Audits
We have audited all of the code used in any zk-email mainnet deployments (zkp2p, email recovery). Contact us on t.me/zkemail if you are using any code that is not covered in these audits.
We are currently completing an audit of our zk-regex rewrite and our Solidity zksync deployments. The expected end date is mid-October.
We completed an audit with Zellic of our Ether Email Auth library in September 2024.
Fixes are merged on commit 38d9a4 on ether-email-auth.
We completed an audit of our smart contracts for Account Recovery in July 2024.
Fixes committed at 482d295 on email-recovery.
We completed a second audit in May 2024 of all of our ZK circuits, including our latest ZK regex rewrite. The audit deemed that EmailVerifier was safe, but people using sub-components in custom circuits may require extra changes and validations. We have fixed all of the high/medium issues. You can see the full report here and use the fixed circuits by using version 6.1.1 from npm.
Fixes committed at 95cd90 for zk-email-verify.
Fixes committed at 5396ec for zk-regex.
We completed our first audit on the circom dependencies and helper templates in zk-email-verify. Below, you'll find a detailed PDF report of the findings. We've addressed each issue raised in the audit and have listed the corresponding PRs with each fix.
Missing constraint for illegal characters: PR#103
Incorrect use of division operation: PR#104
Missing range checks for output signals: PR#104
Missing constraints for a signal input: PR#104
Missing constraints for output signals: PR#104
Issue with value retrieval in the LongToShortNoEndCarry: PR#104