime uncertainty—where the deployment environment may shift between cooperative and adversarial periods—the parameter vector that satisfies all constraints with margin is preferred over one that optimizes a single objective.

Threshold farming (game-theoretic). The closed-form farming resistance satisfies $\text{MW}_{\text{farm}}=\alpha\cdot S_{r}+(1-\alpha)-0.70\gamma$, where $S_{r}=\sqrt{S_{\min}/S_{\max}}$. Requiring $\text{MW}_{\text{farm}}\geq 0.50$ (the minimum threshold for rational, honest behavior) yields the critical bound:

For $\gamma>0.57$, a rational adversary can profitably farm reputation to dominate reward share. The default $\gamma=0.40$ provides a safety margin of 30% below this critical threshold. Combined with equivocation slashing ($-0.30$ per detection, recovery half-life $\approx 69$ epochs), the effective break-even farming shifts further to $\gamma_{\text{eff}}\approx 0.72$, confirming operational safety.

Principled criteria for $\beta$ and $\delta$. Rather than arbitrary selection, $\beta$ and $\delta$ are constrained by two conditions: (i) the simplex constraint $\beta+\delta=1-\alpha-\gamma=0.40$ and (ii) the principle of asymmetry of controllability: $\beta>\delta$ because uptime is a binary operational commitment (maintain a server $\to$ $U\approx 1$), while latency partially depends on uncontrollable factors (geographic distance, ISP routing). Assigning higher weight to the more controllable factor ensures validators can improve their score through effort rather than capital. The ratio $\beta/\delta=5/3$ reflects that uptime is roughly $5/3\times$ more controllable than latency in typical cloud deployments.

Anchor selection uses exponential racing via a Verifiable Random Function (VRF, RFC 9381 ECVRF Edwards25519-SHA512-Elligator2): each validator $i$ computes the racing key $k_{i}=-\ln(u_{i})/W_{\text{sel}}(i)$ where $u_{i}\in(0,1)$ is derived from the VRF output. The validator with the minimum $k_{i}$ is selected as the anchor. This mechanism is distributionally equivalent to weighted sampling proportional to $W_{\text{sel}}$ while providing unpredictability and non-interactivity.

Algorithm 1 presents FairWave protocol logic in full, covering weight computation, VRF-based anchor selection, support gathering, equivocation detection, commit decision, reward distribution, and reputation update.

Under homogeneous performance ($U=\text{Rep}=L=1$, Regime A), the reward score reduces to $R(i)=\alpha\cdot S(i)+(1-\alpha)$. The minimum-to-maximum reward ratio admits closed form:

On default parameters: $R_{\min}/R_{\max}=0.20\cdot\sqrt{0.1}+0.80=0.863$. This is validated bit-exact ($\epsilon=0.0$) against 99 empirical evaluation points (Fig. 6).

Consider an attacker controlling normalized stake fraction $x\in(0,1]$ splitting into $K$ Sybil identities. Under Regime A ($U=L=1$ and without reputation contribution to $W_{\text{sel}}$ per Eq. 8), the real-time performance score becomes $P=\alpha S+(\beta+\delta)$, so the aggregate selection weight of $K$ Sybils simplifies to:

Weight without split is $W_{\text{sel}}^{(1)}=\alpha x^{3/2}+(\beta+\delta)\cdot x$. Selection gain is:

Numerical example. For $K=100$, $x=1$, $(\alpha,\beta,\delta)=(0.20,\;0.25,\;0.15)$: numerator $=0.20/10+0.40=0.42$, denominator $=0.20+0.40=0.60$, hence $g_{\text{sel}}(100)=0.70$. An attacker loses 30% of selection share by splitting into 100 Sybils—strictly stronger than $g=0.82$ for the earlier formulation that included Rep in $W_{\text{sel}}$. Empirical comparisons with other reward rules are shown in Fig. 7.

Under the FairWave reward rule, the stake growth rate for validator $i$ is given by $ds_{i}/dt=\text{REWARD\_TOTAL}\cdot R(i)/\sum_{j}R(j)$. Since $R(i)$ saturates as $s_{i}\to S_{\max}$, all high-quality validators converge to a similar reward share:

Corollary. Epoch $e$ anchor selection results can only affect $W_{\text{sel}}$ at epochs $\geq e+2$, with a minimum two-epoch delay arising from (i) reputation and DAG metric updates at the close of epoch $e$, and (ii) the additional one-epoch lag in the use of $\text{Rep}_{\text{active}}$. This eliminates intra-epoch feedback loops and removes the structural vulnerability where validators frequently selected as anchors in epoch $e$ obtain an additional selection advantage in the same epoch—a vulnerability present in the earlier formulation $W_{\text{sel}}=R\cdot S^{2}$ when $R$ included $\gamma\,\text{Rep}$.

The parameter space $(\alpha,\beta,\gamma,\delta)$ is systematically explored via 1,407 evaluation points on the 4-D simplex (Fig. 31(a)). The Pareto frontier (Fig. 32) of Min/Whale ratio versus reputation farming resistance identifies a feasible region bounded by $\alpha\geq 0.10$ (Sybil safety floor) and farming-resistance $\geq 0.50$.

The evaluation framework is implemented in Python 3.12 with minimal dependencies (NumPy only for Sobol sampling). The codebase consists of nine analytical modules, an RFC 9381 ECVRF-conformant VRF module (Edwards25519-SHA512-Elligator2), and a post-quantum cryptography overhead benchmark module.

Implementation is validated by 251 deterministic unit tests plus 96 property-based Hypothesis subtests (total 347), all reproducible via fixed seed (0xC0FFEE).

Nine protocols are evaluated under identical parametric assumptions: DAG-BFT: Narwhal+Tusk (3-wave), Bullshark (2-wave), Mysticeti (1-wave), FairWave (2-wave + VRF). Leader-BFT: PBFT (3-phase), Tendermint (3-phase), HotStuff (4-phase), HotStuff-2 (2-phase). PoS-1: Algorand (3-phase VRF sortition). Protocol representation, the baseline systems are modeled according to their published protocol spesifications and documented design characteristics. The purpose of the evaluation is not to reproduce implementation-spesific performance results but to analyze and compare consensus level properties within a standarized experimental setting. To ensure comparability, all protocol models are assessed under identical assumptions regarding network conditions,workload generation, and adversarial behavior. Consequently, the reported results should be interpretedas comparative protocol-level evidence under standarized experimental conditions rather than implementation-level performance benchmarks.

Performance characteristics of all compared protocols are presented in Section VII (Fig. 17).

Multi-metric sensitivity to weight parameters is comprehensively characterized via $\alpha$ sweep (Fig. 30 in Section VII), simplex landscape (Figs. 31(a), Figs. 31(b)), and Pareto frontier (Fig. 32) in Appendix APPENDIX.

Closed-form expressions for all four reward rules are validated against numerical simulation across 1,407 parameter cells. Maximum observed absolute error: $\epsilon_{\max}=0.0$ (machine precision). Reward histograms (Fig. 8) visualize distributional differences across rules.

$10,000$ waves are simulated with $N=50$ validators across five heterogeneous profiles. Fig. 9 shows the most frequently selected top-$K$ anchors. Law-of-Large-Numbers convergence at rate $O(1/\sqrt{T})$ and breakdown of selection share by validator profile are presented in Appendix APPENDIX.

FairWave achieves $3.3\times$ Gini coefficient reduction relative to Pure-PoS while maintaining quality differentiation—unlike LSW, which achieves the lowest Gini (0.053) but cannot distinguish high-quality from low-quality validators. Lorenz curves (Fig. 10), Gini comparison (Fig. 11), cumulative reward trajectories (Fig. 12), then, for ROI analysis (Fig. 13) provide comprehensive visualization.

Four adversarial scenarios were evaluated. Figs.14(a) and Figs.14(b) present single-whale concentration analyses; Fig.15 visualizes the cartel capture threshold; Fig.16 plots the power amplification curve.

FairWave commit latency (82.9 ms) is within 2.5% of Bullshark (80.9 ms), with the marginal overhead attributable to VRF-based anchor unpredictability. Throughput is effectively identical across the DAG-BFT family due to parallel vertex production. The latency CDF (Fig. 19) and finality scaling (Fig. 20) complete the performance characterization.

This subsection reports results from 420,000 adversarial Monte Carlo rounds executed over 84 parameter cells. To avoid conflating formal guarantees with empirical differential claims, we separate two types of claims commonly combined in BFT evaluation: (i) safety — a formal property inherited from a correct protocol design; and (ii) liveness — an empirical, differential property that depends on protocol behavior near the Byzantine boundary.

Safety claim (formal, inherited from design). FairWave’s safety properties—agreement (no two honest validators commit different anchors in the same wave) and validity (committed anchors are always proposed by validators in $\mathcal{V}_{e}$)—are a formal consequence of the $2f+1$ strong-support commit rule for DAG-BFT correctness under $f<n/3$. This property holds unconditionally for any correct protocol in this family (including Bullshark, Narwhal+Tusk, Mysticeti, and Tendermint) and does not depend on FairWave’s parameterization $(\alpha,\beta,\gamma,\delta)$ or the dual-channel architecture. Consequently, the observation ”420,000 rounds without a safety violation” is consistent with—but does not prove—the superiority of FairWave: identical results are expected for any correct baseline protocol under the same adversarial scenario and $f<n/3$. We therefore do not present the absence of safety violations as a differential achievement; the value of the experiment is to ensure no regressions relative to known-correct BFT baselines and to validate the reference implementation.

Liveness claim (empirical, candidate differential). The candidate differential claim of FairWave in Task F is the characteristic shape of the liveness-degradation curve near the theoretical Byzantine boundary $b^{*}=1/3$. Fig. 21 shows commit rate as a function of Byzantine fraction $b$ for $N\in\{10,50,100\}$. Two measurement points obtained directly from simulation are a commit rate of $99.6\%$ at $b=0.20$ (safe regime, well inside the boundary) and $71.1\%$ at $b=0.33$ (just beyond the theoretical threshold). Between these verified points the curve is monotone-continuous without a discontinuous cliff; Table VI summarizes reference sweep points for the default configuration ($N=50$, $\Delta=100$ ms, zero partition). We label this claim “candidate differential” because the structural argument for the shape (developed below) is sound, but a direct head-to-head sweep against leader-BFT baselines under identical conditions remains future work (Section IX).

Three structural characteristics distinguish this curve from those expected of classic leader-BFT protocols (Tendermint, HotStuff):

• •

  (i) Absence of a discontinuous cliff at the operational boundary. FairWave’s curve decreases monotonically-continuously from $99.6\%$ to $71.1\%$ as $b$ increases from $0.20$ to $0.33$, without the sharp drop expected of view-change-driven protocols when a Byzantine leader and timeout windows cause cascading stalls.

• •

  (ii) Lack of a cascade-timeout mechanism. FairWave uses a cost-free wave-skip (Section IV-A) that advances immediately to the next wave when an anchor cannot be committed, whereas leader-BFT requires a view change with expanding timeout windows that can stall the protocol for many multiples of $\Delta$ as the leader-Byzantine fraction increases.

• •

  (iii) Latency stability in the safe regime. Commit latency percentiles (P50, P95, P99; Fig. 23) remain stable up to $b\approx 0.25$ and then increase sharply as the protocol approaches the theoretical liveness boundary.

Near-threshold analysis (qualitative). The structural root of the three characteristics above is architectural: FairWave separates data dissemination from ordering and replaces view-change with exponential-racing VRF-based anchor selection. Thus, when a VRF-selected anchor happens to be controlled by the adversary, the cost to advance to the next wave is a single round (a fresh VRF computation), not a full timeout window. In leader-BFT protocols, by contrast, each failed view-change triggers exponential increases in the subsequent timeout (exponential backoff) to guarantee liveness under partial synchrony; the practical effect is a more rapid decline in commit rate—and a steeper profile—as the leader-Byzantine fraction increases. This differentiation makes the shape of the liveness-degradation curve a differential property FairWave can claim; the exact magnitude of the difference, including the onset point $b^{\dagger}=\min\{b:\text{commit rate}(b)\leq 0.95\}$ for each protocol, will be reported after a finer-grained $b$ sweep against leader-BFT baselines (Section IX).

Supporting validation. Fig. 22 maps the two-dimensional fault space (Byzantine $\times$ offline) and confirms the combined bound $\text{byz}+\text{offline}\leq 1/3$, consistent with theoretical BFT predictions. Fig. 23 characterizes the latency distribution under adversary conditions, and Fig. 24 demonstrates partition-recovery dynamics: after a 5-round partition event, cumulative commits return immediately to the ideal rate of 1 commit/round, confirming the absence of the permanent stalls typical of leader-BFT designs.

$50,000$ epochs with full stake reinvestment reveal long-term behavior of concentration metrics (Fig. 25(a)–26).

Three layers of evidence across $20,520$ cells. Figs. 27(a) shows selection gain versus split factor; Figs. 27(b) validates closed-form prediction; Fig. 28 presents economic cost-benefit analysis; and Fig. 29 evaluates combined Sybil+Byzantine threats.

Multi-metric sensitivity to stake weight $\alpha$ (Fig. 30) confirms that default parameterization operates in favorable region. Complete parameter space exploration—including objective landscape, farming resistance, and Pareto frontier—is presented in Appendix APPENDIX (Fig. 31(a)–32).

Three complementary analyses characterize parametric robustness: OAT elasticity, variance decomposition via Sobol indices, and combined perturbation robustness. All input elasticities for success_rate satisfy $|e|<0.25$, indicating that a $10\%$ perturbation on a single input yields output variation $<2.5\%$. Sobol analysis reveals throughput is dominated by link_latency ($S_{Ti}=1.0$), while security metrics are dominated by interactions. Under a combined $\pm 25\%$ perturbation on all eight inputs, the CV success rate is 5.2% (highly robust). Complete sensitivity visualization presented in Appendix APPENDIX (Fig. 33(a)–34(b)).

The elegant algebra of dual-channel decoupling emerges from applying opposite curvature in stake across distinct protocol functions: super-linear selection $\Rightarrow$ Sybil resistance ($g<1$); sub-linear reward $\Rightarrow$ fairness, bounded HHI; shared dependence on $R$ $\Rightarrow$ both channels reward quality. This decoupling avoids the old impossibility: previously, super-linear weights implied plutocracy, while sub-linear weights implied Sybil vulnerability.

Fig. 5 summarizes the dual-channel separation between selection and reward channels motivating the architectural claims in this section.

FairWave incurs a VRF overhead of $+2$ ms per anchor round relative to Bullshark. Commit latency is $82.9$ ms versus $40.5$ ms for Mysticeti—$2\times$ factor attributed to the 2-wave commit structure and VRF computation. Fig. 4 visualizes the DAG wave and anchor/commit structure that underpins the selection channel. Post-quantum migration overhead (ML-DSA-44: $+5$ ms; Hybrid Ed25519+ML-DSA: $+7$ ms) remains acceptable for $>99\%$ of use cases.

Reputation factor $\text{Rep}(i)$ evolves via three operations: Fig. 2 and 3 illustrate the lagged-reputation timing and the per-epoch seven-phase ceremony that realize the forward-causal reputation design described above. (i) increment of $+0.01$ per wave commit on active support, (ii) multiplicative decay of $\times 0.99$ per epoch boundary (half-life $\approx 69$ epochs $\approx 1.9$ hours), and (iii) punitive slashing ($-0.30$) on equivocation detection. Reputation farming resistance under adversarial conditions is characterized in (Figs. 31(b)).

Reward channel in isolation (R-only) exhibits Sybil gain $>1$ (Fig. 35(a)), due to floor $(1-\alpha)$ in $R$ for each Sybil identity. However, realized reward is proportional to anchor selection frequency (which uses $W_{\text{sel}}$), so realized reward inherits selection channel resistance.