[Draft] [OBRA]: ZK Email Account Recovery - ZK Email

[Discussion] Email-Based Account Recovery Initiative

Phase 0 Discussion Thread: [Draft][OBRA] ZK Email Account Recovery - ZK Email

Authors

• John Guilding (Github: JohnGuilding, Twitter: john_guilding)
• Aayush Gupta (aayushgupta5000@gmail.com, GitHub: Divide-By-0, Telegram: yush_g)
• Sora Suegami (suegamisora@gmail.com, GitHub: sorasue77, Telegram: sorasue)
• Aditya Bisht (adityabisht64@gmail.com, GitHub: Bisht13, Telegram: Bisht13)

Created

2024-06-17

Abstract

This initiative proposes implementing a secure and efficient account recovery system using the Zk-Email SDK. The recovery method leverages guardian-based email verification, providing a reliable fallback for users who lose access to their accounts. The guide includes the entire setup, configuration, lifecycle management, and integration instructions for digital wallet applications. We will be EIP 7579 compatible as well as work with legacy Gnosis Safes.

Proposal Details

Purpose and Background

The proposal aims to address the critical need for a reliable account recovery mechanism in digital wallet applications. Currently, users who lose access to their wallets face significant difficulties in recovery, leading to loss of funds and user dissatisfaction. This initiative uses guardian-based email verification, leveraging the Zk-Email SDK to create a secure and efficient recovery process, and allow users to use non-chain native users as guardians.

Effects and Impact Analysis

• Pros:
  • Provides a reliable recovery method, reducing the risk of permanent loss of assets
  • Lets users use non-chain-native users as recovery methods
  • Allows for very intuitive recovery process via email confirmations
  • Timelocks for 48 hours to avoid malicious fund stealing
  • Only relies on decentralized relayer infra with all MIT licensed OSS code, removing dependencies on zk email team
• Cons:
  • Requires trust in the DKIM keys of the users’ email servers
• Risks:
  • Dependence on email service availability and security
  • Implementation complexities and potential bugs in the initial rollout

Alternative Solutions

Alternatives like MPC or centralized social recovery were considered. However, these were discarded due to their security risks.

Implementation

• The initiative requires new code development with ZK Email and smart contracts.
• Security of the code will be ensured through audits by Ackee in Month 1 and Zellic in Month 2, along with concurrent user testing.
• Deployment across all safes will be completed by Month 3.

We are pursuing our own implementation but with Safe funding for the audit. (how much % to implementation: 100%).

We do not need additional technical support through Safe matter experts, as we have already established the necessary communication channels.

• Who is needed? Wallet and 7579 folks.
• Did you reach out? Yes.
• Is there a roadmap? Yes, already communicated with them. Initial implementation complete and available to try at prove.email/recovery.

Funding Request

$50,000 USDC

Also as a note, 50K only covers part of the audit cost but 75K would let us cover the full audit cost. Let us know if we should adjust this ask!

Upfront Funding

Ideally 100% in order to fund audit. Can do in installments of 50% as well.

Relation to Budget

The requested funding represents 25% of the total budget allocated for Strategy 4.

Metrics and KPIs

• Number of wallets integrating the recovery system
• Number of successful account recoveries
• User satisfaction rating
• Security incidents reported

Timeline and Milestones

• Month 1: Finish code, Ackee audit
• Month 2: Testnet deployments, Zellic audit with concurrent user testing
• Month 3: Deployment across all safes

Initiative Lead

Aayush Gupta (aayushgupta5000@gmail.com, GitHub: Divide-By-0, Telegram: yush_g)

Team

• Aayush Gupta - Steward at ZK Email, has been working on the tech for 1.5 years
  • Email: aayushgupta5000@gmail.com
  • GitHub: Divide-By-0
  • Telegram: yush_g
  • Twitter: yush_g
• Sora Suegami - Cryptography Researcher on ZK Email, working on the tech for 1.5 years
  • Email: suegamisora@gmail.com
  • GitHub: sorasue77
  • Telegram: sorasue
• Aditya Bisht - Lead Engineer at ZK Email, has been working for 6 months
  • Email: adityabisht64@gmail.com
  • GitHub: Bisht13
  • Telegram: Bisht13
• John Guilding - Lead Smart Contract Dev at PSE, working for last 3 months on ZK Email account recovery
  • Github: JohnGuilding
  • Twitter: john_guilding

Additional Support/Resources

No additional non-financial resources are requested from the Safe Ecosystem Foundation or core contributors.

Implementation Dependencies

The initiative requires updates to the current governance framework to incorporate guardian-based account recovery as a standard feature. Approval and implementation of these changes are prerequisites for funding.

Open Questions

• How will user adoption of the guardian-based recovery system be encouraged?
• How can we closer collaborate on making the user interface as natively integrated as possible?

Copyright

Copyright and related rights waived via CC0. Code open source with MIT license.

Unfortunately this proposal did not make the deadline, and will need to be submitted for the next sprint (Season 3, Sprint 2) on July 8. Closing this thread for now.