CertiK, a smart contract auditor, revealed that the operator verification process could have allowed unauthorized individuals to enter the system without a verified ID, or even without being a legitimate company.
Worldcoin is a project designed to establish the world’s largest identity and financial network as a public utility, ensuring ownership for everyone.
This is achieved through the World ID system, which serves as a privacy-focused global identity network. World ID allows users to verify their humanness online using “Proof of Personhood” while maintaining their privacy with zero-knowledge proofs.
To participate in the Worldcoin protocol, individuals need to download the World App, the first wallet app supporting the creation of a World ID.
To get their World ID Orb-verified, users visit a physical imaging device called the Orb, typically operated by independent local businesses known as Orb Operators.
CertiK said that an attacker could exploit the flaw in the Worldcoin protocol to bypass the verification process and operate an Orb without undergoing an interview or presenting proper identification.
This means that they could gain access to the system without any scrutiny, posing a significant security risk.
CertiK reported that Worldcoin's Orb operation collects users' iris information, and that only legitimate businesses are supposed to pass the strict verification required to operate an Orb. A security vulnerability in that verification was discovered, and Worldcoin's team issued a prompt fix.
Separately, the Kenyan government banned its citizens from taking part in the project, with legal action leveled against offenders.