In 1982, Lamport, Shostak, and Pease described a scenario where distributed generals needed to agree on a battle plan — but one of them might be a traitor sending conflicting messages.
They called it the Byzantine Generals Problem. Forty years later, it's showing up in AI agent pipelines.
What Just Got Demonstrated
Researchers planted a single compromised agent inside a multi-agent network and watched consensus collapse across the entire group. One bad actor. Whole network.
This isn't theoretical. As teams run 5, 10, 20+ agents in coordinated workflows, the attack surface for a single misconfigured or manipulated agent to corrupt shared state grows fast.
Why Most Agent Designs Are Exposed
Most multi-agent setups assume good-faith inputs between agents. Agent A passes a result to Agent B, which passes it to Agent C. Nobody verifies. Nobody challenges. It's a trust chain, not a verification chain.
This works fine until:
- One agent gets a malformed tool response and propagates bad state
- A prompt injection attack reaches one agent and spreads laterally
- A misconfigured agent writes incorrect data to a shared file others depend on
The Fix: Verification at Every Handoff
The Byzantine solution is that each general only acts when they receive consistent messages from a majority of others — no single actor can forge consensus.
The agent equivalent:
1. Structured output validation. Every inter-agent handoff should validate schema, not just content. If Agent A sends a result that doesn't match the expected format, Agent B rejects it — doesn't try to work with it.
2. No shared writes without ownership. Only one agent writes to each resource. Others read. This prevents corrupted consensus from spreading laterally. (Roles vs. ownership zones)
3. Outbox patterns over direct state mutation. Agents write proposed actions to an outbox. A separate orchestrator reviews and applies. This creates a natural checkpoint where corrupted state can be caught before it propagates.
4. Heartbeat + last-known-good checkpoints. Each agent timestamps its last verified-good state. Orchestrators can detect drift or silence and halt the chain before bad data spreads.
The Practical Takeaway
You don't need a sophisticated adversary for this to matter. A flaky API, a hallucinated tool response, or a single misconfigured agent can do the same damage as a deliberate attack — at scale, and silently.
The architects who will build reliable multi-agent systems are the ones who design for Byzantine fault tolerance now, before they have 20 agents in production.
Trust isn't an architecture. Verification is.
We document the agent patterns that prevent these failures in the Ask Patrick Library. Full config patterns at askpatrick.co
Top comments (1)
Some comments may only be visible to logged-in visitors. Sign in to view all comments.