This doc has been the result of a collaborative effort between:
Ignacio Hagopian, Guillaume Ballet, Thomas Tiery, Julian Ma and Carlos Perez.
Ethereum’s roadmap includes ambitious proposals aimed at improving scalability, decentralization, and censorship resistance. Two such proposals are Ethereum statelessness – eliminating or reducing the need for certain types of nodes (like validators) to store the entire state – and Fork-Choice Enforced Inclusion Lists (FOCIL) as defined in EIP-7805, which uses validator committees to enforce the inclusion of certain transactions in blocks. Individually, each approach addresses a different problem: statelessness works arround the unbounded state growth problem and node resource requirements, while FOCIL confronts transaction censorship. In combination, however, these proposals must peacefully coexist. This document provides an in-depth analysis of how statelessness and FOCIL can benefit one another in Ethereum’s evolution, the requirements and scenarios each type of statelessness imposes on block producers, and the friction points and network overheads that may arise when both mechanisms are active.
We also discuss open problems such as Transaction invalidation, Network overhead, Bandwidth consumption and to assess whether statelessness techniques could help mitigate them.
The document will assume that all the concepts listed below are known and understood. If you're not convinced you fully understand them, it's suggested to take a look to them.
Ethereum’s push towards “Stateless Ethereum” involves several models that differ in degree of state storage and who bears responsibility for providing state data (via witnesses, i.e. cryptographic proofs of state, see more about this here).
One of the major points of contact that FOCIL and stateless have is that they influence heavily the attester and block proposer roles respectively. One, can potentially lower the hardware requirements to them. While the other one adds the extra task of ensuring censorship resistance via ILs.
Below we outline the major statelessness approaches – full vs partial statelessness – and what each implies for block producers.
In a weakly stateless design, only block proposers/builders need full access to the global state, while all other nodes can validate blocks without a local state database (Statelessness, state expiry and history expiry).
Validators verifying a new block are provided with a witness (e.g. Merkle/Verkle/ZKVM proof) for each state access in the block, allowing them to update their state root and confirm block validity without storing entire state.
This approach greatly lowers hardware requirements for most nodes (enabling near-instant syncing and even mobile-phone validators), but it puts the pressure on block producers to maintain the full latest state in order to execute transactions and generate witnesses for their blocks. In practice, weak statelessness presumes a separation of roles (e.g. via proposer-builder separation, PBS) where specialized builders handle the heavy state and witness generation tasks. Block producers under weak statelessness MUST BE powerful, stateful nodes (or outsource to such builders), since they need to access any part of state touched by pending transactions to create the necessary proofs
Strong statelessness is the ideal end-state (since we drastically remove the hardware requirements for all consensus and possibly execution participants) where no validator or block builder permanently stores the global state (Statelessness, state expiry and history expiry). Instead, transactions must carry sufficient witness data (proofs of account/storage values) to allow anyone to validate them against a known state root. Block producers in this model do not need the entire state up-front; they can theoretically rely on the witnesses provided with transactions or obtain needed state bits on demand from a distributed storage network.
In practice, however, achieving full statelessness is challenging. It pushes the burden of state availability largely to users and the network – users might need to fetch and attach proofs to their transactions, and block builders might still maintain caches of recently used state or use an on-demand state fetch protocol for efficiency (Why it’s so important to go stateless | Dankrad Feist).
Block production requirements:
Even if no node is required to hold all state all the time, a proposer must ensure that any transaction it includes has a valid, up-to-date witness (otherwise the block will be invalid). This might involve regenerating or updating witnesses if the state has changed since the transaction was formed. Thus, block producers in a strong stateless regime might still perform just-in-time state lookups or caching. The expectation is that cryptographic accumulator structures (e.g. Verkle trees) will make witnesses small and efficient to transmit, and protocols like the Portal Network or PeerDAS will enable quick retrieval of state data from peers when needed.
Strong statelessness minimizes permanent storage at the cost of significantly more real-time data retrieval; block builders would need extremely robust networking and possibly user-provided witnesses to assemble valid blocks under tight time constraints.
In state expiry proposals, portions of the state that have not been accessed for a long period (e.g. ~1 year) are pruned from the active state and considered inactive until “resurrected”. Nodes then only store the recently active state; accessing old state (expired accounts or storage slots) requires a witness or proof to revive that data back into the active set. This is conceptually similar to charging rent for state: accounts must pay or be touched periodically to remain active, otherwise their data is dropped and must be brought back with an explicit proof.
Block producer requirements: In a state expiry scenario, a block proposer is expected to store at least the active state (all accounts/storage not yet expired) and handle normal transactions as usual. However, if a transaction touches expired state, the block producer will need the corresponding proof (witness) for that state portion.
If not, the producer must obtain the historical state data from some external source (such as a distributed storage network or archival node like for example the Portal Network) before including the transaction. This introduces additional overhead in block building – similar to strong statelessness – but only for cold/expired state accesses. In effect, state expiry outsources long-term state storage to off-chain systems or the users, limiting on-chain state size growth while requiring block builders to handle occasional large proofs for resurrected data. Block producers would also need to ensure expired-state transactions pay appropriate fees (covering the extra cost of witness verification and state revival), as discussed in state rent economics.
In summary, weak statelessness keeps block building similar to today (one party with full state) but frees everyone else, whereas strong statelessness radically changes block production into an on-demand data retrieval process. State expiry lies in between: most blocks only deal with an active subset of state (making block production fast), but once in a while a block must absorb the cost of including a previously expired piece of state via a witness. All these approaches strive to make running a node much easier (reducing persistent storage), at the cost of increasing the real-time data each block must carry or fetch (i.e. witnesses). The table below summarizes the block producer requirements in each scenario:
Statelessness Mode | Who Stores State? | Block Producer’s Duty |
---|---|---|
Weak Statelessness | Only block proposer/builder (full state); others stateless (Statelessness, state expiry and history expiry) | Have full state locally; execute transactions and generate compact witness for each block. Must be powerful to handle state reads/writes, generate proofs within less than block time and store a growing state. |
Strong Statelessness | No node stores full state; state accessed via witnesses | Ensure every tx included has a correct, up-to-date state witness. Likely fetch or update state proofs on the fly. Heavy networking to gather any missing state data; essentially stateless block building. |
State Expiry (Partial) | Nodes store only recent state; older state pruned | Handle most tx from active state normally. For tx touching expired state, obtain or verify the provided witness to update that state. Maintain a mechanism to reintroduce pruned data into active state (with cost). |
FOCIL is a fork-choice rule modification that introduces Inclusion Lists (ILs) to strengthen Ethereum’s censorship resistance by distributing block content (tx) decisions across a committee of validators (attesters). In today’s Ethereum, a single block proposer (or an MEV builder it outsources to) has total control over which transactions are included in a block. This centralizes power and has led to oligopolistic block production – as of late 2024, two entities were building over 95% of blocks on Ethereum – and weak censorship resistance, evidenced by some builders excluding sanctioned addresses. FOCIL aims to counter this by ensuring many validators collectively influence each block’s content.
Illustration of the FOCIL mechanism (per-slot workflow).
The IL aggregate includes all transactions from the committee’s lists (entries 0xa1, 0xb2, 0xc3 in this schematic) and a bitlist of which committee members’ ILs were honored. Attesters for slot (right) evaluate Block : if it contains all required IL transactions, they consider the block valid in the fork choice; if not, they withhold attestations. Thus, only a block including the committee’s transactions can become canonical.*
One of the things that is clear is that Stateless-FOCIL will always be a positive sum game.
There are several reasons to argue about this:
This means we will be able to have more participants within CL.
That, directly translates to more entities who will be able to join the FOCIL protocol and submit ILs.
Stateless-regimes allow for more protocol participants (à la rainbowstaking). If you can open up the job of a FOCIL includer to people with lower stake, that's democratizing Ethereum staking.
While this is true, it's also important to remark that FOCIL doesn't require to have thousands of ILs or tons of txs included within each IL to be effective.
In fact, as said by Thomas Thiery:
"… to me the more ILs (the more txns in ILs to be more precise), the less txn inclusion time, until you do hit a limit
the limit is 1 slot inclusion, and you can't include more txns than there is space for in a block."
So stateless has a double impact here. It allows for:
This is the most direct area of synergy. FOCIL is explicitly designed to improve censorship resistance: by forcing inclusion lists into blocks via fork-choice, it ensures no transaction remains censored for long.
The “1-out-of-N” honesty assumption of FOCIL becomes easier to meet with N large.
In summary, statelessness provides a robust, lightweight validator base and the technical means to handle additional data, while FOCIL provides the policy and rule-set that empower those validators to keep the chain neutral and inclusive.
Stateless-FOCIL solutions would likely impact scalability in a positive way in some areas. For example:
gas_limit
increases. Thus opening more space for transactions. This space is more space that builders might be forced to include more IL transactions which also contributes to effectively spend the gas_target
exhaustively instead of just wasting it.One of the biggest debates we've had so far, is trying to identify which is the way to go in the strong vs. weak statelessness dilema.
There are multiple reasons to argue for both.
This writeup won't dive deeply into this. But you can get more info on this post by Julian.
So far, one of the things that is increasingly clear is that we might want/need to decouple throughput from local building in order to be able to scale the whole network (See more details in this Includer-Attester separation.
And that, has direct implications on the type of statelessness we want to have.
In particular, if we pretend to outsource block building to few well-resourced (computationally & bandwidth-wise) entities and allow them to be the sole blockbuilders, then there's a clear bias towards weak statelessness where block builders still keep the whole state themseleves.
At the same time, this means we need to lower as much as possible the requirements to attesters, includers and any other roles that exist within the Consensus Layer.
There's no reason to consider strong statelessness (which mainly allows lower-resourced builders) nor to prioritize significantly state-expiry.
The question that one might have, is "Should we have a backup plan"?
And for that, we need to ask ourseleves first the following:
It's important to understand that within any stateless scenario, we have only 3 types of actors who can/will hold the state. And how this affects other ethereum sub-protocols like FOCIL.
Role | Pros | Cons |
---|---|---|
Block Builders | Naturally incentivized, already centralized | Reinforces MEV builder centralization |
Wallets/dApps | Pushes responsibility to edge, avoids builder bloat | Wallets resist innovation; dApps fragile, under-resourced |
State-as-a-Service (ie. Portal, third parties) | Offloads responsibility; can scale horizontally | Potential for Infura-like centralization; unknown reliability |
This post clearly identifies block builders as the best entity to rely on for holding the state (at least, a big part of it). Specially if we consider initiatives like Decoupling throughput from local building. It's the easiest and less complex approach but greatly centralizes block producing further. At the same time it incurrs on extra risk of possibly needing a "fallback method". Still, thanks to sub-protocols like FOCIL, we can actually be a bit "safer" in this scenario.
It's important to notice that in the long-term, leaving the task to store state to block builders will hit significantly bigger limitations than delegating it on Dapps or users. As a distributed storage design would definitely scale further and better. Also greatly reducing friction and incentive concerns in other parts of the protocol.
If we lower the entry barrier for block producers (via strong-statelessness) but they keep delegating block construction to MEV builders, We are actually changing nothing (more block proposers exist but builders at the end are the same ones).
Sadly, decentralized solutions like Portal migth not be fast enough at providing state. Thus not making them a valid option to scale horizontally via delegation to other sub-protocols.
If no one else handles it, large providers (ie. Infura) will, leading to re-centralization.
More careful thought should be put on this idea. So far it doesn't seem to be a viable one as the two main contenders to carry it over are not fast enough or lead to massive centralization.
To conclude, I think one important way to frame this block proposer/builder dilema is:
We are stablishing "a minimal set of rules on what data block producers are assumed to hold/have". Such that we can design protocols based on this assumption that touch on possibly unrelated things. Yet can rely on assumptions based on these rules
While the combination of statelessness and FOCIL offers many benefits, there are also important drawbacks and friction points to consider. Implementing both simultaneously could introduce new challenges related to transaction validity, data overhead, and system complexity:
This is by far the most relevant problem to solve.
This problem arises when any form of statelessness (except partial one, which is unsure if can be called "stateless") and FOCIL are put together.
The issue: Stateless nodes have serious issues to keep their mempools pruned. While FOCIL relies on the assumption of having a correctly pruned and functioning mempool.
Currently, in both, strong and weak statelessness flavours, includers would not hold the state that allows them to validate tx correctness (discard invalid txs) unless:
Both of these solutions are bad. While the former implies a significant burden in the DevX and UX side of things, the latter greatly centralizes state storaging as well as has the potential to consume huge ammounts of bandwidth and network resources in general.
Why is this important? Notice an attacker can flood the mempool at no cost, and Includer stateless nodes would have a hard time prunning it, thus leading to ILs full of garbage.
What does this imply?
nonce
for each tx we receive. And also prune the mempool regularly after each new block.balance
for each tx we receive. And also prune the mempool regularly after each new block.GOOD_SAMARITAN
in order to be sure that txs are valid and should make it to my IL).Both statelessness and FOCIL introduce additional data that must be transmitted each block, raising concerns about bandwidth and storage overhead. Under statelessness, each block carries a witness (Merkle/Verkle proofs) for the state accessed by its transactions. FOCIL, meanwhile, adds up to inclusion lists per slot propagating through the network. If each IL is up to 8 KiB and there are 16 committee members, that’s a theoretical 128 KiB of data broadcast in gossip for the ILs (not counting overhead for signatures and routing).
In total, the block data size and the per-slot gossip load both increase. This raises several issues:
This image from pop's post on doubling blob count for Pectra can help us to see a bit the propagation times we can expect depending on the sent-payload sizes.
And as it can bee seen, it looks slightly concerning how stateless-FOCIL would look.
One of the next steps will be to run some accurate simulations using Ethshadow to better estimate for the different stateless solutions (Verkle, Binary etc..) what could we expect from bandwidth/propagation time.
Within a weak-statelessness scenario, block builders (proposers) acquire the task of generating witnesses too. Under FOCIL, the builder now has an expanded to-do list within a single block interval:
All this must happen in a matter of seconds (in a 12-second slot, ILs might be completed ~8s into the slot, leaving perhaps ~4 seconds for block production). This is tighter than normal block building, where a builder could start assembling a block earlier with a known mempool.
This is not an issue now. but if we decided to bump up gas limit to 100M for example, then we could definitely start seeing complex scenarios where ILs force builders to perform more complex and bigger state proofs for their block. Which can lead to tighten a lot the time everyone within the protocol has to carry their duties.
Stateless Ethereum is frontier research, with many open questions remaining. We examine a few known open problems in Stateless-FOCIL design.
One concern for FOCIL is the possibility of an attacker trying to “flood” the mechanism with junk transactions. For example, a proposer could spam the mempool with transactions that appear valid just before the IL committee finalizes their lists, causing many IL entries to be occupied by transactions the proposer controls, and then propose a block that invalidates all those transactions. The result would be that all those IL slots were wasted and the block still satisfies the IL condition vacuously.
This is an ex-post invalidation attack. The FOCIL design tries to limit the impact by rules like “at most one tx per account per IL” (so one transaction can’t invalidate multiple IL entries).
Does statelessness help here? Not directly in terms of prevention – this is mainly a game of mempool policy and costs. However, statelessness could help detection and analysis: a stateless node that kept all IL transactions’ witnesses could immediately check in the next block which ones became invalid and why.
If they notice that, say, a single transaction in the block changed 1000 accounts’ nonces (hence invalidating 1000 IL tx), that pattern could be flagged as malicious. It remains to be seen if there's any other benefit that instead of identification could actually solve something.
A missalignment at the intersection of FOCIL and strong statelessness is transaction validity over time. In a strong–stateless environment, a transaction might come with a proof of cold-state (state-revival) that is only valid for a specific state root. If the state changes, the transaction could become invalid or at least the proof is invalid (the transaction might still be executable, but not with the provided proof). Stateless clients might then treat the transaction as invalid until a new proof is provided. This effectively gives transactions a shelf-life – they expire in the mempool if not included in a timely manner or updated.
Notice that while this is not an issue of the combination of both, FOCIL could actually help mitigate or worsen the situation:
So far in this document we have been discussing "conditional FOCIL". But there's an "unconditional FOCIL" variant too which was proposed in this post.
The main difference between the two approaches is that conditional FOCIL implies that the proposer/builder only needs to include IL txs in the block if only if the block isn't full and the transactions are still valid.
On the other side, unconditional FOCIL reserves space inside a block for IL txs.
One of the main concerns of Unconditional FOCIL is that it could potentially open an IL-boost market that we obviously don't want to have.
After some discussions, stateless doesn't seem to be of much help here.
As said by Julian in a discussion related to this topic:
[..] I don’t believe stateless could help here. ILs should be designed such that they cannot be outsourced to an IL-Boost market regardless of whether it’s practically difficult to create IL-Boost. We already have many many validators [..]
So having more validators or lower-stake ones for FOCIL (enabled via stateless + Rainbow staking for instance) doesn't seem to help to mitigate these concerns.
The combination of Ethereum statelessness and FOCIL represents a potential improvement in the protocol’s evolution, matching state scalability with censorship-resistant block production. Our analysis shows a clear symbiosis: statelessness enables a broader set of validators to participate with minimal hardware, and FOCIL empowers those validators to collectively uphold inclusion and neutrality, counteracting the centralization of MEV-heavy block building. Together, they address two of the hardest problems for Ethereum’s future – the burden of state growth and the risk of censorship/centralization in block proposal.
It is also clear that they both can combine really well. As while one allows increasing gas limits, the other make sure blocks are full and decouples local building from throughput.
That means bigger blocks, fuller blocks, with censorship-resistance and more participants within CR(Consensus Rules) at the same time.
Combining these systems is not without challenges though. As it can be seen networking, UX, IL quality and other minor topics are still concerns that we have in mind and need to get solutions for.
WRT who holds state and how this affects FOCIL and other sub-protocols, it's hard to say anything. As we're just guessing.
One thing is obvious in this topic. And is that if we want immediate scaling, and we want to unleash state growth, we need to be prepared to handle such growth without asking all consensus participants to upgrade hardware.
Ideally, we should lower the entry barrier to the protocol and facilitate the existance of low-requirement roles like Includer, Attester or also, staker.
And the combination of statelessness-FOCIL is a clear example of this.
After all the considerations, A hybrid solution that incentivizes supplying state proofs to lower fees.
Or, some form of partial statelessness could be good 1st paths. Such that we can analyze how it affects the ecosystem and scales without disrupting how the network works atm.