Worldcoin, a blockchain-based protocol that integrates both off-chain and on-chain components, a proof of humanity protocol co-founded by Sam Altman of OpenAI, recently underwent two separate security audits. The audits were conducted by Nethermind and Least Authority, two reputable audit firms, beginning in April 2023. The protocol’s implementation, which includes its use of cryptographic constructs and smart contracts, is detailed in the Worldcoin whitepaper.
Worldcoin publicly launched on July 25, 2023, with the token WLD listed on mainstream crypto exchanges including Binance and Okex. However, the launch was met with immediate criticism. The French data protection agency, CNIL, questioned the legality of Worldcoin. The United Kingdom’s Information Commissioner’s Office (ICO) considered investigating the project for potential violations of the country’s data protection laws.
The audits covered a wide range of areas, including the correctness of the implementation, potential implementation errors, adversarial actions, secure key storage, resistance to DDoS attacks, vulnerabilities in the code, protection against malicious attacks, performance issues, data privacy, and inappropriate permissions.
Nethermind focused on the protocol’s smart contracts, which include the World ID contracts, the World ID state bridge, the World ID example airdrop contracts, the Worldcoin tokens (WLD) grants contracts, and the WLD ERC-20 token contract and its associated vesting wallet. Out of the 26 items identified during this security assessment, 24 (92.6%) were fixed after the verification stage, one was mitigated, and the remaining one was acknowledged.
Least Authority, on the other hand, concentrated on the protocol’s use of cryptography, including its use of the Semaphore protocol and the enhancements made to scale the protocol in a more gas-efficient manner. These include the protocol’s cryptographic design and implementation, the Rust implementation of the semaphore protocol, and the Go implementation of the Semaphore Merkle Tree Batcher (SMTB). The team identified three issues and offered six suggestions, all of which have either been resolved or have planned resolutions.
In their report, Least Authority stated, “We found that the cryptographic component of the Worldcoin Protocol is generally well-designed and implemented.”
Some of the items identified during the audits were due to the protocol’s dependencies on Semaphore and Ethereum, such as elliptic curve precompile support or Poseidon hash function configuration.
Worldcoin aims to establish a proof of personhood that is decentralized, privacy-preserving, open-source, and accessible to everyone. For more information about the project, the Worldcoin whitepaper and related documents are available for review.
Image source: Shutterstock