Analysis2023-07-25

Only 1 Owner of Multi-Signed Contract? Worldcoin May Involve Centralized Risks

Tags

2 Minutes Read

Daniel Tan

Daniel Tan

Security Operation / Audit

Summary

The current owner of $WLD is a 1/1 multisig contract with only one owner

We analyzed Worldcoin's token $WLD smart contract 0x163f8c2467924be0ae7b5347228cabf260318753 and found some security concerns. Here are risks that you should keep alert.

Centralized Risks

🔵 The mintOnce Function

The contract implements a centralized minting mechanism mintOnce, allowing the owner to mint tokens to multiple addresses in one transaction. This one-time function has already been called by the current owner.

The current owner is a 1/1 multisig wallet contract 0x59a0f98345f54bAB245A043488ECE7FCecD7B596, with only one owner eth:0xc534a745bFfaF9466Ed7B47fA23B0177b99A3e77. This means only one signature is needed to represent the owner to perform privileged operations. 1.png

🔵 The setMinter Function

In addition, the contract also implements the setMinter function, allowing the owner to set a minter address. Currently the minter is zero address. 2.png

🔵 The mintInflation Function

If the owner sets a non-zero minter, the minter can arbitrarily call mintInflation to mint unlimited tokens to any address.

Token Distribution

Statistics show the first 6 addresses already hold 94.5% of the total supply. This indicates a highly centralized token distribution. 3.png

In summary, the token contract has the following security risks:

  1. The owner currently has only one signer, which reduces security control over the owner account.
  2. There is a risk of unlimited token minting after a minter is set.
  3. The token distribution is overly centralized with the top 6 addresses holding most tokens.

To mitigate these risks, here are our security suggestions:

  1. Increase the number of signers for the owner to enforce multi-sig management.
  2. Disable arbitrary settings of minters to prevent unlimited minting.
  3. Adopt vesting or continuous distribution to reduce the centralization of token distribution.

Security is the cornerstone of a healthy blockchain ecosystem. We will continue monitoring project security, performing timely security risk alerts, to jointly maintain the security of blockchain.

About Us

At MetaTrust, our primary focus is on creating a secure infrastructure that caters to the needs of developers in the WEB 3.0 space. We offer an array of AI-Driven automation tools and security services to assist Web3 developers and project stakeholders in achieving a secure development environment.

Website || Twitter || Try MetaScan for FREE

Share this article