SharkTeam: Worldcoin Operational Data and Business Security Analysis

SharkTeam
Worldcoin Project Security Analysis Report.

Worldcoin's whitepaper states that Worldcoin aims to build a new digital economic system that connects people globally, initiated by OpenAI founder Sam Altman in 2020. It seeks to create a fairer, more open, and inclusive economic system in the Web 3 world through blockchain technology, empowering everyone with ownership. It also aims to ensure a basic living guarantee for every person worldwide, improve universal basic income, and embrace a future of shared prosperity. On July 24, 2023, Sam announced the official launch of Worldcoin on the Twitter social platform.

1. Worldcoin fundamentals

1.1 Business Model

Worldcoin consists of three components: Global Digital Identity (World ID), Global Digital Cryptocurrency (WLD), and a wallet (World App) that can carry and utilize World ID and WLD. In addition, through blockchain technology, Worldcoin will support the development of smart contracts and decentralized applications (DApps).

In June 2021, Worldcoin was first publicly announced and completed a $25 million financing round, with investors including a16z, Coinbase Ventures, LinkedIn founder Reid Hoffman, and Day One Ventures. In May 2023, Worldcoin completed a $115 million Series C financing round, led by Blockchain Capital, with participation from a16z, Bain Capital Crypto, and Distributed Global, reaching a valuation of $3 billion.

Worldcoin revolves around the narrative of the World ID identity recognition system built on biometric technology. Users can obtain their World ID by scanning their irises with the biometric device Orb to prove their identity. Worldcoin claims to protect user privacy through zero-knowledge proof. In recent years, the rapid development of artificial intelligence has raised concerns about being replaced by AI. Therefore, authentic and unique human identity verification has become a crucial issue. Worldcoin presents a concept called "Proof of Personhood" (PoP), which utilizes the biometric device Orb to verify users' biological information through iris scanning and ensures participants' privacy through zero-knowledge proof. This offers a solution to distinguish between humans and AI for the future of humanity.

In the whitepaper, World ID is defined as the digital identity passport for the crypto economy. Currently, global interactions in the digital economy are difficult to achieve. Worldcoin aims to enable everyone worldwide to obtain a World ID at any time and participate in the global digital economy and digital governance. If successful in the future, Worldcoin participants can hold and directly manage digital currencies, enabling instant and borderless fund transfers without the need for third-party institutions. In urgent situations, such as during the previous Ukrainian refugee crisis, direct assistance can be provided through the digital currency USDC, which has a profound impact on cross-border financial transactions and greatly improves transaction efficiency.

1.2 Technical Implementation

1.2.1 How to Register World ID


Figure 1: Core components and interaction flow of the Worldcoin ecosystem

For a user to obtain a World ID, the flow in Figure 1 involves the following steps:

  • Download the World App

  • Locate the nearest operator to obtain the biometric hardware Orb

  • Use the Orb to capture iris images. The Orb device confirms that the person is human and unique, converts the iris image into a hash value (the iris code) using neural networks, and sends it to the registration server

  • The uniqueness service verifies that this code is different enough from previous codes and sends the identity commitment to the signup sequencer

  • The sequencer server inserts the public key of the user's identity proof onto the Merkle tree on the Ethereum mainnet

  • The user obtains one and only one World ID

In summary, the user scans their iris through the Orb, and the Orb and the World App verify that the user is a real person and that the iris code is different from those of all other users of the system. A unique key is then placed on the list, and the user obtains a World ID as their identity credential in the Worldcoin ecosystem. If the user is a bot, no key can be placed on the list, and therefore no World ID can be obtained.
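The registration flow above, as an added Python model that is not Worldcoin's code: the Orb's iris code is modelled as a 256-bit integer, "different enough" as a Hamming-distance threshold (an assumed 30% of bits), and the on-chain list as a fixed-depth SHA-256 Merkle tree of identity commitments. The tree depth, the threshold and all function names are assumptions made for this illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

CODE_BITS = 256
UNIQUENESS_THRESHOLD = 0.30   # assumed: fraction of differing bits that counts as a new person
TREE_DEPTH = 4                # assumed: 16 leaves, enough for a demonstration


def hamming_fraction(a: int, b: int) -> float:
    """Fraction of bit positions in which two iris codes differ."""
    return bin(a ^ b).count("1") / CODE_BITS


def iris_code_from_scan(scan_bytes: bytes) -> int:
    """Stand-in for the Orb's neural-network feature extractor. A real extractor
    maps similar irises to nearby codes; SHA-256 does not, so it only serves to
    produce fixed-length codes for constructed inputs here."""
    return int.from_bytes(hashlib.sha256(scan_bytes).digest(), "big")


@dataclass
class SignupSequencer:
    """Uniqueness service (registered iris codes) plus the Merkle tree of
    identity commitments that the text describes as the on-chain list."""
    depth: int = TREE_DEPTH
    codes: List[int] = field(default_factory=list)
    leaves: List[bytes] = field(default_factory=list)

    def is_unique(self, code: int) -> bool:
        return all(hamming_fraction(code, c) >= UNIQUENESS_THRESHOLD for c in self.codes)

    def register(self, code: int, is_human: bool) -> Optional[bytes]:
        """Returns the identity commitment on success, None when no key is listed."""
        if not is_human:                       # Orb liveness check failed: bot, no key
            return None
        if not self.is_unique(code):           # same or near-identical iris already enrolled
            return None
        if len(self.leaves) >= 2 ** self.depth:
            return None                        # tree full
        # Only a commitment enters the tree; the secret stays on the user's device
        # and the iris code itself is never linked to it.
        identity_secret = secrets.token_bytes(32)
        commitment = hashlib.sha256(b"commitment" + identity_secret).digest()
        self.codes.append(code)
        self.leaves.append(commitment)
        return commitment

    def root(self) -> bytes:
        """Merkle root over the commitments, padding empty slots with zero leaves."""
        level = self.leaves + [bytes(32)] * (2 ** self.depth - len(self.leaves))
        while len(level) > 1:
            level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                     for i in range(0, len(level), 2)]
        return level[0]

    def contains(self, commitment: bytes) -> bool:
        return commitment in self.leaves
```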

1.2.2 Orb

In order to effectively distinguish real humans from virtual individuals or AI users, Worldcoin's iris biometric technology requires a hardware device called the Orb, which is composed of two hemispheres and has two core technologies: iris image capture and iris image processing. It collects the user's iris and performs identity verification as a form of biometric recognition.

Worldcoin states that, in order to protect users' privacy and security, it handles the data in two ways. First, the algorithm that computes the iris code runs locally on the Orb against the scanned iris image, after which the image is deleted and only the participant's iris code is output. This code is not associated with any user information and is not linked to the user's crypto wallet (Ethereum wallet). Second, Worldcoin allows participants to permanently delete their raw biometric data (iris images).

It is worth noting that the Orb iris scanning identity authentication has exposed some hidden dangers in practical operation and promotion. For example, in Southeast Asia, Africa, and other places, issues related to Orb data trading have already emerged. For about $30, one can purchase an iris verification account on the black market. Village residents who scan their irises to complete World App registration are rewarded with $20. After the official launch of Worldcoin, the privacy and security of iris data have been investigated by regulatory authorities in some countries. At the current stage, the Orb iris scanning biometric hardware used by Worldcoin is operated by the Worldcoin Foundation, and the hardware lacks complete decentralization. Therefore, even if the software layer is perfect and fully decentralized, the Worldcoin Foundation still has the ability to insert backdoors into the system and create arbitrary fake human identities. Further verification is needed for Orb in terms of data security and privacy protection.

1.2.3 World App Security (Android version)

In security testing of the following version of the World App, we discovered the security risks listed below.

App Name: World App

Version: V 2.2.0.6

Package Name: com.worldcoin

SHA 256: fe8c50821cf4b8dc434221532c1847ba4af63f4a99926a9487c6d0378dbf386d

(1) Malicious Code Injection Vulnerability

An attacker can inject malicious code into the APK, recompile it into a pirated app, and release it online for phishing attacks. In the test, we injected code to obtain the contact list, which can be uploaded to a private server. It can also upload various information such as phone albums, files, account passwords, etc. to the private server, resulting in privacy breaches and stolen account assets.


(2) Source Code Leakage Risk

Although obfuscation is applied to some package names, the code inside the classes is still clear and readable, posing a risk of cracking and vulnerability exploitation.


(3) Risk of Resource File Leakage

The main resources in the app's assets and res directories are not protected and can be freely modified and exploited.

(4) Risk of Local Data Leakage

In the app, important data such as account passwords and keys are stored locally without encryption, in storage such as SharedPreferences files and databases, making them vulnerable to malicious programs that gain access to those files.


(5) Hook Debugging Risk

By using a Hook framework, attackers can bypass system restrictions, modify code released by others, simulate calling hidden APIs, obtain data information in processes, and insert malicious code, etc.


In general, the World App client, as a financial application, lacks effective security protections, and its risk level is relatively high.

1.3 WLD Token Economics

1.3.1 Utility of WLD

Worldcoin (WLD) is an ERC-20 token. Users who confirm their unique human identity through the Orb in the World App receive WLD grants on the Optimism mainnet. Worldcoin states that in the future, users will be able to use WLD for payments, remittances, transfers, service fees, buying and selling goods, and other services in the World App or other wallet applications. In addition, WLD has community governance features, combining the one-person-one-vote mechanism of World ID with the one-token-one-vote mechanism to create a new governance model. After the project launch, the Worldcoin Foundation will solicit opinions from the community and discuss how World ID and WLD can interact under the new governance model.

Although WLD has both payment and governance scenarios, there are also security risks. In the early stage, the distribution of WLD was very centralized, with the top 6 addresses holding over 90% of the total supply.

1.3.2 WLD Total Supply and Distribution

Worldcoin token has a total supply of 10 billion tokens within 15 years after launch. After 15 years, if users activate the inflation mode through governance, the maximum annual inflation rate is 1.5%. The maximum circulating supply at the initial launch is 143 million WLD tokens, with 100 million tokens lent to an overseas market maker (loan period of 3 months) and 43 million tokens allocated to users who verified with Orb during the Pre-Launch phase of the project. In the future, 75% of the tokens will be distributed to the Worldcoin community, while the remaining 25% will be allocated to TFH (Tools for Humanity, the World App development team) and the initial team. Among these, the development team accounts for 9.8% and investors account for 13.5%. Additionally, 1.7% of WLD tokens are reserved for future TFH development as reserves (specific allocation details shown in Figure 2).


Figure 2: Initial distribution of Worldcoin tokens

Before Worldcoin achieves decentralization and self-sufficiency, the Worldcoin Foundation will support the Worldcoin ecosystem by distributing 75% of the tokens to three groups within the community. The first group is user grants, with a target allocation of 60% or more, including 1 welcome grant and regular grants during phases (also known as Genesis Grants). The first phase (usually within the first week of launch) is 25 WLD tokens, and the Genesis Grants for each subsequent phase are expected to decrease over time.

Worldcoin has designed an ideal token distribution model (shown in Figure 3), but there are currently many uncertainties such as the number of new user verifications per week, Worldcoin user usage, and the number of merchants.


Figure 3: Token Allocation Model

1.3.3 WLD Unlocking & Release

The WLD release model has two characteristics: user grants are not locked, while team and investor tokens are locked. Figure 5 shows the WLD unlocking plan for the next 15 years. During these 15 years, the release rate of WLD tokens to the Worldcoin community will be determined by governance allocation, with the main factor being the growth rate of Worldcoin users. Figure 4 presents the earliest time for token unlocking; out of the 10 billion tokens, 7.5 billion are allocated to the community and 2.5 billion to TFH and the initial team. The release model for the community's WLD tokens varies by time period, as shown in Table 2.


Figure 4: WLD Token Release Model

| Time period | WLD release quantity (billion) | Release total (billion) |
|---|---|---|
| Formal start | 0.500 | 0.500 |
| Start - Year 3 end | 3.500 | 4.000 |
| Year 4 start - Year 6 end | 1.750 | 5.750 |
| Year 7 start - Year 9 end | 0.875 | 6.625 |
| Year 10 start - Year 15 end | 0.875 | 7.500 |


Table 2: Worldcoin community's WLD release model for each time period in the next 15 years

Within each time period the release rate is constant, but it differs between periods: release is faster in the earlier years and becomes more gradual after year 10. According to ChainAegis data analysis, as of August 2nd, the total WLD release has reached 5.29 billion.

1.3.4 Worldcoin smart contract security

Although the Worldcoin smart contract has undergone auditing, there are still some risks in terms of permissions and centralization in the contract.

In the World ID contract, the WorldIDIdentityManagerImplV1 contract inherits the Ownable2StepUpgradeable contract from openzeppelin. It defines the centralized account _owner and the onlyOwner modifier that restricts function calls to only the _owner account.


In the WorldIDIdentityManagerImplV1 contract, the onlyOwner modifier is used in multiple places, especially in functions that involve setting and modifying certain state variables. For example, for functions related to stateBridge, the function can only be called effectively by _owner under certain conditions.


There are also other functions related to contract state settings and modifications. These functions must be called by the _owner account and are closely related to the contract's operational state and asset security. If the private key of the _owner account is maliciously compromised, it can cause significant economic losses and even devastating impact on the entire contract or project. Therefore, properly safeguarding the private key of high-privileged centralized accounts, such as _owner, is a crucial consideration for project teams.

In addition, other technical measures can be used to mitigate and address such centralization risks. These measures include, but are not limited to:

(1) Using m-n multi-signature, where only m out of n accounts need to approve a transaction for it to be executed.

(2) Adding a time lock before executing a transaction, so that the transaction can only be executed after a certain period of time. This allows other accounts to review the transaction for potential risks. Only secure transactions can be executed successfully.

(3) Using a DAO (Decentralized Autonomous Organization) mechanism, along with mechanisms such as time locking, can completely address the centralization risks in the contract. However, precautions should also be taken to prevent vulnerabilities in the DAO, such as flash loan attacks and governance attacks.
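The onlyOwner risk described above and mitigations (1) and (2), as an added Python model that is not the WorldIDIdentityManagerImplV1 contract: the same privileged setting is placed first behind a single key and then behind an m-of-n approval set plus a minimum delay, so that one compromised key can neither change state alone nor change it before watchers have a review window. Signer names, threshold and delay are constructed values.

```python
from dataclasses import dataclass, field


@dataclass
class Proposal:
    new_value: str
    created_at: int
    approvals: set = field(default_factory=set)
    executed: bool = False


class GovernedSetting:
    """A security-critical setting (e.g. a bridge address) under two regimes:
    set_immediately() mirrors an onlyOwner setter; propose/approve/execute
    mirrors an m-of-n multisig guarded by a time lock."""

    def __init__(self, signers, threshold: int, min_delay: int, value: str = ""):
        assert 0 < threshold <= len(signers)
        self.signers = frozenset(signers)
        self.threshold = threshold          # m of n
        self.min_delay = min_delay          # seconds before execution is allowed
        self.value = value
        self.proposals = {}                 # proposal id -> Proposal
        self.events = []                    # what monitoring would see on-chain

    def _require_signer(self, caller: str) -> None:
        if caller not in self.signers:
            raise PermissionError("not an authorised key")

    # Single-key pattern: any one compromised key flips the setting at once.
    def set_immediately(self, caller: str, new_value: str) -> str:
        self._require_signer(caller)
        self.value = new_value
        return self.value

    # Mitigated pattern, step 1: announce the change and start the clock.
    def propose(self, caller: str, pid: str, new_value: str, now: int) -> None:
        self._require_signer(caller)
        if pid in self.proposals:
            raise ValueError("duplicate proposal id")
        self.proposals[pid] = Proposal(new_value, now, {caller})
        self.events.append(("proposed", pid, new_value, now + self.min_delay))

    # Step 2: other keys review and approve; approvals are a set, so one key
    # cannot count twice.
    def approve(self, caller: str, pid: str) -> int:
        self._require_signer(caller)
        self.proposals[pid].approvals.add(caller)
        return len(self.proposals[pid].approvals)

    # Step 3: execution needs both the threshold and the elapsed delay.
    def execute(self, pid: str, now: int) -> str:
        p = self.proposals[pid]
        if p.executed:
            raise ValueError("already executed")
        if len(p.approvals) < self.threshold:
            raise PermissionError(f"{len(p.approvals)}/{self.threshold} approvals")
        if now < p.created_at + self.min_delay:
            raise PermissionError("timelock still active")
        p.executed = True
        self.value = p.new_value
        self.events.append(("executed", pid, p.new_value, now))
        return self.value
```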

2. Operation Data

2.1 Registration Status

From May 2021 to July 2023, more than 2 million people have verified their World ID through the Orb device in over 30 countries. The specific distribution is shown in the chart below (Figure 5). It is obvious that most of the authenticated users come from developing countries, with Asia and Africa having the highest proportion, both exceeding 30%. On July 25th, Worldcoin tweeted that they will expand to 1,500 available Orbs in over 35 cities globally in the summer and autumn of this year.


Figure 5: Global Orb authentication user distribution (provided by TFH)

According to ChainAegis data, as of August 5th, 408,721 wallets on the Optimism chain hold WLD tokens, a 148% increase compared to July 25th. The largest address alone holds over half of the supply (57%), and the top 100 holders collectively own 95.08% of WLD.

2.2 Transaction Status

2.2.1 Price, Circulation, and Market Cap

On July 24th, after Worldcoin opened, the price immediately surged, reaching a high of $3.58. However, within the first 24 hours after the release, it continued to decline, reaching a low of $1.66. After experiencing significant fluctuations for two days, the price stabilized around $2.3 and showed a slight upward trend (Figure 6). The trading volume of WLD reached its peak of 647 million within the first 24 hours after release. As the topic of Worldcoin cools down and various governments implement regulatory policies, along with the impact of negative news coverage, users maintain a rational attitude towards WLD, and the trading volume has been declining daily, reaching 114 million on August 2nd.


Figure 6: WLD daily trading circulation data


Figure 7: WLD daily liquidity indicator (this indicator = trade volume / market cap)

In order to analyze the relationship between trade volume and market cap, the concept of liquidity indicator is introduced here. Obviously, the liquidity of WLD has significantly declined and dropped below 0.5 at the end of July, with a slight increase on August 2nd. Overall, WLD has lower liquidity compared to other mainstream cryptocurrencies due to its short time since launch, and its price is also more unstable.

2.2.2 WLD Trading Situation


Table 3: Top 10 WLD trading pairs by volume (all WLD/USDT), with trading prices, volumes, and depth data for the 24 hours to August 3rd

Table 3 shows the top rankings of trading volumes for WLD in the past 24 hours on August 3rd, all of which are WLD/USDT trading pairs. The highest trading volume is for WLD/USDT on Binance, reaching 19.97 million US dollars.

To observe WLD over a longer period, we selected the centralized exchange Binance and the decentralized exchange Uniswap to examine the daily trading situation. Binance has a large trading volume, especially for the WLD/USDT trading pair, which ranked first in daily trading volume, reaching a peak of 44 million on the first day and then gradually declining to below 5 million. There was a slight increase in early August, but the momentum was not strong (see Figure 8). The WLD/BTC trading volume is much smaller than WLD/USDT, and the trading trends are similar (see Figure 9). Uniswap V3 had a less explosive start compared to centralized exchanges on the day of release, but it showed a significant increase in trading volume in the three days following the stable release, particularly on the OP chain (see Figures 10 and 11).

![Figure 8: WLD/USDT trading situation on Binance](https://app.chainaegis.com/gateway/report/api/applet/v2/homePage/sharkTeam/pic/20230808135258799image.png)

![Figure 9: WLD/BTC trading situation on Binance](https://app.chainaegis.com/gateway/report/api/applet/v2/homePage/sharkTeam/pic/20230808135322114image.png)


Figure 10: WLD/USD trading situation on Uniswap V3


Figure 11: WLD/USD trading situation on Uniswap V3

3. Global Regulation

Since its official launch, Worldcoin has been investigated by regulatory authorities in various countries. The specific timeline of events and distribution of investigation agencies are shown in Figure 12.

(1) On the second day of Worldcoin's release, the United Kingdom announced a review of Worldcoin.

(2) The French privacy regulator CNIL expressed doubts about the legality of Worldcoin's biometric data collection and storage, and announced an investigation.

(3) Considering that the data being processed is biometric iris data, which is sensitive and will be widely covered in the future, the German data regulatory authority announced an investigation at the end of July.

(4) Kenya is the core region where the Worldcoin project was launched. After the launch, local financial, security, and data protection agencies started investigating it on August 2nd. The Kenyan Ministry of Interior also announced the suspension of Worldcoin's operations on its Facebook page.

(5) Members of right-wing political parties in Germany expressed that the biometric devices used by Worldcoin are not related to healthcare but are for global surveillance. This surveillance is permanent and involves scanning various aspects of individuals' lives, such as daily behavior patterns and shopping habits.


Figure 12: Timeline of investigations by regulatory authorities of various countries on the Worldcoin project

4. Summary

Worldcoin, as a decentralized project, has a broad vision and ambition to revolutionize the Web 3 world and the digital economy through identity verification and fair airdrops. Its technological basis, the Orb and the PoP mechanism, provides certain advantages in fraud prevention and scalability compared to traditional identity authentication mechanisms. However, privacy and security risks persist, and it is also subject to scrutiny from regulatory authorities in various countries. Continuous optimizations and improvements are required. Currently, the project is still in its early stages and will be influenced by various factors in the future, such as the production of hardware devices at scale, user acceptance of new biometric technologies, and the feasibility of government regulatory policies in different regions.

In the future, the integration of encryption technology, big data, and AI technology will be necessary to provide more efficient technical support and ensure security and privacy. This is crucial to truly accommodate more users and diverse use cases, and to realize the vision of bringing billions of people worldwide into the Web 3 domain and the era of the digital economy.

About Us

The vision of SharkTeam is to comprehensively protect the security of the Web 3 world. The team consists of experienced security professionals and senior researchers from around the world, proficient in the underlying theories of blockchain and smart contracts, providing services including smart contract audits, on-chain analysis, emergency response, etc. We have established long-term partnerships with key participants in various fields of the blockchain ecosystem like Polkadot, Moonbeam, Polygon, OKC, Huobi Global, imToken, ChainIDE, etc.

Official Website: https://www.sharkteam.org

Original article, author: SharkTeam. For reprints, content collaboration, or reporting, please contact report@odaily.email; illegal reprinting will be punished by law.
