Merge pull request #8 from zkemail/blog-zellic-audit

blog: zellic audit

src/app/content/blogsContent/2fa.mdx

@@ -13,6 +13,7 @@ aliases:
   - /2fa
   - /posts/safe
   - /safe
+ogImage: "/blog-media/2fa/banner.png"
 ---
 
 #### Introduction

src/app/content/blogsContent/emailwallet.mdx

@@ -9,6 +9,7 @@ category: "1 hr read"
 tags: ["crypto", "zk"]
 description: "How we created a wallet to send any asset via email."
 math: true
+ogImage: "/blog-media/emailwallet/banner.png"
 ---
 
 *Special thanks to Saleel for writing the post, and Aayush and Sora for the review and suggestions.*

src/app/content/blogsContent/ethDenverNFT.mdx

@@ -8,6 +8,7 @@ slug: "ethDenverNFT"
 category: "2 minute read"
 tags: ["crypto", "zk"]
 description: "Use this guide to claim your EthDenver NFT using Email Wallet, learn how to send any NFT via emails, and integrate your own email-based NFTs into your app."
+ogImage: "/blog-media/ethDenverNFT/banner.png"
 ---
 
 Try out our collaboration with cursive and IYK at ETH Denver, where one click and one email confirmation will let you claim an exclusive NFT by interacting with different locations around the venue! Here's a simple guide to secure your digital collectibles just by using your email:

src/app/content/blogsContent/intro.mdx

@@ -8,6 +8,7 @@ slug: "intro"
 category: "5 min read"
 tags: ["intro"]
 description: "An quick introduction to our open source project, demos, and progress."
+ogImage: "/blog-media/intro/banner.png"
 ---
 
 Welcome to https://zk.email! ZK Email is an open source organization aiming to be the backbone of decentralized identity verification and new user onboarding on chain. We do not attest to users' information or identities, they directly attest and an open source zk verifier verifies it. We are non-custodial, as users are the only ones who can withdraw their funds from their account.

src/app/content/blogsContent/jwt.mdx

@@ -7,6 +7,7 @@ slug: "jwt"
 category: "30 min read"
 tags: ["jwt"]
 description: "Verifying sign-ins inside a ZK-SNARK."
+ogImage: "/blog-media/jwt/banner.png"
 ---
 
 by [Emma Guo](https://twitter.com/emguoz) and [Sehyun Chung](https://twitter.com/sehyunchung)

src/app/content/blogsContent/recovery.mdx

@@ -11,6 +11,7 @@ aliases:
   - /posts/7579
   - /posts/recovery
   - /7579
+ogImage: "/blog-media/recovery/banner.png"
 ---
 
 In crypto, the difficulty of managing seed phrases means account recovery is critical. Conventional methods of recovery, such as seed phrases and centralized recovery mechanisms, not only introduce friction for users but also pose security risks, undermining the decentralization of cryptocurrency. Smart account standards like ERC-4337 present promising new ways to avoid seed phrases like using secure element biometric signatures, but account recovery is still needed in the case of device loss or password reset. Currently, users are forced to only choose from crypto-native friends to be recovery signers, making broad adoption more difficult.

src/app/content/blogsContent/twitter.mdx

@@ -12,6 +12,7 @@ aliases:
   - /zkemail
   - /posts/tutorial
   - /tutorial
+ogImage: "/blog-media/twitter/banner.png"
 ---
 
 ## Introduction

src/app/content/blogsContent/zk.mdx

@@ -15,6 +15,7 @@ aliases:
   - /takes
   - /zk
 math: true
+ogImage: "/blog-media/zk/banner.png"
 ---
 
 {/* <!-- Uncomment the following lines when copying this to the hackmd: --> */}

src/app/content/blogsContent/zkemail-audits.mdx

@@ -0,0 +1,134 @@
+---
+title: "ZK Email Audits"
+date: 2024-12-23
+authors: ["ZK Email Team"]
+type: Post
+draft: false
+slug: "zkemail-audit"
+category: "5m read"
+tags: ["security", "audit", "zk-email", "ethereum", "blockchain security"]
+description: "ZK Email has completed multiple security audits by Matter Labs, Zellic, and Ackee Blockchain, ensuring the security and reliability of our protocol. All issues have been addressed in the latest releases, making our account recovery system ready for mainnet deployment."
+math: false
+ogImage: "/blog-media/zkemail-audit/banner.png"
+---
+
+ZK Email has successfully completed a series of security audits conducted by leading firms in the blockchain security space, including Matter Labs, Zellic, Ackee Blockchain, and ZKSecurity. These audits have thoroughly examined our protocol, focusing on critical components such as our zk-regex library, Circom circuits, Solidity smart contracts, and the account recovery system. 
+
+We have diligently addressed all identified issues, implementing fixes in the latest releases of our repositories. With these security enhancements in place, our ZK Email account recovery system is now ready for mainnet deployment, providing users with a secure and reliable way to recover their accounts using their email addresses.
+
+
+## Matter Labs Audit
+
+<img src="/blog-media/zkemail-audit/matterlabs-audit.webp" alt="Matter Labs Audit Report"/>
+
+Matter Labs audited our [zk-regex](https://github.com/zkemail/zk-regex) rewrite and ZKsync Solidity contracts in October 2024. Their audit revealed:
+
+- 3 Critical issues
+- 3 High impact issues  
+- 6 Medium severity issues
+- 5 Low severity issues
+
+The audit focused on our account recovery functionality across multiple repositories, including Circom circuits, Solidity smart contracts, and the compiler. All critical and high severity issues have been addressed.
+
+The following commits contain all fixes addressing the audit findings:
+
+- Fixes committed at [9ed376](https://github.com/zkemail/zk-email-verify/tree/9ed3769dc3d96fb0d7c45f1f014dcd9bfb63675b) for zk-email-verify
+- Fixes committed at [7002a2](https://github.com/zkemail/zk-regex/tree/7002a2179e076449b84e3e7e8ba94e88d0a2dc2f) for zk-regex
+- Fixes committed at [984b59](https://github.com/zkemail/ether-email-auth/tree/984b5919a9be715b743b08863ab6471c2b5356a6) for ether-email-auth
+- Fixes committed at [c866ec](https://github.com/zkemail/email-recovery/tree/c866ecb3dd326fe17850c61a9e38eb3db8a45695) for email-recovery
+- Fixes committed at [a60eb9](https://github.com/zkemail/clave-email-recovery/tree/a60eb9877f47f80459eefcf4639a350c96a43393) for clave-email-recovery
+- Fixes committed at [0327db](https://github.com/zkemail/ic-dns-oracle/tree/0327db9ac701a908139fcef2994cff8ed2d5533f) for ic-dns-oracle
+
+You can find the complete Matter Labs audit report [here](/blog-media/zkemail-audit/matterlabs-zkemail-audit-report.pdf).
+
+## Zellic Audit
+
+<img src="/blog-media/zkemail-audit/zellic-audit.png" alt="Zellic Audit Report"/>
+
+Zellic completed an audit of our [ether-email-auth](https://github.com/zkemail/ether-email-auth) repository. This audit focused on the core functionality of our email authentication system. The audit revealed:
+
+- 1 Critical issue 
+- 4 High impact issues
+- 5 Low impact issues
+- 2 Informational findings
+
+We've addressed and fixed the critical vulnerability and all high impact issues identified in the Zellic audit:
+
+- The critical maskedSubject attack vector and timestamp bug were fixed in [email-tx-builder@1455cd2](https://github.com/zkemail/email-tx-builder/commit/1455cd221dcb0849190879911688152669e4ed36)
+- The email address and domain regexes were updated in [zk-regex@f71b30b](https://github.com/zkemail/zk-regex/pull/68/commits/f71b30bde3fc2a2ba79fe151711552882ea4e707)
+- Additional fixes were made in email-tx-builder:
+  - [e84065d](https://github.com/zkemail/email-tx-builder/commit/e84065db4fa087b8d6152bb9682de71f6676e3ff)
+  - [9deaf80](https://github.com/zkemail/email-tx-builder/commit/9deaf80435502c4d9c1a77465a0e8195f749e63d) 
+  - [e449735](https://github.com/zkemail/email-tx-builder/commit/e449735740247b65cf13920e5b5d787893b72c5e)
+  - [0b21c2a](https://github.com/zkemail/email-tx-builder/commit/0b21c2a4ea30395d92288511553c183ee0f9176c)
+  - [4e2f119](https://github.com/zkemail/email-tx-builder/commit/4e2f119a428b694c1115e59dc52cfbe278c0e494)
+  - [b7fc2f6](https://github.com/zkemail/email-tx-builder/commit/b7fc2f6fc27084bc9662403deb699c8d7aab7948)
+- As well as in [email-recovery@003123c](https://github.com/zkemail/email-recovery/commit/003123cb35fb26e993a5015c2d4069e8a40d4abd)  
+- And [zk-email-verify@d718290](https://github.com/zkemail/zk-email-verify/commit/d718290d661e0ec9519a67a1dfa6bf764a9cf322)
+
+Additionally, we've resolved several low impact issues identified in the audit.
+
+You can find the complete Zellic audit report [here](/blog-media/zkemail-audit/zellic-audit-report.pdf).
+
+## Ackee Blockchain Audit
+
+![Ackee Audit Report](/blog-media/zkemail-audit/ackee-audit.png)
+
+Ackee Blockchain performed a thorough security review of our ZK Email protocol, focusing on the [email recovery](https://github.com/zkemail/email-recovery) project. They reviewed commit [4e70316](https://github.com/zkemail/email-recovery/commit/4e7031693d8e97cfcbc42b7d063a748a0a53b952), examining contracts like [EmailRecoveryManager](https://github.com/zkemail/email-recovery/blob/main/src/EmailRecoveryManager.sol), [EmailRecoveryModule](https://github.com/zkemail/email-recovery/blob/main/src/modules/EmailRecoveryModule.sol), [UniversalEmailRecoveryModule](https://github.com/zkemail/email-recovery/blob/main/src/modules/UniversalEmailRecoveryModule.sol), and related libraries and handlers.
+
+The audit identified issues of varying severity:
+
+- High: Vulnerabilities in recovery configuration and premature guardian updates
+- Medium: Parameter check issues, DoS risks, selector collisions, arbitrary Safe recovery calls
+- Low & Informational: Code quality, gas optimizations, potential ERC-4337 violations
+
+We addressed the findings in two revisions: 
+- [88371b8](https://github.com/zkemail/email-recovery/commit/88371b81a3dd4347dac8f2a5690c1434e86ff55f) 
+- [5b26a9a](https://github.com/zkemail/email-recovery/commit/5b26a9ade08257ccfcba14fe675f5343e306aa57)
+
+For a detailed overview of the audit findings, you can access the full [Ackee Blockchain Audit Report](/blog-media/zkemail-audit/ackee-blockchain-zkemail-email-recovery-report.pdf).
+
+## ZKSecurity Audit
+
+<img src="/blog-media/zkemail-audit/zksecurity-audit.png" alt="ZKSecurity Audit Report"/>
+
+ZKSecurity performed an audit of our circuits, focusing on the [zk-email-verify](https://github.com/zkemail/zk-email-verify) library and the [zk-regex](https://github.com/zkemail/zk-regex) compiler. Their audit covered:
+
+- The implementation of the ZK proofs
+- The security of the cryptographic primitives used
+- The efficiency and optimization of the circuits
+- The correctness and security of the regex compilation process
+
+The audit revealed several important findings, including high-severity issues related to regex soundness, compiler immaturity, and vulnerabilities in SHA256 templates. Medium-severity issues were also identified, such as potential information leakage and undocumented template assumptions.
+
+We've taken these findings seriously and are working diligently to address each issue. This includes refactoring code, improving documentation, our test suite, and implementing stricter constraints where necessary. These improvements will significantly enhance the security and reliability of our ZK Email system.
+
+Through these audits, we've significantly improved the security and reliability of:
+
+1. Our core email authentication system ([email-tx-builder](https://github.com/zkemail/email-tx-builder/))
+2. The [zk-regex](https://github.com/zkemail/zk-regex) library, which is crucial for parsing and proving email content. Fixes were implemented in [95cd901](https://github.com/zkemail/zk-email-verify/commit/95cd901f915f18b0fd142098bbac4e6e19c58c79) for zk-email-verify and [5396ec4](https://github.com/zkemail/zk-regex/commit/5396ec44cdf6a4579662b9442fc11210049ab520) for zk-regex
+
+You can find the complete ZKSecurity audit report [here](/blog-media/zkemail-audit/zksecurity-audit-report.pdf).
+
+## Ongoing Audits
+
+Our security efforts continue with several ongoing audits:
+
+**ZK Email Noir Circuits**: We're currently having our Noir circuit implementations audited, which will add support for client side ZK Email proofs.
+
+We'll share the results of these audits once they are complete. These audits represent our ongoing commitment to security as we expand the ZK Email ecosystem.
+
+## Conclusion
+
+The successful completion of these audits by Matter Labs, Zellic, Ackee Blockchain, and ZKSecurity marks a significant milestone for ZK Email. It reinforces our commitment to providing a secure and reliable authentication system for the blockchain ecosystem.
+
+We want to thank our auditors for their thorough work and our community for their continued support and trust in ZK Email.
+
+For a detailed overview of the audit findings, you can access the full audit reports:
+
+- [Matter Labs Audit Report](/blog-media/zkemail-audit/matterlabs-zkemail-audit-report.pdf)
+- [Zellic Audit Report](/blog-media/zkemail-audit/zellic-audit-report.pdf)
+- [Ackee Blockchain Audit Report](/blog-media/zkemail-audit/ackee-audit-report.pdf)
+- [ZKSecurity Audit Report](/blog-media/zkemail-audit/zksecurity-audit-report.pdf)
+
+Thank you for your continued support and trust in ZK Email. We're excited about the future and the continued improvement of our technology.

src/app/content/blogsContent/zkemail.mdx

@@ -12,6 +12,7 @@ description: "Programmable provenance via server-free email verification on chai
 aliases:
   - /posts/zkemail
   - /zkemail
+ogImage: "/blog-media/zkemail/banner.png"
 ---
 
 {/* <!-- [TOC] --> */}

src/app/content/blogsContent/zkregex.mdx

@@ -14,6 +14,7 @@ aliases:
   - /zkregex
   - /posts/regex
   - /regex
+ogImage: "/blog-media/zkregex/banner.png"
 ---
 
 ZK Regex is a powerful tool to be able to general string parsing with ZK. We use it as the primary way to parse data out of emails to prove on-chain.

src/lib/index.js

@@ -119,6 +119,8 @@ export const getAllPostsMeta = async () => {
     posts.push(meta);
   }
 
+  await posts.sort((a, b) => new Date(b.date) - new Date(a.date));
+
   return posts;
 };