On July 28, Worldcoin released audit reports in response to increasing criticism of its data collection practices. The reports were prepared by the security consulting firms Nethermind and Least Authority.
26 security vulnerabilities found
According to an accompanying announcement from Worldcoin, Nethermind discovered a total of 26 security vulnerabilities in the protocol. Of these, 24 issues were identified as “resolved” during the verification phase, while one issue was actually resolved. Another was recognized, bringing the total to 26.
Least Authority highlighted 3 issues and made 6 suggestions for improvement, all of which were stated as “already resolved or with planned fixes,” the announcement said.
First announced in 2021
In 2021, Worldcoin first came into the limelight when it announced it would be giving away free tokens to users who would verify their humanity. This verification was accomplished by having their iris scanned using a device known as “The Orb.” The project was co-founded by Sam Altman, the co-founder of AI developer OpenAI.
At the time, Altman and other team members emphasized that AI bots would be a growing problem on the internet unless there was a way for people to verify their humanity without giving up their privacy. According to the protocol’s documentation, The Orb generates a hash of the user’s iris scan, but does not keep a copy of the actual iris scan.
On July 25, Worldcoin officially went live after nearly 2 years of development and beta testing, but the project faced criticism almost immediately. According to reports, the UK’s Information Commissioner’s Office (ICO) was deciding whether to open an investigation into the project for alleged breaches of the country’s data protection laws. The French data protection agency CNIL also questioned the legality of Worldcoin.
The launch of the project divided the crypto community, with some participants seeing it as the beginning of a dystopian future where privacy would disappear, while others saw it as a necessary step to protect humans from malicious AIs.
In response to the criticism, Worldcoin has now presented new audit reports covering various security topics, including resistance to DDoS attacks, implementation failures in specific cases, proper storage and management of encryption and signing keys, data leaks and information integrity, and other aspects. Some of the identified issues were due to dependencies on Semaphore and Ethereum, such as “support for elliptic curve precompilation or Poseidon hash function configuration,” as stated in the announcement.
Almost all of the problems have now been solved or remedied, or have planned fixes. The one security issue that was not resolved at the time of verification is classified as “undetermined” in terms of severity and listed as “acknowledged”.