Proof of humanity protocol Worldcoin released its audit reports on July 28 as criticism of its data collection practices continues to mount. The new reports were conducted by security consulting firms Nethermind and Least Authority.
According to an accompanying announcement from Worldcoin, Nethermind found 26 security issues with the protocol, of which 24 were “identified as fixed” during the verification phase while one was mitigated and another was acknowledged.
Least Authority discovered three issues and made six suggestions, all of which “have been resolved or have planned resolutions,” the announcement stated.
— Worldcoin (@worldcoin) July 28, 2023
Worldcoin first rose to prominence in 2021 when it announced that it would give away free tokens to any users who verify their humanness, which they could do by having their iris scanned by a device called an “Orb.” The project was co-founded by Sam Altman, the co-founder of AI developer OpenAI.
At the time, Altman and other team members argued that AI bots would become an increasing problem on the internet if people didn’t find a way to verify their humanness without giving up their privacy. According to the protocol’s documentation, The Orb produces a hash of the user’s iris scan but does not keep a copy of the iris scan.
Worldcoin initiated its public launch on July 25, after nearly two years of development and beta testing. But criticism of it erupted almost immediately. The United Kingdom’s Information Commissioner’s Office (ICO) reportedly said the government body was deciding whether to investigate the project for violating the country’s data protection laws. French data protection agency CNIL also questioned Worldcoin’s legality.
The crypto community was divided over the project’s launch, with some participants seeing it as the start of a dystopian future where privacy would be eliminated. In contrast, others saw it as a necessary step towards protecting humans against malicious AIs.
The new audit reports cover a wide variety of security topics, including resistance to DDoS attacks, case-specific implementation errors, key storage and proper management of encryption and signing of keys, data leaking and information integrity, and others. Some issues found were the result of dependencies on Semaphore and Ethereum, including “elliptic curve precompile support or Poseidon hash function configuration,” the announcement stated.
All issues except one were fixed, mitigated, or have planned fixes. The one security issue that was not fixed by the time of verification has a severity of “undetermined” and is listed as “acknowledged.”