How Stellar consensus works (SCP & Federated Byzantine Agreement)
Most people learn blockchains through Bitcoin and Ethereum, so they assume consensus means one of two things: miners burning electricity, or validators staking money. Stellar does neither. It runs on the Stellar Consensus Protocol (SCP), designed by Stanford computer scientist David Mazières, and it reaches agreement through something genuinely different — overlapping circles of trust. This is the piece of Stellar most coverage either skips or gets wrong, so let’s do it properly.
The problem any consensus has to solve
A blockchain is just a shared ledger held by many independent computers. The hard part is getting all of them to agree on the same history — the same transactions, in the same order — even when some participants are slow, offline, or actively malicious. That last case is called the Byzantine problem, after a thought experiment about generals trying to coordinate while some of them are traitors.
Proof-of-work solves it by making history expensive to rewrite. Proof-of-stake solves it by making validators put money at risk. SCP solves it a third way: by letting each participant decide who it trusts, and building network-wide agreement out of those individual choices.
Quorum slices: the core idea
Here’s the one concept that unlocks everything else. Each validator chooses a quorum slice — the specific set of other validators it considers trustworthy enough that, if they agree on something, it will too.
Crucially, nobody hands out these lists. A bank running a validator might trust a few other banks, a couple of exchanges, and the Stellar Development Foundation’s nodes. Franklin Templeton, which runs a validator to protect its own tokenized fund, picks its own slice. There’s no central registry of “approved validators” — trust is expressed locally, by each node, in its own configuration.
From slices to quorums to one ledger
Individual slices overlap, and that overlap is where the magic happens. When you follow the chain of “I trust them, and they trust those, and those trust…” it converges into larger sets called quorums — groups large enough to make a decision stick. Because most participants in the real financial world end up trusting a similar core of reputable institutions, those quorums naturally knit together into a single agreed-upon ledger that everyone calls “the Stellar network.”
The non-negotiable rule that keeps it from breaking is quorum intersection: any two quorums must share at least one honest validator. As long as that’s true, two parts of the network can never confirm conflicting transactions, because the shared validator won’t vote for both.
How a value actually gets agreed: federated voting
Within that structure, agreeing on each ledger happens through federated voting, which moves in three steps. A validator first votes for a statement (say, “this set of transactions is next”). When it sees that the validators in its slices have also voted for it and none for anything contradictory, it moves to accept it. And once it confirms that a full quorum has accepted it, it confirms it — at which point the decision is final and irreversible. Stellar runs this for every ledger, closing one roughly every five seconds.
The defining choice: safety over liveness
Every distributed system faces a trade-off no one can escape: when things go wrong, do you keep running (liveness) or stop to stay correct (safety)? SCP picks safety, every time.
In plain terms: if Stellar’s validators can’t be sure they’re agreeing safely, the network halts — it stops closing ledgers and waits — rather than risk recording two conflicting histories. For a payments network settling real money, that’s the right call. A frozen ledger is an inconvenience; a forked one, where the same dollar exists in two places, is a catastrophe. As Stellar’s own engineers put it, a temporary halt is preferable to the permanent confusion of a fork.
When it actually broke
This isn’t theoretical. On May 15, 2019, the Stellar network halted for 67 minutes — the only time it has stopped in its entire history. The cause wasn’t a hack or a fork; it was the opposite of what most people assumed. A batch of newer validators had taken on more consensus responsibility than their reliability warranted, and when a couple of them dropped offline, the remaining nodes could no longer form quorums they trusted. The protocol did exactly what it’s designed to do: it stopped. Operators coordinated over public channels, tightened their quorum sets to highly available validators, and the network was closing ledgers again within the hour. SDF later summed it up bluntly — the network was, in effect, “too decentralized too fast.”
That single incident teaches more about SCP than any whitepaper: the system is robust against bad data but sensitive to how trust is configured.
So — is it actually decentralized?
This is the honest, contested part, and skipping it would be dishonest. In 2019, researchers at KAIST published a paper arguing Stellar’s quorum structure was “significantly centralized,” showing the network could be stalled by removing just two SDF-run nodes. Mazières’ rebuttal didn’t deny the centralization so much as reframe it: an FBA network that’s tuned for strong safety will, by mathematical necessity, have weaker liveness fault-tolerance — and that’s a deliberate trade, not a bug.
Where it stands today is a more institutional kind of decentralization than a proof-of-work chain. Around ninety validators run across the network, but the part that matters for safety is the Tier 1 core — roughly seven organizations whose nodes most others include in their quorum sets. As of early 2026 that set was SDF, Blockdaemon, SatoshiPay, Franklin Templeton, Lobstr, Creit, and Public Node — infrastructure specialists plus an asset issuer with real skin in the game. You can’t buy or stake your way into that group; the only path is for the other operators to trust you enough to add you to their slices.
There’s been real progress here, and it’s worth being precise about it. The network now tolerates roughly two of those organizations failing, which means no single operator — SDF very much included — can halt it alone. That’s a meaningful answer to the old “two SDF nodes can freeze everything” critique. The honest caveat: pull out three and consensus still stops, so this remains a concentrated core rather than a sprawling permissionless one — which is exactly why SDF set a target of widening the Tier 1 set toward thirteen organizations and a fault-tolerance of four. Judge it on its own terms: it isn’t anonymous, permissionless decentralization and isn’t trying to be. It’s a smaller set of accountable, identifiable institutions — which is precisely what makes it palatable to the regulated finance Stellar is built to serve.
Why this design fits Stellar
Step back and the logic is coherent. A network whose job is moving real money for banks and fund managers should prize finality and correctness over the romance of permissionless mining. It should settle in seconds, cost almost nothing, and never fork. It should be run by parties who can be reached and held responsible when something goes wrong. SCP delivers exactly that profile — and the trade-offs it makes are the trade-offs that mission requires.
Keep reading
- Back to the Stellar overview →
- Tokenization and RWAs on Stellar →
- Stablecoins on Stellar, explained →
I publish ongoing analysis on Stellar, XRP and Cosmos — subscribe here.
Informational only, not financial advice. Validator counts and Tier 1 figures shift over time; check stellarbeat.io for the live picture.
Sources: David Mazières / SCP whitepaper and the Stanford “safety vs. liveness” analysis, Stellar Development Foundation (May 15th network halt post-mortem, FAQ, quorum documentation), and the KAIST paper “Is Stellar As Secure As You Think?”
Last updated 2026-06