ZK Email Audits

ZK Email has completed multiple security audits by Matter Labs, Zellic, Ackee, and ZKSecurity, ensuring the security and reliability of our protocol. All issues have been addressed in the latest releases, making our account recovery system ready for mainnet deployment.

ZK Email Team, 2024-12-23

ZK Email has successfully completed four security audits by our top-choice firms in the blockchain security space: Matter Labs, Zellic, Ackee Blockchain, and ZKSecurity. These audits covered all critical components of the protocol, including our zk-regex library, Circom circuits, Solidity smart contracts, and the account recovery system.

We have addressed all identified issues, implementing fixes in the latest releases of our repositories. With these upgrades deployed in December 2024, the ZK Email account recovery system is now ready for mainnet deployment, providing users with a secure and reliable way to recover their accounts using their email addresses.

Matter Labs Audit

Matter Labs Audit Report

Matter Labs audited our zk-regex rewrite and ZKsync Solidity contracts in October 2024. Their audit revealed:

  • 3 Critical issues
  • 3 High impact issues
  • 6 Medium severity issues
  • 5 Low severity issues

The audit focused on our account recovery functionality across multiple repositories, including Circom circuits, Solidity smart contracts, and the compiler. All critical and high severity issues have been addressed.

The following commits contain all fixes addressing the audit findings:

  • Fixes committed at 9ed376 for zk-email-verify
  • Fixes committed at 7002a2 for zk-regex
  • Fixes committed at 984b59 for ether-email-auth
  • Fixes committed at c866ec for email-recovery
  • Fixes committed at a60eb9 for clave-email-recovery
  • Fixes committed at 0327db for ic-dns-oracle

You can find the complete Matter Labs audit report here.

Zellic Audit

Zellic Audit Report

Zellic completed an audit of our ether-email-auth repository. This audit focused on the core functionality of our email authentication system. The audit revealed:

  • 1 Critical issue
  • 4 High impact issues
  • 5 Low impact issues
  • 2 Informational findings

We've addressed and fixed the critical vulnerability and all high impact issues identified in the Zellic audit.

Additionally, we've resolved several low impact issues identified in the audit.

You can find the complete Zellic audit report here.

Ackee Blockchain Audit

Ackee Audit Report

Ackee Blockchain performed a thorough security review of our ZK Email protocol, focusing on the email recovery project. They reviewed commit 4e70316, examining contracts like EmailRecoveryManager, EmailRecoveryModule, UniversalEmailRecoveryModule, and related libraries and handlers.

The audit identified issues of varying severity:

  • High: Vulnerabilities in recovery configuration and premature guardian updates
  • Medium: Parameter check issues, DoS risks, selector collisions, arbitrary Safe recovery calls
  • Low & Informational: Code quality, gas optimizations, potential ERC-4337 violations

We addressed the findings in two revisions.

For a detailed overview of the audit findings, you can access the full Ackee Blockchain Audit Report.

ZKSecurity Audit

ZKSecurity Audit Report

ZKSecurity performed an audit of our circuits, focusing on the zk-email-verify library and the zk-regex compiler. Their audit covered:

  • The implementation of the ZK proofs
  • The security of the cryptographic primitives used
  • The efficiency and optimization of the circuits
  • The correctness and security of the regex compilation process

The audit revealed several important findings, including high-severity issues related to regex soundness, compiler immaturity, and vulnerabilities in SHA256 templates. Medium-severity issues were also identified, such as potential information leakage and undocumented template assumptions.

We've taken these findings seriously and are working diligently to address each issue. This includes refactoring code, improving our documentation and test suite, and implementing stricter constraints where necessary. These improvements will significantly enhance the security and reliability of the ZK Email system.

Through these audits, we've significantly improved the security and reliability of:

  1. Our core email authentication system (email-tx-builder)
  2. The zk-regex library, which is crucial for parsing and proving email content. Fixes were implemented in commit 95cd901 for zk-email-verify and commit 5396ec4 for zk-regex.

You can find the complete ZKSecurity audit report here.

Ongoing Audits

Our security efforts continue with several ongoing audits:

ZK Email Noir Circuits: We're currently working with Aztec and OpenZeppelin to audit our Noir circuit implementations, which will add support for faster client-side ZK Email proofs.

We'll share the results of these audits once they are complete. These audits represent our ongoing commitment to security as we expand the ZK Email ecosystem.

Conclusion

The successful completion of these audits by Matter Labs, Zellic, Ackee Blockchain, and ZKSecurity marks the production readiness of ZK Email. It reinforces our commitment to providing a secure and reliable system for the blockchain ecosystem, and we are excited to move from research into production.

We want to thank our auditors for their thorough work and our community for their continued support and trust in ZK Email.

For a detailed overview of the audit findings, you can access the full audit reports linked in each section above.

Thank you for your continued support and trust in ZK Email. We're excited about the future and the continued improvement of our technology.
