The Wormhole Worldcoin World ID State Root Bridge protocol makes it possible to bridge the Worldcoin World ID state root from Ethereum to Solana. Worldcoin World ID utilizes: semaphoreThere is a single set containing the public key (or identity promise) for each verified user. Promises for this set are replicated to another blockchain, in this case Solana, where the new Merkle root is stored, allowing verified users to prove their identity.
Wormhole partnered with Ackee Blockchain Security to conduct a security review of the Wormhole Worldcoin World ID State Root Bridge protocol over a total of 11 engineering days from September 6 to September 27, 2024.
methodology
The audit began with understanding the high-level goals of the project, followed by a deeper analysis of the logic of the program. In the early stages we implemented fuzz testing, which was particularly helpful for two reasons. The goal was to increase understanding of the core concepts of the project and to start fuzzing as soon as possible to increase the likelihood of bug identification. For fuzzing we use trident. reference pull request With complete fuzz test code.
In the later stages of the audit, we focused on a manual review of the project, paying special attention to:
- Ensure that preemption is not possible during the initialization process (e.g. configuration initialization).
- Ensures that all configuration-related commands can only be executed by the relevant permissions.
- Ensures correct deserialization and serialization of command input.
- It ensures that reinitialization or denial of service is impossible while Guardian signatures are published to the Solana blockchain.
- Ensures that there is no possibility of spoofing Guardian Signatures and Guardian Set accounts when publishing new state roots on the Ethereum blockchain.
- It ensures that all published guardian signatures are verified sequentially and that signatures are not posted multiple times to artificially achieve quorum.
- Ensure that personal identity verification processes are implemented correctly and that there are no sensitive data leaks.
range
An audit has been performed on the commit. 70f034
and a6f479
The respective ranges are as follows:
Findings
The audit results are as follows:
critical severity
No critical severity issues were found.
Severity High
H1: The latest available root may be inactive and potentially undesirably removed.
medium severity
M1: Arithmetic overflow may occur during route is_active
check
M2: Missing mut
forcing
low severity
No low-severity issues were found.
warning severity
W1: Reinitializable
Information Severity
I1: Signature malleability due to accommodating high and low order S values
conclusion
The review resulted in five findings ranging from information to high severity. The most severe result, H1, indicates a possible denial of service during identity verification. In Ethereum, if there is a relatively large gap (compared to root_expiry) between newly submitted root hashes, two undesirable scenarios can occur:
Ackee Blockchain Security recommends Wormhole.
- Always ensure that there is at least one active root available for verification and avoid the possibility of all roots being removed.
- Ensure that off-chain components function properly and adhere to best security practices.
- Ensure that Guardian Set accounts stored on chain are well protected and that there is no possibility for an attacker to tamper with these accounts.
- Do not use unchecked arithmetic. Although the likelihood of exploiting unchecked arithmetic in an unintended way may be low, the potential problem still exists and can have catastrophic consequences.
Ackee Blockchain Security’s full Wormhole audit report, which includes a detailed description of all findings and recommendations, can be found here.
We were delighted to appreciate Wormhole and look forward to working with them again.