Serious Worldcoin Bug: Anybody Could Assume Orb Operator Role

Crypto security firm CertiK recently discovered a vulnerability in the Worldcoin protocol that allowed attackers to bypass the verification process and become an Orb operators without meeting the necessary requirements.

Serious Worldcoin Bug: Anybody Could Assume Orb Operator Role

The vulnerability would have permitted anyone to become a Worldcoin Orb operator without being a legitimate company, undergoing proper ID verification, or passing a vetting interview. CertiK reported the issue to Worldcoin through standard whitehat disclosure, and the project’s security team promptly confirmed the vulnerability and issued a fix. CertiK verified that the fix effectively mitigated the threat. They plan to disclose the details of the finding and how the vulnerability was addressed in the future.

In a normal case, only legit businesses that pass the Worldcoin’s strict identification verification process can run an Orb operation, which collects user’s iris information.

CertiK

Interestingly, CertiK’s revelation came just a week after Worldcoin released a report on security audits conducted by Nethermind and Least Authority. The Nethermind audit found 26 items during the assessment, 24 of which were fixed after verification, one was mitigated, and one was acknowledged. Least Authority identified three issues and provided six suggestions, all of which have been resolved or have planned resolutions, according to Worldcoin.

As of now, both CertiK and Worldcoin have not responded to Decrypt’s requests for comment on the matter.