Security risk in operator onboarding for Worldcoin's Orb: CertiK

By: Michael Wilson


August 5, 2023 9:09 AM

The smart contract auditor discovered that operator verification might have allowed users to log in even without having a confirmed ID or being a business.

CertiK revealed on X (previously known as Twitter) that the contentious Worldcoin project has a severe security issue. Worldcoin pays users to join its World ID network by uploading scans capturing their irises using a gadget known as an Orb. 

CertiK, a security platform, claims that a flaw in the operator vetting procedure might have authorized an attacker to control an Orb without having been interviewed or providing identification. "It wasn't necessary to be a company," according to the tweet.


The vulnerability was disclosed by CertiK to the Worldcoin (WLD) security team as part of "standard whitehat disclosure," and it has since been patched, the company stated. The emergence of the vulnerability might stoke the global debate about the project's security and its use of confidential information.

OpenAI creator Sam Altman's goal with this project is to help the World App wallet by eliminating bots, but critics have already called it unethical and a "dystopian nightmare." The project is closed source. Regulators have also been wary.

The project's success is dependent on widespread adoption. Millions of people worldwide have flocked to the option of selling their retinal records for roughly $50. Observers assume that the project did not receive the assistance it hoped for, yet the project's momentum has not faded.



The issue, according to the spokesman, "could allow a hacker to set up an inactive Operator account." The issue failed to enable anyone to avoid the manual review process for obtaining an Operator account, and it never provided access to Orbs or data. Within 24 hours of receiving information from CertiK, the Worldcoin security team accepted and resolved the issue, and confirmed that it had not been exploited.

In mid-July, the company claimed to be generating 400,000 new users every week, and that number has since climbed to over 545,000 at the time of writing, for a total of over 2,188,000. Over the last seven days, it reported a daily average of almost 193,000 wallet transactions.

Additionally, according to the website, 2,000 orbs have been created and 366 of those have been functional in the previous week.