
PayPal’s secret strategy to smart contract security revealed

Yana Khlebnikova
Edited by

Trust — white hat hacker and head of smart contract auditing firm Trust Security — shed some light on a peculiar feature of the smart contract powering PayPal’s new stablecoin PYUSD.

In a recent tweet, Trust pointed out that they have “seen a lot of dunking on PayPal for using an ancient Solidity compiler.”

https://twitter.com/trust__90/status/1688877793470234624

As pointed out in a recent article, an analysis of the smart contract revealed that the company used Solidity compiler version 0.4.24.

Version 0.4.24 of Solidity was released on May 16, 2018, so the version chosen by PayPal was ancient indeed. Still, this is not necessarily a bad thing.

Trust explained that when choosing a Solidity compiler version, a programmer is looking for a compromise: the latest versions guarantee lower gas usage and more features, while older versions have been tested for longer and feature fewer unknowns.

In other words, older compilers are less likely to feature unknown vulnerabilities. He concluded someone may want to use an older version “because it withstood the test of time.”

Furthermore, Trust pointed out that PayPal’s token is powered by a single short smart contract and the SafeMath library. A system with such low complexity does not require new features, with the objective being an “ultra-robust code used for the next 10+ years, not to do anything too fancy.”

Trust also explained, “The simpler the codebase and the fewer the integrations with outside code, the earlier you can set the compiler version and get away with it.”

This is also in line with the cybersecurity principle of attack surface reduction, where programmers look to make a system as simple and barebones as possible to reduce the probability of vulnerabilities hiding in unnecessary complexity and libraries.

Trust further highlighted that “immutable smart contracts are inherently different from traditional software” since there are no “periodic patch days or emergency releases.” The only viable approach is to “hope all components of the codebase are safe at a specific point in time,” and PayPal developers “can now rely on five years of compiler testing.”