  • letsaskformore

The Risks Of Worldcoin: What You Need To Know Before You Invest

Do you want to invest in Worldcoin, get your eyes scanned, spend the money that you got by scanning your eye, or simply know what you're talking about when you talk about Worldcoin?

I did lots of research. I got my eyes scanned, I played with the application, and unless you understand the things that I say in this video, you might put yourself at risk by using Worldcoin in ways that it's not intended to be used. Yes, I believe you should go and have your retina scanned and experience this technology. But let's see right now what Worldcoin is used for, what the vision is, what the actual use cases that are implemented are, and how they might break when you give them a closer look.

So if we go to the main page, the whitepaper of Worldcoin, there is a section called potential applications. Owning and transferring digital money: so effectively a cryptocurrency. Identity: keep the bots out. This is the idea that future social media will require you to prove you're a human before you comment, and this will mitigate some forms of spam when CAPTCHAs stop working. Then governance is mentioned, which is the idea that you'll be voting on serious issues by mobile app, using this World ID to prove that you are a unique human. Incentive alignment: that's basically coupons. Okay. And then equal distribution of scarce resources. This is about Universal Basic Income, money that will be distributed to people just because they're human. Now the problem is that all this is the vision. Right now, what can you really do? The answer is... nothing. So if you go to the wallet application right now, you can see that I can do absolutely nothing.

I have no buttons to press. So what I did was to uninstall and reinstall the app, and because of a software glitch, I can see the wallet in the bottom left corner. I can probably buy and sell cryptos with this wallet. Now, I'm pretty convinced that this is the case because I am in the US and Sam Altman, given that he has a reputation and a very visible public profile, wants to keep this as legit as possible. Beyond that, further applications are subject to future development. So all we can talk about right now is the vision. And in this discussion I have to make two key assumptions. One, that the Tools for Humanity team and company are really good people with good intentions. Because the whole system right now is so centralized that if they just want to collect biometric data and archive it and they have some malicious intention behind that, they can definitely do that if they want. The second assumption I have to make is about you: that you are cool about biometric data. If somebody like Snowden, for example, says no to biometrics, I would definitely not try to convince him that Worldcoin is worth even talking about. Okay, with those two assumptions in place, let's talk about the elephant in the room. That's the World App.

This is an iPhone or Android app and it knows a lot about you. You really trust this app a lot. So this app knows your phone number, the private keys for your World ID, and the private keys for your wallet. It also knows several other identifiers whose exact meaning I don't know. If you make any transfer in and out between other Ethereum addresses and the address of this Ethereum wallet, they will also be connected. If you transfer from bank accounts and credit cards, as they say, there's even more data associated with your identity. And the World App can see it all. That means that if the developers of the app screw up something, or Apple or Android do, all this data can leak and can totally invalidate all the privacy that the zero-knowledge proofs provide. But when you design a security system, you want to be defensive and you don't want to centralize so much knowledge in one specific place.

Now this place, this World App, right now has a terrible habit of not giving you the private keys for your Ethereum addresses. This is insane: not your keys, not your coins. Ideally you'd like the keys to live outside your phone in some hardware wallet. This certainly is not the case here. All those keys are backed up in iCloud, for example. But what if you don't want that? You can disable the backup. You can even have them backed up without a password, which sounds very dangerous. So there are all sorts of weird choices in the application right there. Beyond the wallet problems, there are some problems that I see at the protocol level. So a retina scan creates a hash, and this is associated by the Orb with a World ID and with your Ethereum address. Those will potentially expire for security reasons, very often. If somebody steals your wallet, you just go back to the Orb and you issue a new set of private keys and World ID.

So now this one-to-many relationship creates a dangerous environment because they have this idea of no persistent reputation. That means that the new keys and the new World ID will be totally separated from your previous ones for privacy reasons. But if you want to own tokens by using those addresses, you have to be able to transfer tokens from one address to the next address, and be able to do it in a private way. Now, in a world where every coin is powered by zero-knowledge proofs, that would be possible. But in the world we live in right now, this has to be done through mixers, and use of mixers might suggest illegal activity. So as you can see, this idea of no persistent reputation greatly limits the ownership use cases and forces you to use mixers and not touch any NFTs.

Now the idea about preventing spam. That I find a little bit weird, to be honest. Because there's a strong requirement for pseudonymity, and let's assume that I want to use this World ID to both vote and at the same time be on social media and potentially say things that the government doesn't like. So I somehow need to have two different addresses that are independent and are connected to the same retina. Vitalik says that there is no problem; for example, we might have up to five different accounts, or what he also proposes is N with N-squared cost. Okay. All this is a little bit academic, though. Of course you can do it, but it's way too complicated, and the more complicated it becomes, the more prone to errors it is, and the more people will rely on centralized services. And then what's the point? All I see here is the potential of consolidating more and more identifiers to a single retina scan.

In terms of biometrics, yes, the Orb uses biometrics and I think we should all relax a little bit about them. The guys there have done excellent research. I really like all this work they have done. Many skeptics talk about how bad it is to collect biometrics on a large scale. The only reason I can't imagine this is bad is because if there is a leak, it's going to be pretty terrible. More specifically, with a database and one compromised Orb, you can hijack all the identities of the network. Of course they store this data somewhere in an encrypted way, but when the stakes are this high, no encryption is enough. That said, what we should require is that nobody else, no other network, no other application, uses the same hashing algorithm for other purposes. Okay, with a leak, everything in the Worldcoin network might collapse. But you wouldn't like your banking system security to collapse at the same time as well.

One of the things that happens when I vote in real life is that I go to some place that nobody can really see, and even if they think that I will vote for something, I might in the end vote for something else. I have a certain level of guaranteed privacy as well as the assurances that other people provide by seeing that, for example, I'm not drunk or that I'm not being blackmailed by, for example, somebody who points a gun at me. So yeah, of course voting through an app is a very inclusive way to make a very broad kind of polling. But for voting on serious issues, I'm not sure. I think that the system we have right now works pretty well. The Worldcoin token is a very weird token. It's inflationary, even though inflation will start in a few years' time. But most important is that there is no utility. You don't burn it somehow.

The tokens are given to individuals for free. What they choose to do with that is up to them.

So I seriously don't know what will support the price of this coin. It is not available for US customers, which already makes it a non-egalitarian distribution, despite what they say: "We're just focused on having the most egalitarian distribution."

So yeah, I don't know. Lots of things wrong with the Worldcoin token.

Finally, the Orb. The Orb is an engineering masterpiece. It's like an iPhone that scans your eye. The technology it has in there is pretty amazing, although some of the sensors are pretty pointless, I think. That said, it absolutely needs to be in a place that's supervised. The Orb is protected by a secure element. What is a secure element? This is what a secure element looks like. This is like a fingerprint for a hardware device. On top of the chip they have a mesh, so that if somebody tries to open the cap and tries to plug some wires into the actual chip, they will break the wire mesh and force the chip to erase the private keys. Now what they use in the Orb is not this. I cannot find it in the bill of materials, and I asked them and I got no reply.

So I'm not sure why. While in the documentation they talk about the secure element, they don't use one. Of course, those attacks we are talking about are pretty expensive and sophisticated and highly likely done only by nation-state actors. But there are easier ways, if you get an Orb and you are unsupervised, to hack through that. The easiest way to do it is actually to cut right here. I would hijack the high-resolution stream that goes from the camera to the GPU processor. This way I would feed synthetic retina images to the processor and the rest of the system would work as usual, creating hashes, signing them and uploading them to the network.

So yeah, summarizing. About money: it's not a good coin and there are privacy issues, despite the fact that they have paid lots of attention to making the protocol very privacy-aware. Keeping the bots out: again, they have to explain to us how this will work with pseudonymity. Governance: okay, but not for voting on really important issues. Incentive alignment, like coupons and stuff: okay, even Starbucks can issue a loyalty card, so I don't see this as a big value proposition of this network. And equal distribution of scarce resources, like UBI: we already see that in the US we cannot get this coin. So yeah, I'm not very convinced about this. And also I think that any form of UBI will certainly go through governments. I don't believe that globally governments will allow private entities to print money and give it to people.

So how should you use the World App? My answer is as little as possible, as carefully as possible. The first thing you should do is not associate any of your existing accounts or addresses, on Ethereum or otherwise, with the address that you get in the World App. I don't know what you have done with those other addresses, but you don't want to connect that with a fingerprint of your eye. So even if you have been airdropped some Worldcoin token, just leave it there. Don't move it, don't exchange it, don't do anything. Leave it there and you will see if it turns out useful at some point in the future. Despite all those things I have just said, I still believe it's worth doing it. Why? I will explain in part three, the final part of this video series on Worldcoin. I hope you found this video useful. Thanks for watching.
