We're excited to announce that Self Protocol has successfully completed a security audit conducted by zkSecurity. This step was crucial in ensuring the security of the deployment of Self protocol initiated in February, and pave the way for its next improvements.

Why this audit

Self aims to break the deadlock applications face in identity verification. Currently, they have to choose between obsolete and intrusive KYC solutions that are vulnerable to deepfakes, and soft spam prevention mechanisms that don’t provide compliance and let token distributions be heavily targeted by bots.

To ensure Self addresses those issues and paves the way for reliable and privacy-preserving identity verification, we had to ensure two core features:

• Security: Attackers shouldn’t be able to register in Self without the proper identity documents.

• Privacy: Personal information should remain in the user’s control and never be stored or exposed.

About this audit

For three weeks, auditors from zkSecurity reviewed and tested our code, while our team addressed their recommendations. It focused on three key components of our protocol:

1. Core Cryptographic Dependencies: Including changes to RSA libraries, RSA-PSS implementation, and ECDSA implementation.

2. Protocol Circuits and Smart Contracts: The main circuits of Self, that prove passport authenticity and allow for selective disclosure.

3. Proof Delegation via Trusted Execution Environments (TEEs): The logic for delegating user proofs to Secure Hardware Enclaves.

The full audit report is available here.

What's Next

With this successful audit, Self Protocol continues its mission to provide essential infrastructure for verifying human identity while preserving individual privacy. It clears the path for future upgrades like support for active authentication, face matching, and support for new identity documents.

To learn more about Self Protocol or to integrate our SDK, visit docs.self.xyz.