Within a few months of each other, five independent teams published consensus protocols that all made the same deliberate trade: reduce Byzantine fault tolerance from ~33% to ~20% in exchange for single round finalization. The protocols were Minimmit (Commonware), Alpenglow (Anza Research / Solana), ChonkyBFT (Matter Labs), Kudzu (Offchain Labs), and Hydrangea (Supra/Espresso).
The convergence was not coincidental. It traced back to a 2006 result called FaB Paxos (Martin & Alvisi), which proved that finalization in a single communication round requires at least 5f + 1 replicas where f is the number of Byzantine faults tolerated. If you want to tolerate f = 20% of n validators, you need 80% of validators to vote to finalize. If you want to tolerate f = 33%, you cannot finalize in one round at all. The math is unambiguous.
The 2025 wave represents the community collectively deciding: 20% is enough, and the speed is worth it.
Of the five protocols, two are most instructive to study side by side: Minimmit and Alpenglow. They share the same theoretical foundation but diverge sharply in design philosophy, and that divergence reveals the essential tension in modern consensus engineering.
Minimmit: the minimal machine
Minimmit, published by Patrick O'Grady and Brendan Chou at Commonware on June 24, 2025 (and later accepted to Financial Cryptography 2026), is a study in radical simplicity. Its central insight is that view advancement and finalization do not need the same quorum size.
The protocol uses two thresholds:
L quorum (~40%, or n − 3f): sufficient to advance to the next view, producing a notarization or nullification certificate
Q quorum (~80%, or n − f): required to actually finalize a block
Because leaders only need 40% agreement to move forward, they can begin proposing the next block long before the current one is finalized. Blocks arrive faster than they finalize a deliberate pipeline effect that yields claimed block times of 50–130ms and finality around 100–250ms depending on validator topology.
The protocol's safety mechanism is elegant: a "nullify by contradiction" rule that allows replicas to retract their notarization votes when they can prove cryptographically, from conflicting certificates that finalization is impossible. This prevents a block from being simultaneously finalized and nullified, even under adversarial conditions.
Crucially, Minimmit has no slow path. If the 80% Q quorum cannot be reached, the chain stalls rather than falling back to a slower finalization mechanism. This is not an oversight it is a conscious design choice to keep the protocol minimal and analyzable.
Alpenglow: the full stack rewrite
Alpenglow, published by Quentin Kniep, Kobi Sliwinski, and Roger Wattenhofer at Anza Research on May 19, 2025, is a different kind of document entirely. It is not a consensus primitive it is a complete replacement of Solana's consensus stack, including data dissemination, storage, validator economics, and governance. The paper runs to over 50 pages and includes formal correctness proofs.
At its core, Alpenglow's finalization engine, Votor, runs two concurrent voting paths:
Both paths run simultaneously. Whichever threshold is reached first wins. This design achieves median finality of ~150ms a roughly 100x improvement over TowerBFT's 12.8 second deterministic finality.
The companion protocol, Rotor, replaces Solana's Turbine data dissemination layer with a single hop model using Reed Solomon erasure coding and Merkle authenticated shreds. Benchmarks show block data reaching 80% of stake within approximately 2 milliseconds. The paper also eliminates on chain vote transactions currently ~75% of all Solana transactions replacing them with off chain BLS aggregated signatures, reducing validator operating costs by roughly 20%.
Alpenglow passed community governance as SIMD 0326 with approximately 98.27% approval.
The quorum arithmetic that explains everything
To understand why these protocols make the trade offs they do, it helps to work through the numbers directly.
Under the classic 33% BFT model (n ≥ 3f + 1), a safe quorum requires 2f + 1 votes just over two thirds of validators. But two quorums of this size can overlap in as few as 1 validator, meaning you cannot guarantee that any two quorums share an honest node. This is why two communication rounds are needed: the second round establishes that at least one honest node witnessed the first.
Under the 20% BFT model (n ≥ 5f + 1), a single round finalization quorum requires 4f + 1 votes roughly 80% of validators. Now, any two such quorums must overlap in at least 3f + 1 nodes, which always includes at least one honest node. This overlap property is precisely what makes single round finalization safe: you can be certain that a finalizing quorum and any future quorum share honest validators who will prevent equivocation.
The cost is the reduced fault tolerance. With n = 1000 validators and f = 200 (20%), you are only safe if up to 200 validators are Byzantine. Under the 33% model, you could tolerate 333. In a large, permissionless validator set, those 133 extra tolerated faults matter.
The outage problem: where theory meets reality
The most significant practical difference between Minimmit and Alpenglow concerns what happens during partial network outages and the behavior is not symmetric.
Consider three scenarios:
Under 20% validators offline: Both protocols function normally. All quorums are reachable, finalization proceeds at full speed.
Between 20% and 60% validators offline: This is where the protocols diverge dramatically. Alpenglow's 60% slow path remains reachable the chain finalizes at reduced speed but continues functioning. Minimmit's 80% Q quorum cannot be reached, so no blocks are finalized. The L quorum of 40% may still be reachable, so leaders continue proposing blocks, but those blocks pile up unconfirmed. The chain is alive but useless.
Over 60% validators offline: Both chains halt completely.
The dangerous middle zone 20% to 60% outage is precisely the range most real world blockchain incidents occupy. Solana's historical outages were typically caused by 30–40% of validators being overwhelmed, partitioned, or flooded by junk transactions. Under Minimmit, those same incidents would have produced an unfinalized limbo state rather than a degraded but operational chain.
This asymmetry explains why Alpenglow's seemingly redundant slow path is actually essential engineering for a large public chain. Minimmit's decision to omit it is reasonable for a controlled deployment say, 20 validators in two data centers with monitored uptime guarantees but it represents a genuine liveness risk at Solana's scale.
The completeness gap
Beyond liveness, Minimmit and Alpenglow differ in what they actually ship.
Minimmit is a consensus specification. It answers: how do replicas agree on a sequence of blocks? It does not answer: how do blocks get distributed to validators? How do validators get compensated? How are equivocating validators slashed? What happens when a leader is offline?
Alpenglow answers all of these questions. Rotor handles data dissemination. The paper specifies validator admission tickets (1.6 SOL per epoch), reward structures, and slashing conditions. It includes formal proofs of safety and liveness. It defines how Firedancer Solana's high performance validator client interfaces with the new protocol.
This completeness gap is not a criticism of Minimmit. It is an architectural choice: Commonware positions Minimmit as a primitive that developers can compose with their own data dissemination, economics, and storage layers. This is genuinely powerful for teams building new chains from scratch. But it means that choosing Minimmit does not buy you a working system it buys you a well designed core around which you must build one.
What the 20% threshold buys you and what it costs
Both protocols are transparent about the security trade off they are asking validators and users to accept.
The speed gains are real and substantial. Going from TowerBFT's 12.8 second finality to Alpenglow's 150ms finality is not an incremental improvement it is a phase transition that enables use cases that were previously impossible: on chain real time auctions, DeFi strategies that respond to market conditions within a single block, gaming applications that require sub second state updates.
But the reduction from 33% to 20% fault tolerance is also real. Under Alpenglow's validator set distribution, the "halt line" the number of nodes that must be compromised or taken offline to stall the chain drops from approximately 22 large validators to approximately 9. This is a meaningfully smaller margin, particularly as Solana competes for institutional adoption where adversaries are better resourced and more sophisticated.
Neither protocol pretends otherwise. The honest position both papers take is: for most practical deployments, 20% is sufficient, and the speed gains justify the reduced margin. Whether that argument holds as blockchains grow in value and adversarial sophistication remains an open empirical question.
Looking forward
The 2025 consensus wave has set a new baseline for what high performance blockchain protocols look like. Single round finality at sub 200ms is now the design target, not the moonshot. The 5f + 1 model has moved from academic curiosity to production standard.
The practical implications are starting to materialize:
New chains will default to 20% BFT. Any team building a high performance L1 or application specific chain from 2025 onward would face a significant burden of justification for choosing a slower 33% BFT protocol. Minimmit and its peers have established that the speed gains are real and the security trade off is manageable.
Established chains face a harder choice. For Ethereum, migrating to a 20% BFT model would require fundamental changes to the validator set size, slashing conditions, and economic model. The conservatism is probably appropriate Ethereum secures hundreds of billions of dollars and its validator community has explicitly prioritized safety margins. But the performance gap with Alpenglow era chains will be difficult to ignore.
The composition problem becomes central. Minimmit's success as a primitive depends on the ecosystem around it. A great consensus algorithm embedded in a mediocre data dissemination layer will not outperform a well engineered full stack protocol like Alpenglow. The interesting design space is in how consensus primitives get composed with high quality networking, storage, and economic layers.
Formal verification is becoming table stakes. Alpenglow's inclusion of formal correctness proofs reflects a broader trend toward rigorous verification for production consensus protocols. The era of deploying consensus algorithms based on informal arguments and "obvious" correctness claims appears to be ending.
The convergence of five independent teams on the same core trade off in the same six month window is a strong signal that the field has found something real. The 20% threshold, the single round fast path, the BLS aggregated certificates these are not implementation details. They are the new foundations of high performance consensus, and the protocols built on top of them will define how blockchains operate for the next decade.
This post draws on the Minimmit blog post (Commonware, June 2025), the Alpenglow white paper v1.1 (Anza Research, July 2025), and analysis from Dankrad Feist's commentary on Minimmit.
