🤖 AI Summary
This paper addresses the failure of geo-replicated Byzantine fault-tolerant (BFT) consensus systems under catastrophic failures, e.g., datacenter-wide power outages or coordinated adversarial attacks. To this end, the authors propose Orion, a disaster-tolerant hierarchical BFT consensus protocol. Methodologically, Orion introduces (i) cluster-level commit certification and dynamic subgroup rotation, enabling safe consensus even when all nodes in the global consensus group are Byzantine; (ii) a modular design supporting compositional protocol construction and formal verification; and (iii) integration of HotStuff and Damysus to realize geographic partitioning, hierarchical consensus, and cross-cluster atomic commit. Evaluation shows that Orion achieves 20% higher throughput than GeoBFT while preserving strong safety guarantees. Its correctness is formally verified in Coq, and its crash and Byzantine fault tolerance is empirically validated.
📝 Abstract
Geo-replication provides disaster recovery after catastrophic accidental failures or attacks, such as fires, blackouts or denial-of-service attacks on a data center or region. Naturally distributed data structures, such as blockchains, when well designed, are immune to such disruptions, but they also benefit from leveraging locality. In this work, we consolidate the performance of geo-replicated consensus by leveraging novel insights about hierarchical consensus and a construction methodology that allows creating novel protocols from existing building blocks. In particular, we show that cluster confirmation, paired with subgroup rotation, allows protocols to safely operate through situations where all members of the global consensus group are Byzantine. We demonstrate our compositional construction by combining the recent HotStuff and Damysus protocols into a hierarchical geo-replicated blockchain with global durability guarantees. We present a compositionality proof and demonstrate the correctness of our protocol, including its ability to tolerate cluster crashes. Our protocol, Orion, achieves a 20% higher throughput than GeoBFT, the latest hierarchical Byzantine Fault-Tolerant (BFT) protocol.