How a Race Condition Vulnerability Could Cast Multiple Votes

This report describes discovery of a race condition in the Worldcoin (World ID) SDK cloud implementation that allowed an attacker to bypass preset per-person verification limits by sending parallel requests, enabling actions such as casting multiple votes. The author details testing steps, the vulnerable code path, and the subsequent database-backed mitigation that prevents concurrent verification misuse.