Worldcoin, a blockchain-based protocol, has recently undergone two separate security audits conducted by renowned audit firms Nethermind and Least Authority. The audits began in April 2023 and focused on various aspects of the Worldcoin protocol, including its cryptographic constructs, smart contracts, and resistance to potential attacks. The results of these audits have now been made public, demonstrating Worldcoin’s commitment to transparency and security.
Worldcoin’s protocol, which includes both off-chain and on-chain components, is based on Semaphore from the Ethereum PSE group. The protocol’s implementation, including its use of cryptographic constructs and smart contracts, is documented in the Worldcoin whitepaper.
The Scope of the Audits
The audits covered a broad range of areas, including the correctness of the implementation, common and case-specific implementation errors, adversarial actions, secure key storage, and resistance to DDoS attacks. Other focus areas included potential vulnerabilities leading to adversarial actions, protection against malicious attacks, performance issues, data privacy, and inappropriate permissions.
Nethermind’s audit focused on the protocol’s smart contracts, which include the World ID contracts, the World ID state bridge, the World ID example airdrop contracts, the Worldcoin tokens (WLD) grants contracts, and the WLD ERC-20 token contract and its associated vesting wallet. Of the 26 items that surfaced during this security assessment, 92.6% (24) were identified as fixed after the verification stage, while one was mitigated and the remaining one was acknowledged.
Least Authority, on the other hand, concentrated on the protocol’s use of cryptography. This included the Semaphore protocol and the enhancements made to scale the protocol in a more gas-efficient manner. The team identified three issues and offered six suggestions, all of which have either been resolved or have planned resolutions. The Least Authority report stated, “We found that the cryptographic component of the Worldcoin Protocol is generally well-designed and implemented.”
In some cases, items identified were due to the protocol’s dependencies on Semaphore and Ethereum, such as elliptic curve precompile support or Poseidon hash function configuration.
The Backstory of Worldcoin
Worldcoin first rose to prominence in 2021 when it announced that it would give away free tokens to any users who verify their humanness, which they could do by having their iris scanned by a device called an “Orb.” The project was co-founded by Sam Altman, the co-founder of AI developer OpenAI. At the time, Altman and other team members argued that AI bots would become an increasing problem on the internet if people didn’t find a way to verify their humanness without giving up their privacy. According to the protocol’s documentation, the Orb produces a hash of the user’s iris scan but does not keep a copy of the iris scan.
Controversies and Criticisms
Worldcoin initiated its public launch on July 25, after nearly two years of development and beta testing. But criticism of it erupted almost immediately. The United Kingdom’s Information Commissioner’s Office (ICO) reportedly said it was deciding whether to investigate the project for violating the country’s data protection laws. French data protection agency CNIL also questioned Worldcoin’s legality. The crypto community was divided over the project’s launch, with some participants seeing it as the start of a dystopian future where privacy would be eliminated. In contrast, others saw it as a necessary step towards protecting humans against malicious AIs.
Worldcoin aims to establish a proof of personhood that is decentralized, privacy-preserving, open-source, and accessible to everyone. The successful completion of these audits is a significant step towards achieving this goal, demonstrating the robustness and security of the Worldcoin protocol.