PayPal’s stablecoin has wallet freezing and wiping functions
An analysis of the smart contract of the just-launched PayPal stablecoin PYUSD revealed the presence of so-called “centralization attack vectors.”
Smart contract security auditor Pashov pointed out in a recent Twitter thread that PYUSD’s contract has an ‘assetProtection’ role. It can wipe your balance in two transactions: first ‘freeze,’ then ‘wipeFrozenAddress.’
The reason why this is seen as an attack vector is that such a feature increases the damage that potential attackers can do if they managed to access it.
Pashov noted that PYUSD has six decimals, and uses Solidity compiler version 0.4.24. More interestingly, this smart contract does not “implement EIP-712 as the standard expects you to.”
What is EIP-712
Ethereum Improvement Proposal 712 or EIP-712 is a 2017 standard that allows Ethereum wallets like MetaMask to display structured and readable data in signing prompts instead of just hexadecimal strings. This makes it easier for users to verify the actual data they are signing, improving security and usability.
To implement EIP-712, developers need to define data structures and create a domain separator to prevent signature collisions between dapps. They also need to write signing code for their dapp to interface with the user’s wallet, write contract code to hash the data structures, and verify signatures on-chain using ecrecover. Overall, EIP-712 allows users to better understand what they are signing and prevents phishing attacks.
Ecrecover is an EVM precompile in Solidity that allows contracts to verify signatures of off-chain data. It takes a hash and an elliptic curve signature comprised of v, r, and s, and returns the Ethereum address that was used to sign the data, verifying the signature is valid. This allows building use cases like meta-transactions and permit tokens.
There are different standards for signing data like eth_sign, personal_sign, and EIP-712. EIP-712 is the recommended way for contracts to accept signed data as it provides protection against misuse and replay attacks. It involves hashing specific contract data like chain ID along with the message data itself. OpenZeppelin contracts provide secure implementations of ecrecover and EIP-712 signing. Overall, ecrecover enables contracts to cryptographically verify signed data from off-chain sources.
Freezing and balance-wiping features may be surprising to those in the crypto space who expect assets to be entirely under the control of the owners.
Still, smart contract-based tokens have allowed for such features for some time, and those features are pretty typical of centralized stablecoins.
“Newsflash: USDT & USDC both have similar attack vectors as well. I thought this one might be different, but it really isn’t,” Pashov commented.