Imagine that you need to send your EVM addresses to claim a hackathon price, how many times do you check if the address is right? Imagine that you are in a restaurant and want to transfer Your friend some ETH, how convenient is it to use his EVM address? Do you know it? Do You even know Your own EVM address? We think the answer is NO! Imagine that instead of using the EVM address, You can use the email address. You know your email address, and You also know Your friends' email addresses. It’s far more convenient and also more secure because It’s easier to see a typo in an email address than in an EVM address.
The idea became a reality, with MetaMail you can link Your email address to Your EVM address in a secure and convenient way, that everyone is familiar with. This way You can now receive and send crypto to an email address. Enjoy the future of Web3 Experience.
Our first idea was to add MetaMail to Metamask using snaps. Unfortunately, it turned out to be too limited for our use case. We still created some UI views on how it could look and function if it would be integrated into Metamask.
MetaMail consists of three layers:
Designing the solution we had to think about protection against email stealing, e.g. I shouldn’t be able to register Elon Musks' email to my EVM Address.
The user flow can be divided into two paths:
When a user wants to register his EVM email alias, he is asked to sign the hashed email, that he provided. Then an oracle is redirecting him to a Google OAuth2 authentication.
The oracle then gets’ the wallet signature and the email from the OAuth2 response, he then hashes the email, and calls the registerEmail function with the signature and the calculated hash on the register smart contract. The smart contract then calculates the signer(“owner”) of the signature with ecrecover using the email hash and registers the email hash to the signer as his new email alias. With this flow, it is impossible for a user to steal someone's email, because, the email hash is provided to the smart contract based on the OAuth response, and not the user's input. To successfully pass the OAuth flow you need to have the email credentials.
The current implementation of MetaMail has one problem, for now, we have only one single oracle. It is caused by the very limited time we had to implement everything. If the oracle would be compromised it would be possible to register someone else's email as Your EVM alias.
But the issue can be resolved by implementing a DON - Decentralised Oracle Network that would validate the OAuth authentication and the registration(see: ChainLink).