On July 28, the Proof-of-Humanity protocol Worldcoin released its audit report conducted by security consultancy firms Nethermind and Least Authority. The report comes amidst mounting criticism of the project's data collection practices. Nethermind identified 2 6 security issues with the protocol, with 24 of them being acknowledged as fixed during the validation phase. One issue was mitigated, and another was confirmed. Similarly, Least Authority found three issues and made six recommendations, all of which have either been addressed or are planned to be addressed.
Worldcoin gained attention in 2021 when it announced its plan to provide free tokens to individuals who verified their identity by scanning their iris with a device called the "Orb." The project's co-founder, Sam Altman, believed that AI bots could become a significant problem on the internet if there were no reliable ways to verify humanity without compromising privacy. The Orb generates hashes of users' iris scans but does not retain copies of the scans. After nearly two years of development and beta testing, Worldcoin launched its public offer on July 25, but it faced immediate criticism. The UK's Information Commissioner's Office (ICO) is reportedly considering investigating the project for potential breaches of data protection laws. The French data protection agency,The National Commission for Informatics and Liberty, has also raised doubts about Worldcoin's legitimacy.
The launch of Worldcoin has divided the crypto community, with some seeing it as a concerning step towards a dystopian future where privacy is compromised. Others view it as a necessary measure to safeguard humanity from malicious AI. The audit report covers various security topics, including distributed denial-of-service attack resistance, specific implementation errors, key storage, encryption and signing management, data leakage, and information integrity. Some issues were attributed to dependencies on Semaphore and Ethereum, such as "elliptic curve precompiled support or Poseidon hash function configuration." The majority of the identified issues have been addressed, mitigated, or are planned to be fixed, except for one with an undetermined severity status listed as "Confirmed" at the time of validation.
