Last week, PayPal (or rather, Paxos on behalf of PayPal) released a stablecoin: Fidesium PAX token detail
So first, we would love to welcome this new player. In market terms, in order to onboard the next billion users we need participation from TradFi and institutional players like PayPal. In many ways the fact that PayPal are embracing crypto is in and of itself a ringing endorsement, given that their genesis famously involved the pursuit of digital money back in the 1990s.
With that said…
There are a few important problems with this smart contract, as seen in our report, with the two most troubling being:

The compiler uses an outdated version of Solidity. Specifically, the contract was compiled with version 0.4.24, which dates back to the pre-industrial ages of May 2018. There have been over 60 releases since then, many of them containing security-critical updates. Why this specific and ancient version was selected is mysterious, and somewhat troubling.

The contract is an upgradeable proxy, meaning PayPal/Paxos can, at any point and with no notification, change the underlying smart contract to one of their choosing, *while maintaining all of your approvals*. The danger inherent in this pattern for a fungible token meant to represent money directly simply cannot be overstated. There are valid use cases for the proxy pattern, and releasing a major stablecoin isn't one of them.
There are also a number of *significant* problems with the underlying implementation contract.
There is an authorized address called ‘assetProtectionRole’ that can, at will, freeze any holder’s assets. Let’s look at the code:

The first two functions are pretty self-explanatory, freezing assets in place in a wallet, or unfreezing them. The last, however, wipeFrozenAddress, really deserves to be spoken about. To clarify, once this function is called, the money in a frozen address is burned, deleted, gone forever. *Your* money is sent to an irrecoverable location, and you have no recourse whatsoever. It's not even confiscated by law enforcement or clawed back by PayPal. It's simply gone.
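To make the mechanism concrete, here is an added minimal sketch of the freeze/wipe pattern in Solidity 0.8. It is illustrative only, not the deployed contract's code: the names assetProtectionRole, freeze and wipeFrozenAddress follow the post, everything else (state layout, events, the transfer check) is assumed, and unfreeze is omitted as the mirror image of freeze.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch of the "asset protection" pattern over a balance-mapped
// token. NOT the deployed PYUSD/PAX contract; the layout and names are assumed.
contract FreezableToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public frozen;
    uint256 public totalSupply;
    address public assetProtectionRole;

    event AddressFrozen(address indexed addr);
    event Transfer(address indexed from, address indexed to, uint256 value);
    modifier onlyAssetProtectionRole() {
        require(msg.sender == assetProtectionRole, "not asset protection role");
        _;
    }

    constructor(uint256 supply) {
        assetProtectionRole = msg.sender;
        balanceOf[msg.sender] = supply;
        totalSupply = supply;
    }

    // A frozen holder can neither send nor receive; its funds sit in place.
    function transfer(address to, uint256 value) external returns (bool) {
        require(!frozen[msg.sender] && !frozen[to], "address frozen");
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value);
        return true;
    }

    function freeze(address addr) external onlyAssetProtectionRole {
        require(!frozen[addr], "already frozen");
        frozen[addr] = true;
        emit AddressFrozen(addr);
    }

    // The wiped balance is not moved to a custodial address: it is zeroed and
    // subtracted from totalSupply, so there is nothing left to give back later.
    function wipeFrozenAddress(address addr) external onlyAssetProtectionRole {
        require(frozen[addr], "not frozen");
        uint256 amount = balanceOf[addr];
        balanceOf[addr] = 0;
        totalSupply -= amount;
        emit Transfer(addr, address(0), amount); // shows up as a burn on explorers
    }
}
```

The thing to watch for when reviewing a token like this is that the only check in wipeFrozenAddress is the frozen flag set by the same role, so a single key (or whoever controls it through the proxy) is the entire control path from "holder" to "zero balance".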
If you’d like to understand and manage your risk, come use our tool!