As described in the previous section, for every read it handles, a slave has to sign a ``pledge'' packet that contains a copy of the request, the content version time-stamped by the master and the secure hash of the result (as computed by the slave). Should the slave act maliciously and return an incorrect answer, the ``pledge'' packet becomes an irrefutable proof of its dishonesty. Once a slave server is proven malicious it can be excluded from the system so it can do no further harm.
It is important to notice that the way the ``pledge'' packets are constructed makes impossible for a client to ``frame'' an innocent slave server - unless that client is able to fake the slave's digital signature. The only harm a client can do is to abuse its ``double-check'' quota (by double-checking all the slave responses instead of a small fraction of them). However, by keeping track on the number of double-check requests it receives from each of its clients, a master can identify statistically anomalous client behavior, which most likely indicates a ``greedy'' client. The master can then enforce fair play by simply ignoring a large fraction of the double-check requests coming from clients suspected to be greedy.