Numerous stablecoin projects have been announced and launched in the past year, including two which were approved by US regulators this month. One of those projects, Paxos (PAX) which will be listed on Binance, has caused controversy in the community about a back door that gives Paxos the capability to freeze or seize tokens, if they are required to do so by law, including by court order or other legal processes.
The back door was discovered by John Backus, a member of the Ethereum community who noticed it in the code and posted his findings to Twitter.
Wow, wtf? The PAX stablecoin gives **admin write access** to law enforcement. Basically, the government can FREEZE and BURN anyone's coins! pic.twitter.com/7mlDgTxX7l— John Backus (@backus) September 19, 2018
Backus then suggested that this goes above and beyond the typical KYC compliance that should be expected from projects of this nature. Bakus stated:
I get we need compliant stablecoins, but giving the government direct control to the smart contract seems excessive. Less extreme alternatives: Normal legal process. Gov requests freeze/seizure, PAX judges and fulfills, Allow LE to freeze, but require PAX to confirm burning,
A Paxos spokesperson said that this back door is simply a matter of compliance with federal regulations. The statement read:
Paxos has always been compliant as a core principle,” the spokesperson said. “We believe that there is a healthy market — especially amongst institutional investors who are also regulated and can only work with financial institutions like ours — who prefer to work with regulated and compliant entities and want the protection and stability of the government. We have always been clear that this is our approach,
The spokesperson added:
In the initial announcement about approval from our regulator, the New York State Department of Financial Services, they clearly stated that we were approved based on stringent requirements that we implement, monitor and update controls to prevent Paxos Standard from being used in connection with money laundering, terrorist financing or other illegal activities,
However, while a back door like this is a requirement to comply with US regulations, some critics say it poses many security problems.
Earlier this month, Nomadic Labs published an audit of the Paxos code, finding that this back door is a massive security flaw that can be exploited by skilled hackers. The audit stated:
Being able to freeze the systems is a desired capability to keep the token KYC friendly. However, the current implementation doesn’t protect against front running. A highly sophisticated attacker might observe non-settled freeze attempts in the blockchain and race it with a transaction to transfer the coins from the being-frozen address to a second address in a cat-and-mouse game,
Furthermore, this case represents a familiar contrast between the cryptocurrency community and institutional banking or investment interests. Many of the values that have motivated the growth and expansion of the crypto industry, like privacy and decentralization, seem at odds with the standards that traditional finance is accustomed to.