
Smart Contract Audit

Paypal USD: Boon for Ethereum but not decentralization, says community

Proponents say PayPal’s PYUSD could see Ethereum become the money layer of the internet, while opponents argue that it’ll act like a poorly designed CBDC.

Paypal’s new Ethereum-based stablecoin, PYUSD has been seen as bittersweet news for the crypto community.

While it could finally see Ethereum find its place in mainstream adoption, it could also spell trouble for decentralization and personal control of assets, warns the community.

The new stablecoin, Paypal USD, was launched on Aug. 7 and is issued by Paxos Trust Co. — the firm behind Binance USD (BUSD). It’s built on Ethereum and “designed for digital payments and Web3,” with the firm saying it will soon be available to United States customers.

The launch has been seen as a boon for Ethereum adoption. Ethereum bulls Anthony Sassano and Ryan Sean Adams believe the ERC-20 stablecoin will push the blockchain closer towards becoming the money layer of the internet.

The number of daily active users on Ethereum currently hovers between 300,000 and 400,000, according to Etherscan.

However, Sean Adams noted that 430 million accounts actively use the online payment processor, which means that over 5% of the world’s 8 billion people could theoretically be onboarded onto Ethereum through PayPal’s new stablecoin.

Martin Koppelmann, the CEO and co-founder of Gnosis, added that by launching PYUSD on Ethereum’s base layer, Ethereum layer-2s will be able to interact with PYUSD too.

Others, including lawmakers, have seen it as another example of larger institutions embracing crypto, breathing new life into the traditional payments system.

In an Aug. 7 statement, Patrick McHenry, Chair of the United States House Committee on Financial Services said stablecoins like PayPal’s PYUSD “hold promise as a pillar of our 21st century payments system.”

However, not everyone is convinced about PayPal’s new stablecoin.

Several smart contract auditors highlighted that PYUSD’s smart contract contains “freezefunds” and “wipefrozenfunds” functions, which they claim are a textbook example of a centralization attack vector in Solidity contracts.
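To make the auditors’ point concrete, here is a constructed Solidity sketch of the pattern they are describing: a token whose single admin key can freeze any holder and then burn the frozen balance. This is an added illustration written for this page, not PYUSD’s or Paxos’s contract; the contract name, the `admin` role and the function names are assumptions chosen to mirror the functions named above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed example of admin freeze/wipe controls in a token contract.
/// Not PYUSD's code; names and structure are assumptions for illustration.
contract FreezableToken {
    address public admin;            // single privileged key: the trust anchor an auditor scrutinises
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public frozen;
    uint256 public totalSupply;

    event Frozen(address indexed account);
    event Unfrozen(address indexed account);
    event FrozenFundsWiped(address indexed account, uint256 amount);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(uint256 initialSupply) {
        admin = msg.sender;
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
    }

    /// Ordinary transfer; frozen accounts can neither send nor receive.
    function transfer(address to, uint256 amount) external returns (bool) {
        require(!frozen[msg.sender] && !frozen[to], "account frozen");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    // ---- Admin controls: the centralization surface an audit report flags ----

    /// Admin can block any holder's funds unilaterally, with no on-chain appeal.
    function freezeFunds(address account) external onlyAdmin {
        frozen[account] = true;
        emit Frozen(account);
    }

    function unfreezeFunds(address account) external onlyAdmin {
        frozen[account] = false;
        emit Unfrozen(account);
    }

    /// Admin can permanently destroy a frozen holder's entire balance.
    function wipeFrozenFunds(address account) external onlyAdmin {
        require(frozen[account], "account not frozen");
        uint256 amount = balanceOf[account];
        balanceOf[account] = 0;
        totalSupply -= amount;
        emit FrozenFundsWiped(account, amount);
    }
}
```

Nothing here is a coding bug; the risk is a trust assumption. What an auditor records for a pattern like this is who controls `admin` (a single externally owned key, a multisig, a timelock), whether every freeze and wipe emits an event that holders and indexers can watch, and whether the contract sits behind an upgradeable proxy, in which case even the guarantees the code appears to give can be changed later by the same party.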

This concern was echoed by cryptocurrency researcher Chris Blec, who believes that PayPal will use the controversial functions where necessary.

Digital asset lawyer Sarah Hodder believes many characteristics of PayPal’s stablecoin resemble that of a censorship-enabled central bank digital currency. Another smart contract auditor noted that PYUSD’s smart contract can be changed by PayPal at any time.

In October, PayPal was slammed for a controversial policy that could’ve seen users fined $2,500 for spreading “misinformation.” The firm later backpedalled, claiming the policy update was published “in error.”

Related: PayPal’s crypto holdings increased by 56% in Q1 2023 to nearly $1B

Meanwhile, Blockchain engineer Patrick Collins took a slightly more neutral view, suggesting that PayPal’s PYUSD could have been “epic” but believes some of the engineering choices were suboptimal — such as choosing an outdated version of Solidity to program the contract, making the contract upgradeable and not making it gas efficient.

Sassano also explained in a separate post that while PayPal's stablecoin is centralized, Ethereum users are free to choose whether they wish to use it or not.

PayPal said PYUSD will be rolled out within the next few weeks.

ETH is currently priced at $1,825 which is approximately the same price at the time of PayPal’s announcement about 10 hours ago, according to CoinGecko. Only minor fluctuations have been observed in ETH’s price since then.

Magazine: DeFi Dad, Hall of Flame: Ethereum is ‘woefully undervalued’ but growing more powerful

SEC Chair Gary Gensler Ends Tenure a Year Early to Avoid Trump’s Axe

ChatGPT can’t beat human smart contract auditors yet: OpenZeppelin’s Ethernaut challenges

While ChatGPT-4 can’t compete with human auditors yet, OpenZeppelin noted it was not optimized to do so, and AI models trained for this purpose would likely be more accurate.

While generative artificial intelligence (AI) is capable of doing a vast variety of tasks, OpenAI’s ChatGPT-4 is currently unable to audit smart contracts as effectively as human auditors, according to recent testing.

In an effort to determine whether AI tools could replace human auditors, blockchain security firm OpenZeppelin’s Mariko Wakabayashi and Felix Wegener pitted ChatGPT-4 against the firm’s Ethernaut security challenge.

Although the AI model passed a majority of the levels, it struggled with newer ones introduced after its September 2021 training data cutoff date, as the plugin enabling web connectivity was not included in the test.

Ethernaut is a wargame played within the Ethereum Virtual Machine consisting of 28 smart contracts — or levels — to be hacked. In other words, levels are completed once the correct exploit is found.

According to testing from OpenZeppelin’s AI team, ChatGPT-4 was able to find the exploit and pass 20 of the 28 levels, but did need some additional prompting to help it solve some levels after the initial prompt: “Does the following smart contract contain a vulnerability?”

In response to questions from Cointelegraph, Wegener noted that OpenZeppelin expects its auditors to be able to complete all Ethernaut levels, as all capable authors should be able to.

While Wakabayashi and Wegener concluded that ChatGPT-4 is currently unable to replace human auditors, they highlighted that it can still be used as a tool to boost the efficiency of smart contract auditors and detect security vulnerabilities, noting:

“To the community of Web3 BUIDLers, we have a word of comfort — your job is safe! If you know what you are doing, AI can be leveraged to improve your efficiency.”

When asked whether a tool that increases the efficiency of human auditors would mean firms like OpenZeppelin would not need as many, Wegener told Cointelegraph that the total demand for audits exceeds the capacity to provide high-quality audits, and they expect the number of people employed as auditors in Web3 to continue growing.

Related: Satoshi Nak-AI-moto: Bitcoin's creator has become an AI chatbot

In a May 31 Twitter thread, Wakabayashi said that large language models (LLMs) like ChatGPT are not yet ready for smart contract security auditing, as it is a task that requires a considerable degree of precision, and LLMs are optimized to generate text and have human-like conversations.

However, Wakabayashi suggested that an AI model trained using tailored data and output goals could provide more reliable solutions than chatbots currently available to the public trained on large amounts of data.

AI Eye: 25K traders bet on ChatGPT’s stock picks, AI sucks at dice throws, and more


Euler Finance’s offer to hacker: Keep $20M or face the law

The hacker committed a $196 million flash loan attack on the Ethereum-based lending protocol on March 13.

Ethereum-based noncustodial lending protocol Euler Finance is trying to cut a deal with the exploiter that stole millions from its protocol, demanding the hacker return 90% of the stolen funds within 24 hours or face legal consequences.

Euler Labs sent its ultimatum to the flash loan attacker who exploited the platform for $196 million by transferring the hacker 0 Ether (ETH) with an attached message on March 14:

“Following up on our message from yesterday. If 90% of the funds are not returned within 24 hours, tomorrow we will launch a $1M reward for information that leads to your arrest and the return of all funds.”

The threat of law enforcement comes as Euler sent the hacker a much more civil message the day before.

“We understand you are responsible for this morning’s attack on the Euler platform,” it read. “We are writing to see whether you would be open to speaking with us about any potential next steps.”

The request for a 90% fund return would see the hacker send back $176.4 million while holding onto the remaining $19.6 million.

However, many observers have noted that the hacker has very little to no incentive to follow through with the deal.

“If I was the hacker I’d simply say ‘to anyone who manages to track me down, I will give you $2 million not to tell Euler,’” one observer said.

“Yeh he has 200 Million they have 2 Million. He wins in a bidding war,” another Twitter user wrote in response.

Euler Labs said it was already working with law enforcement in the United States and the United Kingdom, along with engaging blockchain intelligence platforms Chainalysis, TRM Labs and the broader Ethereum community, to help track down the hacker.

Related: DeFi protocol Platypus suffers $8.5M flash loan attack, suspect identified

The lending platform added it was able to promptly stop the flash loan attack by blocking deposits and the “vulnerable” donation function.

As for the exploited code, the team explained that the vulnerability “was not discovered” in the audit of its smart contract, which had existed on-chain for eight months until being exploited on March 13.
