
Clarification questions

Open · cankisagun opened this issue 4 years ago · 1 comment

Hey guys - congrats on the amazing hack and win!

I have a question regarding the project and smart contract based social recovery in general. I see that you've mentioned Argent stores the address of the guardian / recovery contact on chain in plain-text and it's a privacy issue.

My first question is about social recovery - guardian addresses are stored on chain. When I ask a guardian to restore my wallet, what exactly happens on chain? I am guessing there's a transaction by the guardian and something is checked against the Argent contract. If you can help me understand it - I'd really appreciate it.

If my understanding is correct, you are replacing that plain-text signature match, with a ZK proof?

Thank you

cankisagun avatar Mar 13 '20 20:03 cankisagun

Hi @cankisagun thanks for the congratulations and follow up questions! It was a fantastic weekend, smart contract wallets are great technology and projects.

How social recovery currently works

At the moment a smart contract wallet user would typically first nominate another Ethereum address to be their guardian. This is done by calling a method on the user's smart contract wallet, addGuardian(), and passing the Ethereum address of the guardian.

This guardian address is then placed into storage on chain.

When the user asks a guardian to restore access to their wallet, the guardian would provide a signature which is then validated by the user's smart contract wallet. If the recovered signer is the stored guardian, the recovery process goes ahead.

This hack

This process could be adapted so that when you add a guardian, the user instead uploads the hash of the guardian's address rather than the plaintext address.

When the recovery procedure is later initiated by a candidate guardian, the candidate guardian provides a zk proof rather than a signature. The proof proves that they know the preimage to the guardian hash stored on chain (that they know the address which when hashed gives the stored hash). If the proof is validated, the recovery goes ahead.

The idea is that only a legitimate guardian will know that they are acting as a guardian on the users behalf, and so only they will know that their address is the preimage to the hash. Therefore, only a legitimate guardian can construct a proof that will be successfully validated.

Hope that helps!

Next steps

We're going to be updating the README to flesh out the details of the project and its current limitations over the next few days. Let us know if you have any more questions! :)

thomas-waite avatar Mar 14 '20 22:03 thomas-waite
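The two recovery flows described in the answer above, side by side in one Solidity sketch. This is an added illustration, not code from the zkSocialRecovery project or from Argent. The `IPreimageVerifier` interface, its `verifyProof` signature (modelled on the shape snarkjs-generated Groth16 verifiers expose), the contract and function names, and the choice to bind the signature to a nonce are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical proof verifier. Assumed shape only: a real circuit would be
/// compiled separately and its generated verifier contract deployed first.
interface IPreimageVerifier {
    function verifyProof(
        uint256[2] calldata a,
        uint256[2][2] calldata b,
        uint256[2] calldata c,
        uint256[1] calldata publicInputs // [0] = the stored guardian hash
    ) external view returns (bool);
}

contract RecoveryWalletSketch {
    address public owner;
    uint256 public recoveryNonce; // prevents a guardian signature from being replayed

    // Flow 1 (current practice): the guardian address itself is in storage,
    // so anyone reading chain state learns who the user's guardians are.
    mapping(address => bool) public isGuardian;

    // Flow 2 (the hack): only a hash of the guardian address is stored.
    // Caveat: a hash of a bare public address is a weak hiding commitment,
    // since anyone can test candidate addresses against it; a deployment
    // would normally fold a secret salt into the preimage as well.
    mapping(bytes32 => bool) public isGuardianHash;
    IPreimageVerifier public immutable verifier;

    event RecoveryExecuted(address indexed newOwner, string method);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(IPreimageVerifier _verifier) {
        owner = msg.sender;
        verifier = _verifier;
    }

    // ---- Flow 1: plaintext guardian + signature check ----

    function addGuardian(address guardian) external onlyOwner {
        isGuardian[guardian] = true;
    }

    // The guardian signs (wallet, newOwner, nonce) off-chain; anyone may relay
    // the signature. ecrecover yields the signer, which is matched against the
    // plaintext guardian set stored on chain.
    function recoverWithSignature(address newOwner, uint8 v, bytes32 r, bytes32 s) external {
        bytes32 digest = keccak256(abi.encodePacked(address(this), newOwner, recoveryNonce));
        bytes32 ethDigest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", digest));
        address signer = ecrecover(ethDigest, v, r, s);
        require(signer != address(0), "bad signature");
        require(isGuardian[signer], "signer is not a guardian");
        recoveryNonce += 1;
        owner = newOwner;
        emit RecoveryExecuted(newOwner, "signature");
    }

    // ---- Flow 2: hashed guardian + zero-knowledge preimage proof ----

    // The owner hashes the guardian's address off-chain and stores only the hash.
    function addGuardianHash(bytes32 guardianHash) external onlyOwner {
        isGuardianHash[guardianHash] = true;
    }

    // The candidate guardian submits a proof of knowing a preimage of a stored
    // hash. The hash is passed as the proof's public input so the contract can
    // check the proof is about a registered guardian, not an arbitrary hash.
    // Simplification: keccak256 output does not fit the scalar field most SNARK
    // circuits use, so a real circuit would use a field-friendly hash instead.
    function recoverWithProof(
        address newOwner,
        bytes32 guardianHash,
        uint256[2] calldata a,
        uint256[2][2] calldata b,
        uint256[2] calldata c
    ) external {
        require(isGuardianHash[guardianHash], "unknown guardian hash");
        require(verifier.verifyProof(a, b, c, [uint256(guardianHash)]), "invalid proof");
        recoveryNonce += 1;
        owner = newOwner;
        emit RecoveryExecuted(newOwner, "zk-proof");
    }
}
```

The contrast the answer draws is visible in the two `require` lines: `recoverWithSignature` compares a recovered signer against an address anyone can read from `isGuardian`, while `recoverWithProof` only learns that some party knows a preimage of a registered hash, and the guardian's address never appears in calldata or storage.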