Blockchain Security Firm CertiK Reveals Vulnerability in Worldcoin Protocol Allowing Unverified Orb Operator Access

Author
Ruholamin Haqshanas

Blockchain security firm CertiK has disclosed a vulnerability in the Worldcoin protocol that allowed unauthorized access for an Orb operator. 

In a recent Twitter thread, CertiK explained that the vulnerability allowed anyone to bypass the verification requirements to become an Orb operator without meeting the necessary criteria, such as being a legitimate company or passing a vetting interview. 

“Through this security vulnerability, a malicious attacker could bypass the verification and strict participation criteria of the Worldcoin Operator acceptance process,” the company wrote. 

The usual process allows only legitimate businesses that pass strict identification verification to run an Orb operation, which collects users’ iris information. 

CertiK said it reported the issue to Worldcoin through a whitehat disclosure procedure, and the project’s security team quickly addressed the vulnerability with a fix.

“CertiK has since verified and confirmed that the fix mitigated the threat,” the company wrote.

Notably, CertiK’s disclosure comes just a week after Worldcoin released a report on security audits conducted by Nethermind and Least Authority. 

The audits covered various areas, including vulnerabilities in the code that could lead to adversarial actions and other attacks, as well as protection against malicious attacks and exploitation methods.

Nethermind’s audit identified 26 items during the security assessment, of which 24 were fixed after the verification stage, one was mitigated, and one was acknowledged.

On the other hand, Least Authority discovered three issues in the protocol and provided six suggestions, all of which have either been resolved or have planned resolutions, according to Worldcoin.

Worldcoin Faces More Issues Amid Kenya Suspension

Last week, Kenya’s Ministry of the Interior issued a decree suspending Worldcoin signup, citing concerns about its activities’ authenticity, legality, security, financial services, and data protection. 

In an official announcement, the ministry said relevant agencies had begun investigating the project.

“Relevant security, financial services and data protection agencies have commenced inquiries and investigations to establish the authenticity and legality of the aforesaid activities,” interior minister Kithure Kindiki said at the time.

Worldcoin, co-founded by OpenAI CEO Sam Altman and valued at over $2 billion, aims to create a “proof-of-personhood” network by registering verified humans through eyeball scans.

The project has already received notable criticism since its debut. 

Since Worldcoin scans people’s irises and eyes to ensure that the crypto is distributed fairly, some have expressed privacy and security concerns. 

The collection of biometric data has also raised questions about how this sensitive information will be stored, protected, and potentially used.

Furthermore, some have questioned Worldcoin’s methods of obtaining consent. 

A 2022 investigation by MIT Review found that Worldcoin used deceptive marketing practices, collected more personal data than disclosed, and failed to obtain meaningful informed consent.

Just recently, it was revealed that European regulators, including the French National Commission on Informatics and Liberty (CNIL) and the Bavarian state authority in Germany, are collaborating on an investigation into the project.
