Why Zero-Knowledge Proofs Can't Save Your Old Identity

Projects like Sismo and Gitcoin Passport use ZKPs to attest to off-chain data, but the underlying attestations remain centralized and gameable. The proof is trustless, but the source data isn't.

• Key Problem: Oracles and attestors are centralized points of failure.
• Key Limitation: Sybil resistance depends on the quality of the input data, not the ZK circuit.

Even with a perfect ZK proof, verification requires a trusted setup or an active verifier network. Most current implementations rely on a single prover/verifier entity, recreating the very centralization ZK aims to solve.

• Key Problem: Ethereum's L1 is the only truly decentralized verifier, but its cost is prohibitive for frequent checks.
• Key Limitation: Projects like Worldcoin demonstrate the extreme hardware centralization required for scalable verification.

ZKP-based identity systems like zkBob or Aztec provide strong privacy but sacrifice composability. A fully private identity is a black box; it cannot be selectively disclosed to dApps without breaking its privacy model.

• Key Problem: DeFi and social graphs require selective disclosure, which ZKPs handle poorly at scale.
• Key Limitation: The UX is abysmal; managing proof generation for every interaction is a non-starter for mass adoption.

Storing even hashed or committed identity state on-chain (e.g., as a zk-SNARKed Merkle root) creates permanent, unprunable bloat. This contradicts the stateless client ethos and burdens the base layer.

• Key Problem: Every new user adds ~1KB of perpetual state to the global ledger.
• Key Limitation: Systems like Polygon ID must choose between on-chain verifiability and unsustainable state growth.

A ZK proof from one chain is not natively verifiable on another. Cross-chain identity requires a verifier bridge (like LayerZero or Axelar), adding another layer of trust and latency. This fragments the identity landscape.

• Key Problem: You trade centralized Web2 logins for centralized cross-chain messaging.
• Key Limitation: Proof standardization is nonexistent; each chain ecosystem reinvents its own ZK identity wheel.

ZKP generation is computationally expensive. Requiring users to pay gas fees to prove they are human or prove their credit score creates a massive adoption barrier. Proof subsidization by apps just shifts the cost to a centralized party.

• Key Problem: ~$0.10 - $1.00 cost per proof generation makes micro-interactions economically impossible.
• Key Limitation: This favors whales and bots who can absorb costs, defeating the purpose of fair identity systems.

Proof-of-Humanity and BrightID use social graphs to fight bots, but they're just recreating Web2's centralized attestation problem. ZKPs can hide your connections, but they can't decentralize the root of trust.

• Centralized Oracles: The 'human' verdict relies on a small group of validators or your Facebook friends.
• Unscalable Verification: Manual video verification doesn't scale to billions, creating a permissioned layer.
• Static Identity: A one-time attestation says nothing about ongoing behavior or reputation.

Vitalik's SBT concept enshrines immutable on-chain records, turning every youthful mistake into permanent, non-consensual reputation. ZKPs let you selectively disclose, but the underlying data is still hostage to the issuer.

• Non-Transferable, Non-Revocable: Creates rigid, unforgiving identity silos controlled by issuing entities.
• Data Provenance Gap: A ZK proof of an SBT doesn't prove the underlying claim is true, just that it was issued.
• Privacy Illusion: While you can hide specific SBTs, the mere act of holding/using them creates a persistent correlatable footprint.

The W3C standard is elegant but fails at the last mile of adoption. ZKPs can prove you have a credential from DMV.gov, but you still need DMV.gov to issue it. This replicates the KYC bottleneck with extra steps.

• Issuer Monopolies: Trust is centralized in legacy institutions (governments, universities).
• No Network Effects: Isolated credentials have limited composability; they don't form a usable on-chain persona.
• Costly Revocation: Maintaining real-time revocation lists (CRLs) negates the off-chain data benefits, requiring constant oracle checks.

Projects like Gitcoin Passport and Orange Protocol shift from static attestations to continuously updated reputation scores aggregated from multiple sources. ZKPs here prove a score threshold without revealing sources.

• Aggregated Trust: Dilutes the power of any single issuer, creating Sybil-resistance via plurality.
• Context-Specific: A developer reputation differs from a borrower's, enabled by ZK's selective disclosure.
• Programmable Utility: Scores can be used as gatekeepers for airdrops, governance, or lending on platforms like Aave GHO without exposing raw data.

Worldcoin and Idena use biometrics and continuous captchas to generate a cryptographic uniqueness proof. The ZKP here is the core product—proving you're human without revealing which human—creating a global, permissionless Sybil-resistance primitive.

• Decentralized Root: The biometric data (iris hash) is the decentralized root, not a corporation.
• One-Proof-Fits-All: A single proof can be reused across any application (e.g., Optimism's airdrop).
• Scalable Verification: The proof verification is cheap on-chain, unlike verifying the underlying biometric.

The future is Ethereum Attestation Service (EAS) and CyberConnect: a web of lightweight, revocable attestations about specific actions. ZKPs prove graph properties (e.g., 'trusted by 3 devs') without exposing the graph. This is identity as accumulated verifiable behavior.

• Composable & Portable: Attestations from Uniswap (liquidity provider), Aave (borrower), and ENS (long-term holder) combine into a rich persona.
• User-Centric: Users hold and curate their own graph, choosing which attestations to bundle into a ZK proof.
• Protocol-Native: The identity is built from on-chain activity, not imported from legacy systems.

A ZKP can only verify the consistency of the data you feed it. If your underlying identity system relies on centralized attestations or corruptible oracles, the proof is cryptographically sound but logically worthless.

• Key Insight: ZKPs verify computation, not truth. A proof of a Sybil attack is still a valid proof.
• Action for Builders: Architect systems with decentralized, attack-resistant data sources like EigenLayer AVS operators or Pyth price feeds for off-chain data.

Storing verified claims or identity graphs on-chain for universal composability creates permanent, often redundant, data bloat. Projects like ENS and Proof of Humanity face scaling and cost challenges.

• Key Metric: Storing a simple claim can cost ~$1-5 in gas and ~5-10KB of state bloat per user.
• Action for Investors: Favor protocols using zkRollups (like Starknet, zkSync) for state management or off-chain storage with on-chain verification (like Ceramic Network).

Full anonymity via ZKPs (e.g., Tornado Cash) breaks the social layer and compliance rails necessary for most mainstream applications. Pure privacy kills sybil resistance and legal interoperability.

• Key Tension: You cannot have fully private, fully accountable, and globally composable identity simultaneously.
• Action for Builders: Implement selective disclosure ZK schemes (like Sismo's ZK Badges) or privacy-preserving KYC (zkPass, Polygon ID) to navigate this trilemma.

The security of a ZK system depends on a trusted setup and a live, honest verifier. Centralized verifier services create a single point of failure and censorship, negating decentralization benefits.

• Key Risk: A malicious or coerced verifier can reject valid proofs, bricking the application.
• Action for Investors: Audit for verifier decentralization. Support projects using decentralized prover networks (Risc Zero, Succinct) or Ethereum's L1 as the ultimate verifier.

A ZK proof from one system (e.g., Worldcoin's proof of personhood) is not natively understood by another. Without standardized proof formats and schema registries, you create new walled gardens.

• Key Challenge: Each protocol implements its own circuit logic and verification keys, fragmenting the identity landscape.
• Action for Builders: Adopt emerging standards like EIP-712 for typed data, W3C Verifiable Credentials, or cross-chain attestation protocols (Hyperlane, Wormhole).

Generating ZKPs is computationally expensive. Requiring users to pay ~$0.10-$1.00 per proof for frequent actions (social logins, votes) is a non-starter for mass adoption.

• Key Cost: Proving time and cost scale with circuit complexity. A simple credential proof can take 2-10 seconds and cost significant gas.
• Action for Investors: Back teams innovating in proof aggregation (Nebra), parallel proving, or subsidized proof economies via account abstraction (ERC-4337) paymasters.