EIP-8224: Counterfactual Transaction

benaadams · April 12, 2026, 1:33am

Add EIP: Counterfactual Transaction

master ← benaadams:counterfactual-transaction

opened 01:37AM - 12 Apr 26 UTC

## Summary EIP-8224 introduces a new EIP-2718 transaction type (`0x08`) - the… **counterfactual transaction** - for protocol-native shielded gas funding using ZK proofs against canonical fee-note contracts. ### The problem A fresh EOA with no ETH can't pay gas. Receiving ETH from any source creates a traceable on-chain link - defeating the privacy goal. This is the bootstrapping problem that remains even after EIP-8223 (Contract Payer Transaction / sponsored transactions). ### How it works 1. A user deposits ETH into a canonical fee-note contract instance (recognized by runtime code hash, not a fixed address), receiving a private Poseidon commitment 2. Later, from a fresh EOA, they submit a counterfactual transaction carrying an **fflonk** ZK proof (over BN254) that they own an unspent fee note sufficient to cover gas 3. The protocol verifies the proof (no EVM execution needed - bounded cryptographic computation + fixed storage reads), consumes the fee note's nullifier, settles gas, and sends any leftover ETH to a designated `gas_refund_recipient` 4. The transaction body executes normally - it can call any contract (privacy pool withdrawal, account setup, etc.) ### Key design properties - **Code-hash recognition** - fee-note contracts are recognized by `EXTCODEHASH`, not a fixed predeploy address. Multiple instances can coexist. The transaction names its instance via `fee_note_contract`, and the proof binds to that address - **fflonk over BN254** - universal setup (reuses existing powers-of-tau), 2-pair pairing verification, ~176K gas proof verification cost. No circuit-specific trusted setup ceremony - **Append-only accepted roots** - deposits add roots that are never revoked. Proofs against older roots remain valid forever, preventing censorship-based griefing - **Arbitrary note values** - no fixed denomination tiers. Deposit any ETH amount; the circuit proves `fee_denomination == note_value` - **`chain_id` bound in proof** - defense-in-depth against cross-chain replay (8 public inputs total) - **Explicit intrinsic gas** - proof verification, state access/mutation, and settlement transfer logs are itemized following EIP-2780 methodology with EIP-7904 precompile costs - **One-shot bootstrap** - used once to fund a smart account and register it in the Contract Payer Transaction payer registry; all subsequent txs use cheap sponsored transactions - **Composable** - the `data` field can target any contract; the fee note only handles gas authorization - **Bounded ETH exit** - unused fee-note value emerges as public ETH at `gas_refund_recipient`, doubling as an account bootstrap mechanism - **Mempool-safe** - validation is bounded cryptographic computation + a canonical code-hash check + fixed storage reads, no EVM execution ### Intrinsic gas breakdown | Component | Gas | |---|---| | Base (EIP-2780) | 4,500 | | fflonk proof verification (9 ECMUL + 9 ECADD + 2-pair ECPAIRING) | 176,346 | | Fee-note state access | 6,800 | | Fee-note state mutation | 22,500 | | ETH transfer logs | 3,512 | | **Fixed subtotal** | **213,658** | | Proof calldata (~512 bytes) | ~8,192 | | **Typical minimum total** | **~222,000** | ### Dependencies EIP-196, EIP-197, EIP-1559, EIP-2718, EIP-2780, EIP-3529, EIP-4788, EIP-6780, EIP-7708, EIP-7904 ### Status Draft - canonical fee-note bytecode, verification key, circuit artifacts, and cross-client test vectors are not yet published.

Summary

EIP-8224 introduces a new EIP-2718 transaction type (0x08) - the counterfactual transaction - for protocol-native shielded gas funding using ZK proofs against canonical fee-note contracts.

The problem

A fresh EOA with no ETH can’t pay gas. Receiving ETH from any source creates a traceable on-chain link - defeating the privacy goal. This is the bootstrapping problem that remains even after EIP-8223 (Contract Payer Transaction / sponsored transactions).

How it works

A user deposits ETH into a canonical fee-note contract instance (recognized by runtime code hash, not a fixed address), receiving a private Poseidon commitment
Later, from a fresh EOA, they submit a counterfactual transaction carrying an fflonk ZK proof (over BN254) that they own an unspent fee note sufficient to cover gas
The protocol verifies the proof (no EVM execution needed - bounded cryptographic computation + fixed storage reads), consumes the fee note’s nullifier, settles gas, and sends any leftover ETH to a designated gas_refund_recipient
The transaction body executes normally - it can call any contract (privacy pool withdrawal, account setup, etc.)

Key design properties

Code-hash recognition - fee-note contracts are recognized by EXTCODEHASH, not a fixed predeploy address. Multiple instances can coexist. The transaction names its instance via fee_note_contract, and the proof binds to that address
fflonk over BN254 - universal setup (reuses existing powers-of-tau), 2-pair pairing verification, ~176K gas proof verification cost. No circuit-specific trusted setup ceremony
Append-only accepted roots - deposits add roots that are never revoked. Proofs against older roots remain valid forever, preventing censorship-based griefing
Arbitrary note values - no fixed denomination tiers. Deposit any ETH amount; the circuit proves fee_denomination == note_value
chain_id bound in proof - defense-in-depth against cross-chain replay (8 public inputs total)
Explicit intrinsic gas - proof verification, state access/mutation, and settlement transfer logs are itemized following EIP-2780 methodology with EIP-7904 precompile costs
One-shot bootstrap - used once to fund a smart account and register it in the Contract Payer Transaction payer registry; all subsequent txs use cheap sponsored transactions
Composable - the data field can target any contract; the fee note only handles gas authorization
Bounded ETH exit - unused fee-note value emerges as public ETH at gas_refund_recipient, doubling as an account bootstrap mechanism
Mempool-safe - validation is bounded cryptographic computation + a canonical code-hash check + fixed storage reads, no EVM execution

Intrinsic gas breakdown

Component	Gas
Base (EIP-2780)	4,500
fflonk proof verification (9 ECMUL + 9 ECADD + 2-pair ECPAIRING)	176,346
Fee-note state access	6,800
Fee-note state mutation	22,500
ETH transfer logs	3,512
Fixed subtotal	213,658
Proof calldata (~512 bytes)	~8,192
Typical minimum total	~222,000

Dependencies

EIP-196, EIP-197, EIP-1559, EIP-2718, EIP-2780, EIP-3529, EIP-4788, EIP-6780, EIP-7708, EIP-7904

Status

Draft - canonical fee-note bytecode, verification key, circuit artifacts, and cross-client test vectors are not yet published.