[Draft][OBRA] ZK Email Account Recovery - ZK Email

[Discussion] Email-Based Account Recovery Initiative

Authors

Created

2024-06-17

Abstract

This initiative proposes implementing a secure and efficient account recovery system using the Zk-Email SDK. The recovery method leverages guardian-based email verification, providing a reliable fallback for users who lose access to their accounts. The guide includes the entire setup, configuration, lifecycle management, and integration instructions for digital wallet applications. We will be EIP 7579 compatible, as well as work with legacy Gnosis Safes.

Proposal Details

Purpose and Background

The proposal aims to address the critical need for a reliable account recovery mechanism in digital wallet applications. Currently, users who lose access to their wallets face significant difficulties in recovery, leading to loss of funds and user dissatisfaction. This initiative uses guardian-based email verification, leveraging the Zk-Email SDK to create a secure and efficient recovery process, and allow users to use non-chain native users as guardians.

Edit: As of July, we have already created a working demo of an email recovery module for Safe 1.3 on Base Sepolia. You can follow the live demo at EthCC here. We’ve also begun an audit of our 7579-compatible module for Safe 1.4+ account recovery.

Effects and Impact Analysis

  • Pros:
    • Provides a reliable recovery method, reducing the risk of permanent loss of assets
    • Lets users use non-chain-native users as recovery methods
    • Allows for very intuitive recovery process via email confirmations
    • Timelocks for 48 hours to avoid malicious fund stealing
    • Only relies on decentralized relayer infra with all MIT licensed OSS code, removing dependencies on zk email team
  • Cons:
    • Requires trust in the DKIM keys of the users’ email servers
  • Risks:
    • Dependence on email service availability and security
    • Implementation complexities and potential bugs in the initial rollout

Alternative Solutions

Alternatives like MPC or centralized social recovery were considered. However, these were discarded due to their security risks.

Implementation

  • The initiative requires new code development using ZK Email, for both circuits and smart contracts.
  • Security of the code will be ensured through audits by Ackee in Month 1 and Zellic in Month 2, along with concurrent user testing.
  • Deployment across all safes will be completed by Month 3.

For code, we are doing our own implementation but with funding (how much % to implementation: 100%) – the implementation is finished as of July 2024 and is blocked on funding for audits.

Regarding requests for technical support through Safe matter experts, we are already in touch with the relevant experts.

  • Who is needed? Wallet and 7579 folks.
  • Did you reach out? Yes.
  • Is there a roadmap? Yes, already communicated with them. Initial implementation complete and available to try at prove.email/recovery.

Funding Request

$50,000 USDC
July Edit: The quote has come back as $75,000 USDC.

Upfront Funding

Ideally 100% in order to fund audit. Can do in installments of 50% as well.

Relation to Budget

The requested funding represents 25% of the total budget allocated for Strategy 4.

Metrics and KPIs

  • Number of wallets integrating the recovery system
  • Number of successful account recoveries
  • User satisfaction rating
  • Security incidents reported

Timeline and Milestones

  • Month 1: Finish code, Ackee audit
  • Month 2: Testnet deployments, Zellic audit with concurrent user testing
  • Month 3: Deployment across all safes

Initiative Lead

Aayush Gupta (aayushgupta5000@gmail.com, GitHub: Divide-By-0, Telegram: yush_g)

Team

  • Aayush Gupta - Steward at ZK Email, has been working on the tech for 1.5 years
  • John Guilding - Lead Smart Contract Dev at PSE, working for last 3 months on ZK Email account recovery
  • Sora Suegami - Cryptography Researcher on ZK Email, working on the tech for 1.5 years
  • Aditya Bisht - Lead Engineer at ZK Email, has been working for 6 months

Additional Support/Resources

No additional non-financial resources are requested from the Safe Ecosystem Foundation or core contributors.

Implementation Dependencies

No governance changes.

Open Questions

  • How will user adoption of the guardian-based recovery system be encouraged?
  • How can we closer collaborate on making the user interface as natively integrated as possible?

Copyright

Copyright and related rights waived via CC0. Code open source with MIT license.

@amy.sg the proposal grant doc clearly says June 17 is the deadline, and in Hawaii timezone I submitted by the deadline. It would be preferable to have clarity around deadline time in the future.

Hi @yush_g thanks for the feedback.

We have it documented in our Governance Hub, with exact times per season laid out here, and as support, include it in our communication on each proposal in Phase 0 that is close to the deadline (as exemplified here), but will update and include it in the funding document as you recommended. For future note, we always go by UTC as we have a global community.

Let us know if you have any questions beforehand. Hope to see your proposal in the next cycle.

Got it. Do I have to make a new thread for the next sprint (Season 3, Sprint 2) by July 8, or can I reuse this one?

Hey @yush_g,

You can go ahead and submit this thread into Phase 1. I updated the tag for you.

Here is the timeline for the next sprint. It officially starts July 8th and you have until Monday, July 22nd at 23:59 UTC to get signal from at least 3 delegates/guardians with cumulative voting power of 60K (details outlined in our governance hub and as exemplified here).

Please note: there is no upfront funding available for requests greater than 10K

Welcome to Sprint 2 - We usually have Phase 1 proposals present at the Governance call which is next Wednesday, July 17th at 16:00 UTC. Can you make it? If so, please let me know and I will add you to the agenda.

Original: We should be able to have a representative there.
Edit: Yes, we attended the call.

Sounds good. I’ve added your team to this Wednesday’s agenda.

Please DM me here/Discord (@amy_safe) your email to add to the calendar invite or your team member can add directly to the calendar invite.

I am a Safe Guardian with sufficient voting power , and I believe this proposal is ready to move to a vote.

@yush_g Following up here. Please confirm if your team will be attending. Thank you!

Links from the governance call presentation:

3 Likes

Note that the updated audit quote to support both Safe 1.3 and 1.4+ is 75K, not 50K. We know the max for this round is $50K – it would be great to get a sense of if you expect there to be an extra $25K available from this round or other sources.

Hey @yush_g as mentioned in the governance call, here is the breakdown if all proposals make it:

Strategy 1: 100K left (No change/ None requested)
Strategy 2: 15K left (75K requested)
Strategy 3: 54.1K left (24K + 15.4K requested)
Strategy 4: 50k left (50K requested)
Strategy 5: 56K left (28K requested)
Wildcard: 50K left (50K* requested)

1 Like