Powered by

PAX stablecoin has backdoor for freezing and seizing cryptocurrency

Devs built them for 'LawEnforcement'

The Ethereum community has found some rather unnerving facts about a new stablecoin known as PAX. It turns out the cryptocurrency – backed by the US dollar – contains backdoors that give law enforcement (or anyone else, for that matter) a concerning amount of control over your funds.

PAX has a function – called “setLawEnforcementRole” – which creates a new Ethereum address with administrative permissions over the circulating PAX supply. This practically means anyone with these permissions can tamper with any wallet they please.

The stablecoin allows the new addresses powerful functions – particularly “freeze” and “wipeFrozenAddress” – that lets “authorities” freeze wallets (and addresses) at will, and even destroy any assets they possess.

The vulnerability in question was first spotted by blockchain developer John Backus. Hard Fork has reviewed the code to corroborate his findings. Note, the rather obvious language, specifically: “setLawEnforcementRole.”

PAX was issued as an ERC-20 token through Ethereum, which makes its code completely open for public review.

Below is code in question. The developer’s comments, punctuated by slashes, confirm what the functions were designed for.

A “stablecoin” is a cryptocurrency permanently tied to the value of another currency – typically fiat, but can be tied to anything, like gold, oil, or diamonds.

Remember: every PAX token is backed by one US dollar. For all intents and purposes, PAX suggests its tokens and US dollars should be treated as completely interchangeable.

PAX made waves when its parent company, Paxos, launched it last week. After all, it’s purportedly among the first cryptocurrency of its kind (stablecoins) to have such backing and be approved by Wall Street regulators.

I don’t think I need to highlight how monstrously insane it is for devs to hand so much power over a financial instrument (currency) to anyone – let alone government authorities. Come on, this is not Satoshi’s vision.

Despite my gripes with such centralized nonsense, cryptocurrency developers have long struggled with the existential problem of backdoors.

EOS is one smart contract-powered blockchain that market these backdoors as features to potential dApp developers. A decentralized app (dApp) startup recently used a backdoor to access user wallets, unauthorised, to retrieve tokens after it fudged its airdrop.

Bancor, another cryptocurrency platform which runs on Ethereum, pulled a similar trick recently. Despite Ethereum’s dogmatic approach to decentralization, Bancor programmed its own backdoor into its exchange smart contracts.

This allowed developers to retrieve $10 million in cryptocurrency stolen in a digital raid, which was only made possible due to vulnerabilities in its code.

For what it’s worth – backdoors like these exist in pretty much every internet service you use. In fact, German police are pretty proud to declare that they don’t even need backdoors to hack your phone.

Update 09:27 UTC, September 21: A Paxos spokesperson has since reached out to Hard Fork with a clarification. In particular, the company confirmed the backdoors were indeed built for law enforcement – mostly for regulatory reasons.

The spokesperson further noted PAX had been “approved based on stringent requirements” to “implement, monitor and update controls to prevent Paxos Standard from being used in connection with money laundering, terrorist financing or other illegal activities.”

This was also communicated in the initial approval announcement.

“The code is written because we are required to have the capability to freeze or seize tokens ourselves,” the spokesperson wrote. “This is something we don’t take lightly; it’s an action we will take only if required by law.”

In fact, it could only be approved by Wall Street regulators if it included the backdoors.

The spokesperson referred us to PAX’s legal documentation which also confirms the backdoor. “We may freeze, temporarily or permanently, your use of, and access to, PAX or the US dollars backing your PAX, with or without advance notice,” it reads, “if we are required to do so by law, including by court order or other legal process.”

Paxos also took a moment to explain that it only intends to use the backdoor when “required to do so by law.”

“We have no intention of ever giving unrestricted access to our code directly to law enforcement (or anyone else, for that matter),” the spokesperson said.

If you’re interested in everything blockchain, chances are you’ll love Hard Fork Decentralized. Our blockchain and cryptocurrency event is coming up soon – join us to hear from experts about the industry’s future. Check it out!

Published September 20, 2018 — 14:22 UTC