• PayPal introduced its stablecoin on the Ethereum blockchain.
• Huobi has announced that it will offer the new stablecoin.
• The PYUSD has an “assetProtection” mechanism that can wipe out account balances through two transactions—first by freezing the balance and then wiping the frozen address.

The recently launched PayPal stablecoin, called the PayPal USD (PYUSD), has come under scrutiny from Pashov, a smart contracts security review expert. The PYUSD was unveiled on August 7, and Pashov’s analysis has revealed some concerning findings, as posted on X platform on the same day.

The new PayPal USD stablecoin has an “assetProtection” functionality that can wipe out account balances in two transactions (first `freeze`, then `wipeFrozenAddress`)

In the realm of smart contract security, this is known as a “centralisation attack vector” pic.twitter.com/RsmqvsnKvi

— pashov (@pashovkrum) August 7, 2023

Pashov has found that selected members of the development team at PayPal will have the ability to execute sensitive code actions, such as freezing accounts and clearing frozen account balances, using the “assetProtection” mechanism.

Similar Attack Vectors in USDT and USDC

While many crypto enthusiasts expected PayPal’s stablecoin to offer unique features, Pashov’s revelation indicates that the new PayPal USD stablecoin shares similarities with USDT and USDC in terms of security vulnerabilities.

The PayPal USD (PYUSD), Tether (USDT), and USD Coin (USDC) all include an “assetProtection” functionality, which is considered a ‘centralization attack vector’ in smart contract security.

Newsflash: USDT & USDC both have similar attack vectors as well. I thought this one might be different, but it really isn’t.

— pashov (@pashovkrum) August 7, 2023

This feature makes PayPal’s stablecoin centralized, similar to many other popular stablecoins in the market.