CertiK Discovers Serious Security Flaw in Worldcoin’s Code
Introduction
In late May, CertiK, a blockchain auditing firm, discovered a serious security flaw in Worldcoin’s code that would have allowed an unauthorized user to gain access and become an Orb operator, bypassing the stringent verification process.
The Flaw
With this flaw, CertiK adds, the intruder could have easily circumvented Worldcoin’s strict standards for becoming an Orb operator.
Rigorous Process
The process of becoming an Orb operator is rigorous and includes identity verification, vetting interviews, and meeting specific company requirements. For example, a verified Orb operator must operate a local licensed company and have a team to bring people, that is, those who have their irises scanned, into the Worldcoin ecosystem. Orb operators are compensated in stablecoins or fiat.
Potential Consequences
If the flaw had gone unnoticed, individuals who were not properly identified or screened might have been able to become Orb operators and collect sensitive iris information from users.
Immediate Action
CertiK said that the Worldcoin security team acted immediately, validating the vulnerability and implementing a fix to eliminate the threat.
Security Audit Report
On July 28, Worldcoin published a comprehensive security audit report.
Under Scrutiny
The Worldcoin protocol has come under scrutiny from the cybersecurity firms Nethermind and Least Authority, which have identified several vulnerabilities.
Addressing Vulnerabilities
The auditors analyzed vulnerable areas, developed strategies to protect against malicious behavior and attacks, and advised the implementation of defenses against malicious activity and exploitation.
The Nethermind audit, for example, revealed 26 protocol issues, most of which were successfully addressed during the verification process. The rest have been acknowledged and dealt with. Least Authority, on the other hand, identified three problems and proposed six solutions.
Commitment to Security
Worldcoin has worked hard, resolving or planning to address all identified issues in accordance with its commitment to maintaining a secure system.
Kenya Suspends Worldcoin Activities
This week, Kenya suspended all Worldcoin activities in the country. Authorities there want to investigate the risks to the public and how the data is being used.
Worldcoin, on the other hand, said it has suspended services in Kenya to manage high demand but will work with local officials to explain its privacy measures.
Expansion and Investigation
Despite this, Riccardo Massiera of Tools for Humanity, the group behind Worldcoin, said they will continue to expand where they are welcome.
Germany, France and the United Kingdom are investigating Worldcoin and determining if it complies with their databases.