[SEP 43] [OBRA] ZK Email Account Recovery - ZK Email

Please refer to the full proposal text on the SafeDAO forum. Some parts may have been removed to fit within the character limit on Snapshot.

Title:

[SEP 43][OBRA] ZK Email Account Recovery - ZK Email

Authors

• Aayush Gupta (aayushgupta5000@gmail.com, GitHub: Divide-By-0, Telegram: yush_g)
• John Guilding (Github: JohnGuilding, https://twitter.com/john_guilding)
• Sora Suegami (suegamisora@gmail.com, GitHub: sorasue77, Telegram: sorasue)
• Aditya Bisht (adityabisht64@gmail.com, GitHub: Bisht13, Telegram: Bisht13)

Created

2024-06-17

Abstract

This initiative proposes implementing a secure and efficient account recovery system using the Zk-Email SDK. The recovery method leverages guardian-based email verification, providing a reliable fallback for users who lose access to their accounts. The guide includes the entire setup, configuration, lifecycle management, and integration instructions for digital wallet applications. We will be EIP 7579 compatible, as well as work with legacy Gnosis Safes.

Proposal Details

Purpose and Background

The proposal aims to address the critical need for a reliable account recovery mechanism in digital wallet applications. Currently, users who lose access to their wallets face significant difficulties in recovery, leading to loss of funds and user dissatisfaction. This initiative uses guardian-based email verification, leveraging the Zk-Email SDK to create a secure and efficient recovery process, and allow users to use non-chain native users as guardians.

Edit: As of July, we have already created a working demo of an email recovery module for Safe 1.3 on Base Sepolia. You can follow the live demo at EthCC here. We've also begun an audit of our 7579-compatible module for Safe 1.4+ account recovery.

Effects and Impact Analysis

• Pros:
  • Provides a reliable recovery method, reducing the risk of permanent loss of assets
  • Lets users use non-chain-native users as recovery methods
  • Allows for very intuitive recovery process via email confirmations
  • Timelocks for 48 hours to avoid malicious fund stealing
  • Only relies on decentralized relayer infra with all MIT licensed OSS code, removing dependencies on zk email team
• Cons:
  • Requires trust in the DKIM keys of the users' email servers
• Risks:
  • Dependence on email service availability and security
  • Implementation complexities and potential bugs in the initial rollout

Alternative Solutions

Alternatives like MPC or centralized social recovery were considered. However, these were discarded due to their security risks.

Implementation

• The initiative requires new code development using ZK Email, for both circuits and smart contracts.
• Security of the code will be ensured through audits by Ackee in Month 1 and Zellic in Month 2, along with concurrent user testing.
• Deployment across all safes will be completed by Month 3.

For code, we are doing our own implementation but with funding (how much % to implementation: 100%) -- the implementation is finished as of July 2024 and is blocked on funding for audits.

Regarding requests for technical support through Safe matter experts, we are already in touch with the relevant experts.

• Who is needed? Wallet and 7579 folks.
• Did you reach out? Yes.
• Is there a roadmap? Yes, already communicated with them. Initial implementation complete and available to try at prove.email/recovery.

Funding Request

$50,000 USDC July Edit: The quote came back as $75,000 USDC, but due to community feedback we have kept the original $50K ask.

Upfront Funding

Ideally 100% in order to fund audit. Can do in installments of 50% as well.

Relation to Budget

The requested funding represents 25% of the total budget allocated for Strategy 4. It is also eligible for Strategy 5, and Strategy 2 only has 15K left so will not work.

Metrics and KPIs

• Number of wallets integrating the recovery system
• Number of successful account recoveries
• User satisfaction rating
• Security incidents reported

Timeline and Milestones

• Month 1: Finish code, Ackee audit
• Month 2: Testnet deployments, Zellic audit with concurrent user testing
• Month 3: Deployment across all safes

Initiative Lead

Aayush Gupta (aayushgupta5000@gmail.com, GitHub: Divide-By-0, Telegram: yush_g)

Note that the initiative in question asking for grants here is ZK Email, and PSE/EF are not associated with receiving or asking for any portion of the grant.

Team

• Aayush Gupta - Steward at ZK Email, has been working on the tech for 1.5 years
  • Email: aayushgupta5000@gmail.com
  • GitHub: Divide-By-0
  • Telegram: yush_g
  • Twitter: yush_g
• John Guilding - Lead Smart Contract Dev, working for last 3 months on ZK Email account recovery
  • Github: JohnGuilding
  • Twitter: john_guilding
• Sora Suegami - Cryptography Researcher on ZK Email, working on the tech for 1.5 years
  • Email: suegamisora@gmail.com
  • GitHub: sorasue77
  • Telegram: sorasue
• Aditya Bisht - Lead Engineer at ZK Email, has been working for 6 months
  • Email: adityabisht64@gmail.com
  • GitHub: Bisht13
  • Telegram: Bisht13

Additional Support/Resources

No additional non-financial resources are requested from the Safe Ecosystem Foundation or core contributors.

Implementation Dependencies

No governance changes.

Open Questions

• How will user adoption of the guardian-based recovery system be encouraged?
• How can we closer collaborate on making the user interface as natively integrated as possible?

Copyright

Copyright and related rights waived via CC0. Code open source with MIT license.