Account Recovery
Social Recovery allows users to regain control of their accounts by replacing the owner key through a set of trusted Guardians, with a built-in time delay so owners can cancel unauthorized attempts.
The Candide Social Recovery Module accepts any Ethereum address as a guardian: family and friends' wallets, hardware wallets, institutions, or email/SMS cloud wallets.
How Recovery Works
Recovery replaces a lost or compromised owner key with a new one, authorized by a quorum of trusted guardians.
Guardians and Thresholds
The account owner chooses their guardians and sets a threshold: the minimum number of guardians required to approve a recovery. A typical setup is 3 guardians with a threshold of 2, ensuring no single guardian can take over the account.
Guardians can be any Ethereum address. They do not need to hold any funds, and they have no control over the account during normal operations.
The Recovery Flow
- A guardian (or the recovery service) submits a recovery request specifying new owner(s)
- Other guardians sign to approve the request until the threshold is met
- The recovery is executed, starting a grace period
- After the grace period, anyone can finalize the recovery to complete the ownership transfer
Grace Period
The grace period is a time delay between execution and finalization. It gives the current owner a window to cancel unauthorized recovery attempts. If the owner still controls the account, they can call cancelRecovery at any point during this period.
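The flow above, from guardian approvals through the grace period to finalization or cancellation, can be traced with a small in-memory model. This is an added example, not Candide's contract or SDK code: the class, its method names, the `attempt` helper and the string identifiers used in place of Ethereum addresses are all hypothetical, and it assumes only the current owner can cancel.

```javascript
// Added illustration: an in-memory model of the flow described on this page.
// NOT Candide's contract or SDK code; every name below is hypothetical.
class RecoveryModel {
  constructor(owner, guardians, threshold, gracePeriodSec) {
    if (threshold < 1 || threshold > guardians.length) throw new Error("invalid threshold");
    this.owner = owner;
    this.guardians = new Set(guardians);
    this.threshold = threshold;
    this.gracePeriodSec = gracePeriodSec;
    this.approvals = new Map(); // proposed new owner -> Set of approving guardians
    this.executed = null;       // { newOwner, finalizeAfter } once the quorum executes
  }
  // Guardian approval; a Set means a repeated signature is counted once.
  confirm(guardian, newOwner) {
    if (!this.guardians.has(guardian)) throw new Error("not a guardian");
    if (!this.approvals.has(newOwner)) this.approvals.set(newOwner, new Set());
    return this.approvals.get(newOwner).add(guardian).size;
  }
  // Execution only starts the grace period; ownership does not change yet.
  execute(newOwner, now) {
    const n = this.approvals.has(newOwner) ? this.approvals.get(newOwner).size : 0;
    if (n < this.threshold) throw new Error("threshold not met");
    this.executed = { newOwner, finalizeAfter: now + this.gracePeriodSec };
    return this.executed.finalizeAfter;
  }
  // The current owner can cancel at any point before finalization.
  cancel(caller) {
    if (caller !== this.owner) throw new Error("only the current owner can cancel");
    this.executed = null;
    this.approvals.clear();
  }
  // Anyone may finalize, but only after the grace period has elapsed.
  finalize(now) {
    if (!this.executed) throw new Error("no executed recovery");
    if (now < this.executed.finalizeAfter) throw new Error("grace period still running");
    this.owner = this.executed.newOwner;
    this.executed = null;
    this.approvals.clear();
    return this.owner;
  }
}

// Helper for experimenting: returns "ok" or the rejection reason.
function attempt(fn) { try { fn(); return "ok"; } catch (e) { return e.message; } }
```

In the model, a single guardian signing twice never reaches a threshold of 2, and an executed recovery that the owner cancels during the grace period cannot be finalized afterwards.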
Privacy
Guardians are encouraged to use fresh Ethereum addresses. This keeps their identity private and prevents malicious guardians from coordinating against the owner. Since guardians never need to hold funds or submit on-chain transactions during normal operation, fresh addresses have no cost.
Recovery Methods
The two recovery methods can be used independently or combined. For maximum security, use both: for example, a 2-of-3 setup with two personal guardians and email/SMS recovery as the third.
| | Personal Guardians | Email / SMS Recovery |
|---|---|---|
| Guardian type | Users add their own guardians | Candide signs after email/SMS OTP |
| Key management | Required (guardian private keys) | Not required |
| Best for | Trusted contacts, hardware wallets | Consumer apps, users who prefer email/SMS |
| Setup guides | Add Guardian → Recovery Flow → Alerts | Enable Email/SMS → Recovery Flow |
Getting Started
Personal Guardians
Start with Add a Guardian, then follow the Recovery Flow Guide and Recovery Alerts Guide.
Email / SMS Recovery
Start with Enable Email / SMS Recovery, then follow the Recovery Flow guide.
Resources
- How it works: Making Accounts Recoverable
- Contracts, audits & formal verification: candide-contracts
- Deployment addresses: Social Recovery Module
- Recovery frontend (SafeCover): recovery.candide.dev (source)
- Recovery Service API: Safe Recovery Services
- SDK Reference: SocialRecoveryModule