Quorum Signed Checkpoints For Bft Chain Exporters
Written by
Cipher Stone
I got annoyed the first time I tried to build a “blockchain exporter” that writes ledger data into a database: the exporter would sometimes ingest the same block twice, or worse, ingest a block that later got replaced during consensus. That’s not a database problem—it’s a consensus-finality problem.
So I built a small infrastructure pattern I now use in multiple projects: quorum-signed checkpoints for a BFT (Byzantine Fault Tolerant) blockchain exporter. The idea is to only advance the exporter’s “sync cursor” when a quorum of validator signatures attests that a checkpoint is final.
Below is what I learned building it end-to-end, including a tiny working prototype in code.
The concrete problem: “cursor drift” during reorgs
Most chains have a notion of finality: after some point, the network agrees a block won’t be replaced. In practice, though, many exporter pipelines still advance based on “latest seen block.”
That creates cursor drift:
- exporter sees block
N, writes it, advances cursor toN - consensus later reorgs, replacing
NwithN' - exporter now has inconsistent data unless it rolls back (often painful)
The fix is to move the cursor only at final checkpoints.
A niche mechanism: quorum-signed checkpoint certificates
In BFT systems, validators sign attestations about the chain state. I used a simple certificate rule:
- A checkpoint is
(height, block_hash, exporter_domain) - Each validator produces a signature over that checkpoint
- The exporter only advances after it collects at least
t+1signatures wheret = floor((N-1)/3)forNvalidators (a common BFT threshold)
I also included an exporter_domain string (like "my-exporter/v1") in the signed payload. That prevents signature replay across different indexing pipelines.
Key detail I didn’t expect to matter until I debugged it once: the signed payload must be canonical (stable byte encoding), otherwise two honest validators could sign different byte sequences for the “same” checkpoint.
What “BFT threshold” means in code
For BFT with up to t faulty validators out of N, safety is typically ensured when you can collect at least t+1 signatures for an action that must not conflict. For decision finality, systems often use more specific rules (e.g., 2t+1). The prototype below uses the t+1 idea to keep the demo small and focused on the exporter-cursor logic.
Working prototype: checkpoint signing + exporter cursor advancement
This prototype does three things:
- Creates
Nvalidators with Ed25519 keys. - Lets a subset of them sign a checkpoint.
- Verifies the signatures and advances the exporter cursor only if the threshold is met.
1) The complete code (single file)
# quorum_checkpoint_exporter.py # Python 3.11+ # pip install cryptography from dataclasses import dataclass from typing import Dict, List, Tuple import hashlib from cryptography.hazmat.primitives.asymmetric.ed25519 import ( Ed25519PrivateKey, Ed25519PublicKey ) from cryptography.hazmat.primitives import serialization def sha256(data: bytes) -> bytes: return hashlib.sha256(data).digest() def canonical_checkpoint_payload( height: int, block_hash_hex: str, exporter_domain: str ) -> bytes: """ Canonical byte representation of a checkpoint. This prevents "same checkpoint, different bytes" signature mismatches. """ if height < 0: raise ValueError("height must be non-negative") # Fixed-width height encoding (8 bytes big-endian) height_bytes = height.to_bytes(8, byteorder="big", signed=False) domain_bytes = exporter_domain.encode("utf-8") block_hash_bytes = bytes.fromhex(block_hash_hex) if len(block_hash_bytes) != 32: raise ValueError("block_hash_hex must be 32 bytes (64 hex chars)") # Simple canonical concatenation with length prefixes for variable fields return ( b"checkpoint/v1" + height_bytes + len(domain_bytes).to_bytes(4, "big") + domain_bytes + block_hash_bytes ) @dataclass(frozen=True) class Checkpoint: height: int block_hash_hex: str exporter_domain: str def message_to_sign(self) -> bytes: payload = canonical_checkpoint_payload( self.height, self.block_hash_hex, self.exporter_domain ) # Most signature schemes sign the raw message; in practice you might sign the hash. # I hash it here to keep message size small and consistent. return sha256(payload) @dataclass(frozen=True) class Signature: validator_id: str sig_bytes: bytes # raw signature class Validator: def __init__(self, validator_id: str): self.validator_id = validator_id self._sk = Ed25519PrivateKey.generate() self._pk = self._sk.public_key() @property def public_key(self) -> Ed25519PublicKey: return self._pk def sign_checkpoint(self, cp: Checkpoint) -> Signature: msg = cp.message_to_sign() sig = self._sk.sign(msg) return Signature(self.validator_id, sig) def verify_checkpoint_certificate( cp: Checkpoint, signatures: List[Signature], validator_pks: Dict[str, Ed25519PublicKey], required_count: int, ) -> bool: """ Returns True if signatures satisfy: - each signature verifies for the message - there are at least required_count distinct validator signatures """ msg = cp.message_to_sign() seen = set() valid_count = 0 for s in signatures: if s.validator_id in seen: continue # ignore duplicates pk = validator_pks.get(s.validator_id) if pk is None: continue # unknown validator id try: pk.verify(s.sig_bytes, msg) except Exception: continue seen.add(s.validator_id) valid_count += 1 if valid_count >= required_count: return True return False class ExporterCursor: def __init__(self): self.current_height = -1 self.current_block_hash_hex = None def advance(self, cp: Checkpoint): if cp.height <= self.current_height: raise ValueError("cannot move cursor backwards or to same height") self.current_height = cp.height self.current_block_hash_hex = cp.block_hash_hex def main(): # ---- Setup validators (N=4 for a tiny demo) ---- N = 4 t = (N - 1) // 3 required = t + 1 # demo threshold validators = [Validator(f"v{i}") for i in range(N)] validator_pks = {v.validator_id: v.public_key for v in validators} domain = "my-exporter/v1" # ---- Two candidate checkpoints to show reorg safety ---- # Imagine height 10 has block hash A, but later it becomes hash B. cp_a = Checkpoint(height=10, block_hash_hex="aa" * 32, exporter_domain=domain) cp_b = Checkpoint(height=10, block_hash_hex="bb" * 32, exporter_domain=domain) # ---- Simulate signatures for cp_a (enough to pass) ---- sigs_a = [validators[0].sign_checkpoint(cp_a), validators[1].sign_checkpoint(cp_a)] # With N=4 => t=1 => required=2, so this should pass. ok_a = verify_checkpoint_certificate(cp_a, sigs_a, validator_pks, required) print("Certificate for cp_a valid?", ok_a) cursor = ExporterCursor() if ok_a: cursor.advance(cp_a) print(f"Cursor advanced to height={cursor.current_height} hash={cursor.current_block_hash_hex}") # ---- Now simulate a conflicting checkpoint cp_b at the same height ---- # Suppose exporter mistakenly tries to advance again, but certificate doesn't have enough sigs. sigs_b = [validators[2].sign_checkpoint(cp_b)] # only 1 signature ok_b = verify_checkpoint_certificate(cp_b, sigs_b, validator_pks, required) print("Certificate for cp_b valid?", ok_b) if ok_b: # This branch won't run in this demo. cursor.advance(cp_b) print(f"Final cursor height={cursor.current_height} hash={cursor.current_block_hash_hex}") if __name__ == "__main__": main()
2) Run it
python quorum_checkpoint_exporter.py
You should see output like:
Certificate for cp_a valid? True- cursor advances to the checkpoint hash for
cp_a Certificate for cp_b valid? False- final cursor remains unchanged
This is exactly the “don’t ingest reorged data” behavior you want.
Step-by-step: why each block exists
Canonical payload encoding
The function canonical_checkpoint_payload() creates stable bytes:
- a version tag:
b"checkpoint/v1" - fixed-width height:
8 bytes big-endian - length-prefixed
exporter_domain - 32-byte
block_hash
I learned the hard way that if you accidentally sign a non-canonical encoding (like JSON without strict ordering), signature verification becomes flaky across implementations.
Signing the hash, not the long message
Checkpoint.message_to_sign() hashes the canonical payload with SHA-256. It keeps signature input small and consistent.
Verification counts distinct validators
verify_checkpoint_certificate():
- checks each signature against the checkpoint message
- de-duplicates by
validator_id - returns
Trueoncevalid_countreachesrequired_count
This is important: without distinct counting, an attacker could flood duplicates (in real systems) and trick naive verifiers.
Cursor advances only after a certificate
ExporterCursor.advance() only allows moving forward (height monotonic). When combined with certificate verification, this prevents cursor drift during reorgs.
How this maps onto real blockchain infrastructure
In a production pipeline, the exporter would typically:
- Subscribe to validator checkpoint attestations (or consensus events).
- Build a certificate for each checkpoint height.
- Verify signatures locally (or trust a verifier service).
- Atomically:
- write ledger data for that checkpoint
- update the exporter cursor in the database
- Ignore non-final or conflicting checkpoints
One thing I found critical in practice: the exporter cursor update and the data ingestion must be in the same transaction boundary (or at least idempotent). Certificates decide when you should advance; transactional storage decides what you persist reliably.
Conclusion
By implementing quorum-signed checkpoints with canonical payloads and an explicit BFT-style signature threshold, I eliminated reorg-driven cursor drift in my exporter pipeline. The key lessons were simple but powerful: sign a canonical checkpoint (including an exporter domain), verify a distinct-validator certificate before advancing, and keep cursor updates monotonic and atomic with ingestion.