Analysis | 2023-07-25
Only 1 Owner of Multi-Signed Contract? Worldcoin May Involve Centralized Risks

Daniel Tan
Security Operation / Audit
Summary
The current owner of $WLD is a 1/1 multisig contract with only one owner
We analyzed Worldcoin's token $WLD smart contract 0x163f8c2467924be0ae7b5347228cabf260318753 and found some security concerns. Here are the risks you should be aware of.
Centralized Risks
The mintOnce Function
The contract implements a centralized minting mechanism, mintOnce, allowing the owner to mint tokens to multiple addresses in one transaction. This one-time function has already been called by the current owner.
The current owner is a 1/1 multisig wallet contract 0x59a0f98345f54bAB245A043488ECE7FCecD7B596, with only one owner eth:0xc534a745bFfaF9466Ed7B47fA23B0177b99A3e77. This means only one signature is needed to act as the owner and perform privileged operations.
The setMinter Function
In addition, the contract also implements the setMinter function, allowing the owner to set a minter address. Currently the minter is the zero address.
The mintInflation Function
If the owner sets a non-zero minter, the minter can arbitrarily call mintInflation to mint unlimited tokens to any address.
Token Distribution
Statistics show that the top 6 addresses already hold 94.5% of the total supply. This indicates a highly centralized token distribution.
In summary, the token contract has the following security risks:
- The owner currently has only one signer, which reduces security control over the owner account.
- There is a risk of unlimited token minting after a minter is set.
- The token distribution is overly centralized with the top 6 addresses holding most tokens.
To mitigate these risks, here are our security suggestions:
- Increase the number of signers for the owner to enforce multi-sig management.
- Disable arbitrary settings of minters to prevent unlimited minting.
- Adopt vesting or continuous distribution to reduce the centralization of token distribution.
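To make the second suggestion concrete, the following is an added illustration written for this article, not Worldcoin's contract and not MetaTrust's code. It keeps the same three entry points discussed above (a one-time mintOnce, a minter role, and mintInflation) but bounds the minter: inflation minting is capped at a fixed share of the supply per period, and a minter change must be proposed and then accepted after a delay, so a watcher sees it on-chain before it takes effect. The cap, period and delay values, the contract and token names, and the OpenZeppelin v5 imports are all assumptions. The first suggestion (a higher multisig threshold) is a wallet configuration, not token logic, and is therefore not shown here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependency: OpenZeppelin Contracts v5.x
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable, Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";

/// Hypothetical token with a bounded inflation minter (example only, not $WLD).
contract CappedInflationToken is ERC20, Ownable2Step {
    // Assumed policy values: at most 1.5% of the period's starting supply per year,
    // and a 7-day notice period before a new minter becomes active.
    uint256 public constant INFLATION_CAP_BPS = 150;
    uint256 public constant INFLATION_PERIOD = 365 days;
    uint256 public constant MINTER_CHANGE_DELAY = 7 days;

    address public minter;
    address public pendingMinter;
    uint256 public minterEffectiveAt;

    bool public initialMintDone;
    uint256 public periodStart;
    uint256 public periodBaseSupply; // supply at the start of the current period
    uint256 public mintedInPeriod;

    event MinterProposed(address indexed newMinter, uint256 effectiveAt);
    event MinterUpdated(address indexed newMinter);

    constructor() ERC20("Example Token", "EXT") Ownable(msg.sender) {
        periodStart = block.timestamp;
    }

    /// One-time initial distribution; cannot be repeated once it has run.
    function mintOnce(address[] calldata to, uint256[] calldata amounts) external onlyOwner {
        require(!initialMintDone, "initial mint already done");
        require(to.length == amounts.length, "length mismatch");
        initialMintDone = true;
        for (uint256 i = 0; i < to.length; i++) {
            _mint(to[i], amounts[i]);
        }
        periodBaseSupply = totalSupply();
    }

    /// Step 1 of a minter change: record the proposal and the earliest activation time.
    function proposeMinter(address newMinter) external onlyOwner {
        pendingMinter = newMinter;
        minterEffectiveAt = block.timestamp + MINTER_CHANGE_DELAY;
        emit MinterProposed(newMinter, minterEffectiveAt);
    }

    /// Step 2: activate the proposed minter only after the delay has elapsed.
    function acceptMinter() external onlyOwner {
        require(pendingMinter != address(0), "no pending minter");
        require(block.timestamp >= minterEffectiveAt, "delay not elapsed");
        minter = pendingMinter;
        pendingMinter = address(0);
        emit MinterUpdated(minter);
    }

    /// Inflation minting bounded by a hard per-period cap instead of being unlimited.
    function mintInflation(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        require(initialMintDone, "initial mint pending");

        // Roll over to a new period when the previous one has ended.
        if (block.timestamp >= periodStart + INFLATION_PERIOD) {
            periodStart = block.timestamp;
            periodBaseSupply = totalSupply();
            mintedInPeriod = 0;
        }

        uint256 cap = (periodBaseSupply * INFLATION_CAP_BPS) / 10_000;
        require(mintedInPeriod + amount <= cap, "exceeds inflation cap");

        mintedInPeriod += amount;
        _mint(to, amount);
    }
}
```

The cap is computed against the supply at the start of the period rather than the live supply, so repeated mints inside one period cannot ratchet the ceiling upward. The proposal delay does not by itself stop a single key holder from changing the minter; it only guarantees that the change is visible on-chain before it becomes effective, which is why it complements, rather than replaces, a higher multisig threshold on the owner.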
Security is the cornerstone of a healthy blockchain ecosystem. We will continue monitoring project security and issuing timely risk alerts, to jointly maintain the security of the blockchain ecosystem.
About Us
At MetaTrust, our primary focus is on creating a secure infrastructure that caters to the needs of developers in the WEB 3.0 space. We offer an array of AI-Driven automation tools and security services to assist Web3 developers and project stakeholders in achieving a secure development environment.
