Formal verification of liveness in Byzantine Fault-Tolerant (BFT) distributed systems remains challenging due to the difficulty of rigorously modeling adversarial behavior, cryptographic primitives, and progress guarantees. Method: This paper introduces three novel, modular techniques grounded in formal verification: (i) compositional proof support for sub-protocol separation; (ii) precise semantic modeling of cryptographic signatures; and (iii) joint verification of liveness and safety properties. The framework is deeply integrated into an executable Go implementation of Practical Byzantine Fault Tolerance (PBFT). Contribution/Results: It achieves the first end-to-end formal liveness verification of a single-log PBFT consensus protocol. Experimental evaluation confirms that the prototype strictly guarantees both progress and correctness under normal operation and diverse malicious fault scenarios. This work establishes the first practical, formally verified path to liveness assurance in BFT systems.

Ensuring liveness in a decentralized system, such as PBFT, is critical, because there may not be any single administrator that can restart the system if it encounters a liveness bug. At the same time, liveness is challenging to achieve because any single participant could be malicious, and yet the overall system must make forward progress. While verification is a promising approach for ensuring the absence of bugs, no prior work has been able to verify liveness for an executable implementation of PBFT. Shipwright is a verification framework for proving correctness and liveness of distributed systems where some participants might be malicious. Shipwright introduces three techniques that enable formal reasoning about decentralized settings with malicious participants, allow developers to decompose their system and proof in a modular fashion into sub-protocols and sub-proofs, and support sound reasoning about cryptographic signatures that may be embedded in messages. We used Shipwright to implement and verify an initial prototype of agreement on a single log entry in PBFT (with a few limitations) and translate it to an executable implementation in Go. We experimentally demonstrate its operation and liveness both in the common case and in several failure scenarios.