A deep analysis of Stateless FOCIL

This doc has been the result of a collaborative effort between:
Ignacio Hagopian, Guillaume Ballet, Thomas Tiery, Julian Ma and Carlos Perez.

Introduction

Ethereum’s roadmap includes ambitious proposals aimed at improving scalability, decentralization, and censorship resistance. Two such proposals are Ethereum statelessness – eliminating or reducing the need for certain types of nodes (like validators) to store the entire state – and Fork-Choice Enforced Inclusion Lists (FOCIL) as defined in EIP-7805, which uses validator committees to enforce the inclusion of certain transactions in blocks. Individually, each approach addresses a different problem: statelessness works arround the unbounded state growth problem and node resource requirements, while FOCIL confronts transaction censorship. In combination, however, these proposals must peacefully coexist. This document provides an in-depth analysis of how statelessness and FOCIL can benefit one another in Ethereum’s evolution, the requirements and scenarios each type of statelessness imposes on block producers, and the friction points and network overheads that may arise when both mechanisms are active.
We also discuss open problems such as Transaction invalidation, Network overhead, Bandwidth consumption and to assess whether statelessness techniques could help mitigate them.

The document will assume that all the concepts listed below are known and understood. If you're not convinced you fully understand them, it's suggested to take a look to them.

In summary, weak statelessness keeps block building similar to today (one party with full state) but frees everyone else, whereas strong statelessness radically changes block production into an on-demand data retrieval process. State expiry lies in between: most blocks only deal with an active subset of state (making block production fast), but once in a while a block must absorb the cost of including a previously expired piece of state via a witness. All these approaches strive to make running a node much easier (reducing persistent storage), at the cost of increasing the real-time data each block must carry or fetch (i.e. witnesses). The table below summarizes the block producer requirements in each scenario:

Overview of FOCIL (Fork-Choice Enforced Inclusion Lists, EIP-7805)

FOCIL is a fork-choice rule modification that introduces Inclusion Lists (ILs) to strengthen Ethereum’s censorship resistance by distributing block content (tx) decisions across a committee of validators (attesters). In today’s Ethereum, a single block proposer (or an MEV builder it outsources to) has total control over which transactions are included in a block. This centralizes power and has led to oligopolistic block production – as of late 2024, two entities were building over 95% of blocks on Ethereum – and weak censorship resistance, evidenced by some builders excluding sanctioned addresses. FOCIL aims to counter this by ensuring many validators collectively influence each block’s content.

• In each slot
  $n$, an inclusion list committee observes the mempool and each member produces a local inclusion list of transactions (e.g., containing “tx
  $\mathbb{a}$, tx
  $\mathbb{b}$”, etc.).
• These ILs are gossiped on a global network topic. The block producer for slot
  $n$ collects these ILs and must include the union of all txns across ILs within the block until the block is full.

The IL aggregate includes all transactions from the committee’s lists (entries 0xa1, 0xb2, 0xc3 in this schematic) and a bitlist of which committee members’ ILs were honored. Attesters for slot

$n+\mathbb{K}$ (right) evaluate Block

$\mathbb{K}$: if it contains all required IL transactions, they consider the block valid in the fork choice; if not, they withhold attestations. Thus, only a block including the committee’s transactions can become canonical.*

More info on how FOCIL works can be found within the hidden section down below, or here: https://meetfocil.eth.limo/.

Statelessness & FOCIL Interactions

Clear symbiotic relationship areas/signs

One of the things that is clear is that Stateless-FOCIL will always be a positive sum game.
There are several reasons to argue about this:

Statelessness will significantly decrease the hardware requirements on validators

This means we will be able to have more participants within CL.
That, directly translates to more entities who will be able to join the FOCIL protocol and submit ILs.

Stateless-regimes allow for more protocol participants (à la rainbowstaking). If you can open up the job of a FOCIL includer to people with lower stake, that's democratizing Ethereum staking.

While this is true, it's also important to remark that FOCIL doesn't require to have thousands of ILs or tons of txs included within each IL to be effective.

In fact, as said by Thomas Thiery:
"… to me the more ILs (the more txns in ILs to be more precise), the less txn inclusion time, until you do hit a limit
the limit is 1 slot inclusion, and you can't include more txns than there is space for in a block."

So stateless has a double impact here. It allows for:

1. Bump up significantly gas_limit parameters.
2. Removes the hardware requirements from FOCIL protocol participants.

They both contribute to Censorship Resistance and Neutrality.

This is the most direct area of synergy. FOCIL is explicitly designed to improve censorship resistance: by forcing inclusion lists into blocks via fork-choice, it ensures no transaction remains censored for long.

• Statelessness boosts censorship resistance in a more subtle way. First, as noted, it increases the number of possibly independent validators – it is much harder to censor transactions when there are thousands of globally distributed validators who are part of the sampling domain of the protocol, at least one of whom is likely to include any given honest transaction in their IL list.

The “1-out-of-N” honesty assumption of FOCIL becomes easier to meet with N large.

• Second, statelessness could enable new anti-censorship techniques at the networking layer: for example resilience against state-based censorship – if an adversary tries to censor by bloating state or exploiting state load (a form of denial-of-service to price out honest nodes), stateless clients would be immune to state-bloat slowdown since they do not process the entire state for each block. This means that even under heavy load or attempted state-layer attacks, stateless validators can keep proposing inclusion lists and verifying blocks normally, upholding censorship resistance.

In summary, statelessness provides a robust, lightweight validator base and the technical means to handle additional data, while FOCIL provides the policy and rule-set that empower those validators to keep the chain neutral and inclusive.

Stateless-FOCIL would boost Scalability

Stateless-FOCIL solutions would likely impact scalability in a positive way in some areas. For example:

• Removing the dependency on slow disk I/O for state – validators no longer need to read/write a massive state database each block, which can become a bottleneck as state grows. Instead, they receive a fixed-size witness proving the state changes. This means Ethereum could safely raise gas limits or throughput when most nodes are stateless, without rendering verification too slow.
• FOCIL indirectly assists scalability by ensuring transactions aren’t needlessly delayed by censorship.
  More importantly, FOCIL also decouples throughput from local block building – validators can enforce inclusion of many transactions even if a builder’s own block would have been smaller. In a combined scenario, statelessness can help handle the higher data load that FOCIL might introduce. For example, if each block now carries an inclusion list (or the full transactions from ILs) and the associated witnesses, stateless clients can verify these larger blocks without storing more data long-term.
• Stateless would allow for significant gas_limit increases. Thus opening more space for transactions. This space is more space that builders might be forced to include more IL transactions which also contributes to effectively spend the gas_target exhaustively instead of just wasting it.

Strong vs. Weak statelessness for FOCIL

One of the biggest debates we've had so far, is trying to identify which is the way to go in the strong vs. weak statelessness dilema.
There are multiple reasons to argue for both.

This writeup won't dive deeply into this. But you can get more info on this post by Julian.

So far, one of the things that is increasingly clear is that we might want/need to decouple throughput from local building in order to be able to scale the whole network (See more details in this Includer-Attester separation.
And that, has direct implications on the type of statelessness we want to have.

In particular, if we pretend to outsource block building to few well-resourced (computationally & bandwidth-wise) entities and allow them to be the sole blockbuilders, then there's a clear bias towards weak statelessness where block builders still keep the whole state themseleves.

At the same time, this means we need to lower as much as possible the requirements to attesters, includers and any other roles that exist within the Consensus Layer.

There's no reason to consider strong statelessness (which mainly allows lower-resourced builders) nor to prioritize significantly state-expiry.

The question that one might have, is "Should we have a backup plan"?
And for that, we need to ask ourseleves first the following:

Who holds the state?

It's important to understand that within any stateless scenario, we have only 3 types of actors who can/will hold the state. And how this affects other ethereum sub-protocols like FOCIL.

Block Builders

• This post clearly identifies block builders as the best entity to rely on for holding the state (at least, a big part of it). Specially if we consider initiatives like Decoupling throughput from local building. It's the easiest and less complex approach but greatly centralizes block producing further. At the same time it incurrs on extra risk of possibly needing a "fallback method". Still, thanks to sub-protocols like FOCIL, we can actually be a bit "safer" in this scenario.

• It's important to notice that in the long-term, leaving the task to store state to block builders will hit significantly bigger limitations than delegating it on Dapps or users. As a distributed storage design would definitely scale further and better. Also greatly reducing friction and incentive concerns in other parts of the protocol.

• If we lower the entry barrier for block producers (via strong-statelessness) but they keep delegating block construction to MEV builders, We are actually changing nothing (more block proposers exist but builders at the end are the same ones).

Dapps/wallets (Users)

• This would be possibly the "best solution" if we ignore the complexity of bringing it to live. A distributed way to store and generate witness for txs will always scale far better than any other alternative.
  The problem resides on protocols that will require "fast/JIT invalid-tx witness recomputation" (Like FOCIL might). And more importantly, who will actually perform this. As block-builders in this case will need to ask for the witness to someone if they want to do it. Or otherwise we fall into interactive scenarios which are complex to even imagine.
• Even if we were within a strong-stateless regime. Block builders would likely decide to store some part of the state at minimum to optimize their block building process. So we could find ourseleves within an scenario where we aim to lower block producer/builder resources. Yet they still decide to
• I think it's hard to see useful/nice dApps nowadays. Imagine if we add to them the burden of also managing all the state proofs/witness generation for each tx..
  Seems crucial to put the ABSOLUTE MINIMAL requirements to dAPPS as they are a scarce resource within the ecosystem. We need to make it easy for them to exist and proliferate.

State-as-a-Service (i.e. Portal, third parties)

• Sadly, decentralized solutions like Portal migth not be fast enough at providing state. Thus not making them a valid option to scale horizontally via delegation to other sub-protocols.

• If no one else handles it, large providers (ie. Infura) will, leading to re-centralization.

  More careful thought should be put on this idea. So far it doesn't seem to be a viable one as the two main contenders to carry it over are not fast enough or lead to massive centralization.

To conclude, I think one important way to frame this block proposer/builder dilema is:

We are stablishing "a minimal set of rules on what data block producers are assumed to hold/have". Such that we can design protocols based on this assumption that touch on possibly unrelated things. Yet can rely on assumptions based on these rules

Friction Points Between Statelessness and FOCIL

While the combination of statelessness and FOCIL offers many benefits, there are also important drawbacks and friction points to consider. Implementing both simultaneously could introduce new challenges related to transaction validity, data overhead, and system complexity:

Significant decrease on the IL quality

This is by far the most relevant problem to solve.
This problem arises when any form of statelessness (except partial one, which is unsure if can be called "stateless") and FOCIL are put together.

The issue: Stateless nodes have serious issues to keep their mempools pruned. While FOCIL relies on the assumption of having a correctly pruned and functioning mempool.

Currently, in both, strong and weak statelessness flavours, includers would not hold the state that allows them to validate tx correctness (discard invalid txs) unless:

• They come with a witness (Strong statelessness).
• They ask some 3rd party or block builder for the needed witness relative to the tx (Weak statelessness).

Both of these solutions are bad. While the former implies a significant burden in the DevX and UX side of things, the latter greatly centralizes state storaging as well as has the potential to consume huge ammounts of bandwidth and network resources in general.

Why is this important? Notice an attacker can flood the mempool at no cost, and Includer stateless nodes would have a hard time prunning it, thus leading to ILs full of garbage.

What does this imply?

• We need to query/validate nonce for each tx we receive. And also prune the mempool regularly after each new block.
• We need to query/validate balance for each tx we receive. And also prune the mempool regularly after each new block.
• More importantly, we need to make sure it's not impossible to gather this info without die trying. (ie. imagine I receive 1M txs that come to my mempool. I'll need to handle a lot of proof verifications or, query a ton of data from a GOOD_SAMARITAN in order to be sure that txs are valid and should make it to my IL).

Network Overhead and Bandwidth Consumption

Both statelessness and FOCIL introduce additional data that must be transmitted each block, raising concerns about bandwidth and storage overhead. Under statelessness, each block carries a witness (Merkle/Verkle proofs) for the state accessed by its transactions. FOCIL, meanwhile, adds up to

In total, the block data size and the per-slot gossip load both increase. This raises several issues:

• Bandwidth for validators and propagation time: A stateless validator must download the block body + witness (let’s say ~200KB-3MB depending on the tree/solution) plus the ILs (another ~ up to 100+ KB) for each slot. To that, we still need to account for blob data (introduced with EIP-4844) which can significantly increase bandwidth requirements, adding up to ~1 MB per all blobs (as per Pectra update (9 blobs of 128KB)). If blocks come every 12 seconds, that could significantly up the data rate requirements. Validators with slower internet could struggle, undermining the goal of increasing the number of participants within the consensus.

One of the next steps will be to run some accurate simulations using Ethshadow to better estimate for the different stateless solutions (Verkle, Binary etc..) what could we expect from bandwidth/propagation time.

• Witness sizes in worst-case: In a pathological scenario, FOCIL might force inclusion of transactions that touch many distinct state entries, producing a large combined witness.
  A concern is that FOCIL could override a builder’s optimization which means that even if a builder might normally avoid including too many state-heavy transactions in one block (to keep the witness small), if the IL forces them in, the block’s witness could blow up. This is a new kind of block size griefing attack to consider under combined stateless+FOCIL operation.

Witness Generation Complexity and Latency

Within a weak-statelessness scenario, block builders (proposers) acquire the task of generating witnesses too. Under FOCIL, the builder now has an expanded to-do list within a single block interval:

1. Receive ILs,
2. Fetch those transactions (if not already in its mempool)
3. Execute all transactions (both its own chosen tx and the forced IL tx) in the correct order.
4. Generate the state witness proofs for the entire block to broadcast to validators.
5. Participate in any DAS-related procedure that needs to happen.

All this must happen in a matter of seconds (in a 12-second slot, ILs might be completed ~8s into the slot, leaving perhaps ~4 seconds for block production). This is tighter than normal block building, where a builder could start assembling a block earlier with a known mempool.

This is not an issue now. but if we decided to bump up gas limit to 100M for example, then we could definitely start seeing complex scenarios where ILs force builders to perform more complex and bigger state proofs for their block. Which can lead to tighten a lot the time everyone within the protocol has to carry their duties.

Open FOCIL Problems and the Role of Statelessness

Stateless Ethereum is frontier research, with many open questions remaining. We examine a few known open problems in Stateless-FOCIL design.

Inclusion List Flooding Attacks

One concern for FOCIL is the possibility of an attacker trying to “flood” the mechanism with junk transactions. For example, a proposer could spam the mempool with transactions that appear valid just before the IL committee finalizes their lists, causing many IL entries to be occupied by transactions the proposer controls, and then propose a block that invalidates all those transactions. The result would be that all those IL slots were wasted and the block still satisfies the IL condition vacuously.
This is an ex-post invalidation attack. The FOCIL design tries to limit the impact by rules like “at most one tx per account per IL” (so one transaction can’t invalidate multiple IL entries).

Does statelessness help here? Not directly in terms of prevention – this is mainly a game of mempool policy and costs. However, statelessness could help detection and analysis: a stateless node that kept all IL transactions’ witnesses could immediately check in the next block which ones became invalid and why.
If they notice that, say, a single transaction in the block changed 1000 accounts’ nonces (hence invalidating 1000 IL tx), that pattern could be flagged as malicious. It remains to be seen if there's any other benefit that instead of identification could actually solve something.

Transaction Validity Windows

A missalignment at the intersection of FOCIL and strong statelessness is transaction validity over time. In a strong–stateless environment, a transaction might come with a proof of cold-state (state-revival) that is only valid for a specific state root. If the state changes, the transaction could become invalid or at least the proof is invalid (the transaction might still be executable, but not with the provided proof). Stateless clients might then treat the transaction as invalid until a new proof is provided. This effectively gives transactions a shelf-life – they expire in the mempool if not included in a timely manner or updated.

Notice that while this is not an issue of the combination of both, FOCIL could actually help mitigate or worsen the situation:

• Reviving-storage txs contain a proof that is no longer valid for the state that stateless nodes hold. Thus, occupying space within the IL that is wasted. This would be a result of FOCIL enforcing inclusion within 10 slots or so.
• IL flooding gets a new attack-vector which is based on state-revival txs.

Unconditional FOCIL leading to IL-boost markets.

So far in this document we have been discussing "conditional FOCIL". But there's an "unconditional FOCIL" variant too which was proposed in this post.

The main difference between the two approaches is that conditional FOCIL implies that the proposer/builder only needs to include IL txs in the block if only if the block isn't full and the transactions are still valid.
On the other side, unconditional FOCIL reserves space inside a block for IL txs.

One of the main concerns of Unconditional FOCIL is that it could potentially open an IL-boost market that we obviously don't want to have.

After some discussions, stateless doesn't seem to be of much help here.

As said by Julian in a discussion related to this topic:
[..] I don’t believe stateless could help here. ILs should be designed such that they cannot be outsourced to an IL-Boost market regardless of whether it’s practically difficult to create IL-Boost. We already have many many validators [..]

So having more validators or lower-stake ones for FOCIL (enabled via stateless + Rainbow staking for instance) doesn't seem to help to mitigate these concerns.

Conclusion

The combination of Ethereum statelessness and FOCIL represents a potential improvement in the protocol’s evolution, matching state scalability with censorship-resistant block production. Our analysis shows a clear symbiosis: statelessness enables a broader set of validators to participate with minimal hardware, and FOCIL empowers those validators to collectively uphold inclusion and neutrality, counteracting the centralization of MEV-heavy block building. Together, they address two of the hardest problems for Ethereum’s future – the burden of state growth and the risk of censorship/centralization in block proposal.

It is also clear that they both can combine really well. As while one allows increasing gas limits, the other make sure blocks are full and decouples local building from throughput.

That means bigger blocks, fuller blocks, with censorship-resistance and more participants within CR(Consensus Rules) at the same time.

Combining these systems is not without challenges though. As it can be seen networking, UX, IL quality and other minor topics are still concerns that we have in mind and need to get solutions for.

WRT who holds state and how this affects FOCIL and other sub-protocols, it's hard to say anything. As we're just guessing.

One thing is obvious in this topic. And is that if we want immediate scaling, and we want to unleash state growth, we need to be prepared to handle such growth without asking all consensus participants to upgrade hardware.
Ideally, we should lower the entry barrier to the protocol and facilitate the existance of low-requirement roles like Includer, Attester or also, staker.
And the combination of statelessness-FOCIL is a clear example of this.

After all the considerations, A hybrid solution that incentivizes supplying state proofs to lower fees.
Or, some form of partial statelessness could be good 1st paths. Such that we can analyze how it affects the ecosystem and scales without disrupting how the network works atm.