According to PANews, Worldcoin, a cryptocurrency project co-founded by Sam Altman, has released an 'Orb Privacy and Security Audit Report' on its official blog. The audit was conducted by security experts Trail of Bits, whose assessment went beyond a typical security evaluation and focused on a series of privacy and functionality statements related to the Orb. The evaluation began on August 14, 2023, on a software version that was frozen on July 8, 2023, as SemVer 3.0.10. As of March 14, 2024, the current software version deployed to the Orb is 4.0.34, first released on January 17, 2024.
The audit results showed that the software configuration in the default opt-out registration process does not leak any personally identifiable information (PII) other than the 'iris code'. The audit also recommended further strengthening the configuration to enhance security. For the non-default opt-in registration process, PII is asymmetrically encrypted and stored on the Orb's SSD, and the encryption mechanism does not allow the Orb to decrypt it. The auditors did not find any known vulnerabilities or execution processes that would harm the project's objectives. Furthermore, the latest code no longer saves any data, regardless of whether the user chooses data hosting. The auditors confirmed that the Orb does not extract additional data from user devices during the registration process and only processes the QR code information provided by the user. They also pointed out potential memory safety issues in the library that scans the QR code, and replacement measures have been taken to enhance security. In addition, the user's iris code is securely processed and is not saved in the Orb's persistent storage. It is only sent to the backend in a single request, and the report pointed out that 'although this configuration can be improved to enhance security (TOB-ORB-10), a typical attacker should not be able to extract the iris code from Orb's network traffic; the attacker must control one of the trusted certificates.'