The Ethereum community has found some rather unnerving facts about a new stablecoin known as PAX. It turns out the cryptocurrency – backed by the US dollar – contains backdoors that give unrestricted access to law enforcement (or anyone else, for that matter).
PAX has a function – called “setLawEnforcementRole” – which designates an Ethereum address with administrative permissions over the circulating PAX supply. In practice, this means anyone holding these permissions can tamper with any wallet they please.
The stablecoin grants the designated address powerful functions – particularly “freeze” and “wipeFrozenAddress” – that let “authorities” freeze wallets (and addresses) at will, and even destroy any assets they hold.
The vulnerability in question was first spotted by blockchain developer John Backus. Hard Fork has reviewed the code to corroborate his findings. Note the rather obvious naming, specifically: “setLawEnforcementRole.”
PAX was issued as an ERC-20 token through Ethereum, which makes its code completely open for public review.
Below is the code in question. The developer’s comments, punctuated by slashes, confirm what the functions were designed for.
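The contract source itself is not reproduced on this page. As an added illustration, not the PAX contract, the following Solidity sketch shows the pattern the article describes: an owner-assigned law-enforcement address that can freeze any holder and then wipe a frozen balance, with ordinary transfers refused while an address is frozen. The contract name, the events and the modifier names are assumptions.

```solidity
pragma solidity ^0.8.0;

// Added illustration of the pattern the article describes; it is NOT the PAX
// contract. One privileged "law enforcement" address can freeze any holder
// and then burn that holder's entire balance without their consent.
contract FreezableToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public frozen;
    uint256 public totalSupply;
    address public owner;               // deployer of the contract
    address public lawEnforcementRole;  // the administrative address

    event Transfer(address indexed from, address indexed to, uint256 value);
    event AddressFrozen(address indexed addr);
    event FrozenAddressWiped(address indexed addr, uint256 amount);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier onlyLawEnforcement() { require(msg.sender == lawEnforcementRole, "not law enforcement"); _; }

    constructor(uint256 initialSupply) {
        owner = msg.sender;
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
    }

    // The owner hands control over every balance to a single address.
    function setLawEnforcementRole(address newRole) external onlyOwner {
        lawEnforcementRole = newRole;
    }

    // Freezing is unilateral: the holder is not consulted and cannot object on-chain.
    function freeze(address a) external onlyLawEnforcement { frozen[a] = true; emit AddressFrozen(a); }

    // Destroys a frozen holder's tokens and shrinks the supply accordingly.
    function wipeFrozenAddress(address a) external onlyLawEnforcement {
        require(frozen[a], "address not frozen");
        uint256 amount = balanceOf[a];
        balanceOf[a] = 0;
        totalSupply -= amount;
        emit FrozenAddressWiped(a, amount);
    }

    // Ordinary transfers are refused if either party is frozen.
    function transfer(address to, uint256 value) external returns (bool) {
        require(!frozen[msg.sender] && !frozen[to], "address frozen");
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value);
        return true;
    }
}
```

Reading the public `lawEnforcementRole` getter and watching for `AddressFrozen` and `FrozenAddressWiped` events is how a holder of such a token would see the power being assigned or exercised.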
A “stablecoin” is a cryptocurrency permanently pegged to the value of another asset – typically a fiat currency, but it can be pegged to anything, like gold, oil, or diamonds.
Remember: every PAX token is backed by one US dollar. For all intents and purposes, PAX suggests its tokens and US dollars should be treated as completely interchangeable.
PAX made waves when its parent company, Paxos, launched it last week. After all, it’s purportedly among the first cryptocurrencies of its kind (stablecoins) to have such backing and be approved by Wall Street regulators.
I don’t think I need to highlight how monstrously insane it is for devs to hand so much power over a financial instrument (currency) to anyone – let alone government authorities. Come on, this is not Satoshi’s vision.
Despite my gripes with such centralized nonsense, cryptocurrency developers have long struggled with the existential problem of backdoors.
EOS is one smart contract-powered blockchain that markets these backdoors as features to potential dApp developers. A decentralized app (dApp) startup recently used a backdoor to access user wallets, unauthorised, and retrieve tokens after it fudged its airdrop.
Bancor, another cryptocurrency platform which runs on Ethereum, pulled a similar trick recently. Despite Ethereum’s dogmatic approach to decentralization, Bancor programmed its own backdoor into its exchange smart contracts.
This allowed developers to retrieve $10 million in cryptocurrency stolen in a digital raid, a raid made possible only by vulnerabilities in its code.
For what it’s worth – backdoors like these exist in pretty much every internet service you use. In fact, German police are pretty proud to declare that they don’t even need backdoors to hack your phone.