Wormhole Worldcoin World ID State Root Bridge protocol enables the bridging of the Worldcoin World ID state root from Ethereum to Solana. The Worldcoin World ID utilizes Semaphore, with a single set containing public keys (or identity commitments) for each verified user. A commitment to this set is then replicated to other blockchains, in this case to Solana, where the new Merkle root is stored, allowing verified users to prove their personhood.


Wormhole engaged Ackee Blockchain Security to perform a security review of the Wormhole Worldcoin World ID State Root Bridge protocol for a total of 11 engineering days in a period between September 6 and September 27, 2024.

METHODOLOGY

The audit began by understanding the high-level goals of the project, followed by a deep dive into the program’s logic. In the initial phase, we implemented fuzz tests, which were particularly helpful for two reasons: to enhance our understanding of the project’s core concepts and to begin fuzzing as early as possible, increasing the likelihood of identifying bugs. For fuzzing, we used Trident. See the Pull Request for the complete fuzz test code.


In the later stages of the audit, we shifted focus to a manual review of the project, paying special attention to the following:

  • ensuring there is no frontrunning possible during the initialization process (e.g. Config Initialization);
  • ensuring all Config-related instructions can only be executed by the associated authority;
  • ensuring correct deserialization and serialization of instruction inputs;
  • ensuring that no reinitialization or denial of service is possible during the posting of Guardian Signatures to the Solana blockchain;
  • ensuring there is no possibility of spoofing the Guardian Signatures and Guardian Set accounts when posting a new state root from the Ethereum blockchain;
  • ensuring all posted Guardian Signatures are verified in a sequential order and that no signature can be posted multiple times to achieve quorum artificially;
  • ensuring the Proof of Personhood verification process is correctly implemented and that no sensitive data leaks are present.

SCOPE

The audit was performed on commits 70f034 and a6f479 respectively; the scope was the following:

FINDINGS

Here are the findings from our audit.

Critical severity

No critical severity issues were found. 

High severity

H1: The latest available root may be inactive and potentially undesirably removed

Medium severity

M1: Possible arithmetic overflow during root is_active check
M2: Missing mut constraint

Low severity

No low severity issues were found. 

Warning severity

W1: Possible Reinitialization

Information severity

I1: Signature Malleability due to accepting S values with high and also low order

CONCLUSION

Our review resulted in 5 findings ranging from Info to High severity. The most severe finding, H1, presents the potential for a denial of service during the verification process of proof of personhood. If there are relatively large gaps (compared to the root_expiry) between newly submitted root hashes from Ethereum, two undesirable scenarios can arise.


Ackee Blockchain Security recommends Wormhole:

  • ensure that there is always at least one active root available for verification, and prevent the possibility of all roots being removed;
  • ensure that the off-chain components are functioning correctly and adhere to best security practices;
  • ensure that the Guardian Sets accounts stored on-chain are well protected, and there is no possibility for an attacker to tamper with these accounts;
  • avoid using unchecked arithmetic. Although the likelihood of exploiting unchecked arithmetic in unintended ways may be low, potential issues still exist and could lead to catastrophic outcomes.
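As an added illustration of the H1 and M1 findings and of the first and last recommendations above, the following Rust model shows one way a root history can keep the newest root active regardless of its age, never prune it, and use checked arithmetic in the expiry check. This is a constructed example, not Wormhole's program code: the RootHistory and RootEntry types, the posted_at field, the root_of helper and the "posted_at + root_expiry" expiry semantics are all assumptions made for the illustration.

```rust
/// Constructed model of a posted-root history (not the Wormhole program's own code).
/// Each entry records a 32-byte Semaphore Merkle root and when it was posted.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct RootEntry {
    pub root: [u8; 32],
    pub posted_at: u64, // assumed: a timestamp in seconds
}

#[derive(Debug, PartialEq, Eq)]
pub enum RootError {
    Overflow, // posted_at + root_expiry does not fit in u64
    Unknown,  // the root was never posted
}

/// Roots are pushed in the order they were posted, so the last element is the newest.
#[derive(Default, Debug)]
pub struct RootHistory {
    pub entries: Vec<RootEntry>,
}

impl RootHistory {
    pub fn post(&mut self, root: [u8; 32], posted_at: u64) {
        self.entries.push(RootEntry { root, posted_at });
    }

    /// Is `root` usable for verification at time `now`?
    /// - The newest root is always active, however old it is, so a long gap
    ///   between Ethereum submissions cannot leave the bridge with no active root.
    /// - Older roots stay active for `root_expiry` seconds after posting.
    /// - The expiry time is computed with checked arithmetic: an overflow is
    ///   reported as an error instead of silently wrapping around.
    pub fn is_active(&self, root: &[u8; 32], now: u64, root_expiry: u64) -> Result<bool, RootError> {
        let idx = self
            .entries
            .iter()
            .position(|e| &e.root == root)
            .ok_or(RootError::Unknown)?;
        if idx + 1 == self.entries.len() {
            return Ok(true);
        }
        let expires_at = self.entries[idx]
            .posted_at
            .checked_add(root_expiry)
            .ok_or(RootError::Overflow)?;
        Ok(now < expires_at)
    }

    /// Drop expired roots but never the newest one, so at least one active root
    /// always remains. Returns the number of roots removed.
    pub fn prune(&mut self, now: u64, root_expiry: u64) -> Result<usize, RootError> {
        let latest = match self.entries.last() {
            Some(e) => e.clone(),
            None => return Ok(0),
        };
        let mut kept: Vec<RootEntry> = Vec::new();
        for e in &self.entries[..self.entries.len() - 1] {
            let expires_at = e.posted_at.checked_add(root_expiry).ok_or(RootError::Overflow)?;
            if now < expires_at {
                kept.push(e.clone());
            }
        }
        kept.push(latest);
        let removed = self.entries.len() - kept.len();
        self.entries = kept;
        Ok(removed)
    }
}

/// Constructed helper that fills a 32-byte root with one byte so sample roots are readable.
pub fn root_of(b: u8) -> [u8; 32] {
    [b; 32]
}

fn main() {
    // Constructed scenario: two roots, a 50 second expiry window, and a long gap.
    let mut history = RootHistory::default();
    history.post(root_of(1), 0);
    history.post(root_of(2), 100);
    let (now, root_expiry) = (200, 50);
    println!("root 1 active: {:?}", history.is_active(&root_of(1), now, root_expiry));
    println!("root 2 active: {:?}", history.is_active(&root_of(2), now, root_expiry));
    println!("pruned: {:?}, remaining: {}", history.prune(now, root_expiry), history.entries.len());

    // Constructed overflow case: a posted_at near u64::MAX is caught, not wrapped.
    let mut near_max = RootHistory::default();
    near_max.post(root_of(9), u64::MAX - 10);
    near_max.post(root_of(8), u64::MAX - 5);
    println!("overflowing root: {:?}", near_max.is_active(&root_of(9), u64::MAX, root_expiry));
}
```

In the scenario in main, root 1 is reported inactive and pruned while root 2 stays active even though more than root_expiry seconds have passed since it was posted; the near-max history returns RootError::Overflow instead of wrapping around to a small expiry time.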


Ackee Blockchain Security’s full Wormhole audit report, which includes a more detailed description of all findings and recommendations, can be found here.


We were delighted to audit Wormhole and look forward to working with them again.