[Discussion] Email-Based Account Recovery Initiative
Phase 0 Discussion Thread: [Draft][OBRA] ZK Email Account Recovery - ZK Email
Authors
- John Guilding (GitHub: JohnGuilding, Twitter: john_guilding)
- Aayush Gupta (aayushgupta5000@gmail.com, GitHub: Divide-By-0, Telegram: yush_g)
- Sora Suegami (suegamisora@gmail.com, GitHub: sorasue77, Telegram: sorasue)
- Aditya Bisht (adityabisht64@gmail.com, GitHub: Bisht13, Telegram: Bisht13)
Created
2024-06-17
Abstract
This initiative proposes implementing a secure and efficient account recovery system using the Zk-Email SDK. The recovery method leverages guardian-based email verification, providing a reliable fallback for users who lose access to their accounts. The guide includes the entire setup, configuration, lifecycle management, and integration instructions for digital wallet applications. We will be EIP 7579 compatible and will also work with legacy Gnosis Safes.
Proposal Details
Purpose and Background
The proposal aims to address the critical need for a reliable account recovery mechanism in digital wallet applications. Currently, users who lose access to their wallets face significant difficulties in recovery, leading to loss of funds and user dissatisfaction. This initiative uses guardian-based email verification, leveraging the Zk-Email SDK to create a secure and efficient recovery process, and allows users to use non-chain-native users as guardians.
Effects and Impact Analysis
- Pros:
  - Provides a reliable recovery method, reducing the risk of permanent loss of assets
  - Lets users use non-chain-native users as recovery methods
  - Allows for a very intuitive recovery process via email confirmations
  - Timelocks for 48 hours to avoid malicious fund stealing
  - Only relies on decentralized relayer infra with all MIT-licensed OSS code, removing dependencies on the ZK Email team
- Cons:
  - Requires trust in the DKIM keys of the users' email servers
- Risks:
  - Dependence on email service availability and security
  - Implementation complexities and potential bugs in the initial rollout
Alternative Solutions
Alternatives like MPC or centralized social recovery were considered. However, these were discarded due to their security risks.
Implementation
- The initiative requires new code development with ZK Email and smart contracts.
- Security of the code will be ensured through audits by Ackee in Month 1 and Zellic in Month 2, along with concurrent user testing.
- Deployment across all safes will be completed by Month 3.
We are pursuing our own implementation but with Safe funding for the audit. (how much % to implementation: 100%).
We do not need additional technical support through Safe matter experts, as we have already established the necessary communication channels.
- Who is needed? Wallet and 7579 folks.
- Did you reach out? Yes.
- Is there a roadmap? Yes, already communicated with them. Initial implementation complete and available to try at prove.email/recovery.
Funding Request
$50,000 USDC
Also as a note, 50K only covers part of the audit cost but 75K would let us cover the full audit cost. Let us know if we should adjust this ask!
Upfront Funding
Ideally 100% in order to fund audit. Can do in installments of 50% as well.
Relation to Budget
The requested funding represents 25% of the total budget allocated for Strategy 4.
Metrics and KPIs
- Number of wallets integrating the recovery system
- Number of successful account recoveries
- User satisfaction rating
- Security incidents reported
Timeline and Milestones
- Month 1: Finish code, Ackee audit
- Month 2: Testnet deployments, Zellic audit with concurrent user testing
- Month 3: Deployment across all safes
Initiative Lead
Aayush Gupta (aayushgupta5000@gmail.com, GitHub: Divide-By-0, Telegram: yush_g)
Team
- Aayush Gupta - Steward at ZK Email, has been working on the tech for 1.5 years
  - Email: aayushgupta5000@gmail.com
  - GitHub: Divide-By-0
  - Telegram: yush_g
  - Twitter: yush_g
- Sora Suegami - Cryptography Researcher on ZK Email, working on the tech for 1.5 years
  - Email: suegamisora@gmail.com
  - GitHub: sorasue77
  - Telegram: sorasue
- Aditya Bisht - Lead Engineer at ZK Email, has been working for 6 months
  - Email: adityabisht64@gmail.com
  - GitHub: Bisht13
  - Telegram: Bisht13
- John Guilding - Lead Smart Contract Dev at PSE, working for last 3 months on ZK Email account recovery
  - GitHub: JohnGuilding
  - Twitter: john_guilding
Additional Support/Resources
No additional non-financial resources are requested from the Safe Ecosystem Foundation or core contributors.
Implementation Dependencies
The initiative requires updates to the current governance framework to incorporate guardian-based account recovery as a standard feature. Approval and implementation of these changes are prerequisites for funding.
Open Questions
- How will user adoption of the guardian-based recovery system be encouraged?
- How can we collaborate more closely on making the user interface as natively integrated as possible?
Copyright
Copyright and related rights waived via CC0. Code open source with MIT license.