Updated with Paxos comment:

Stablecoins, cryptocurrencies tied to tangible assets such as fiat currency, have been gaining more attention recently after two were recently given regulatory approval. Now the security of one is being questioned after a security “backdoor” opening was discovered in its code.

The stablecoin in question is the Paxos Trust Co. LLC’s Paxos Standard token or PAX, a one-to-one U.S. dollar-linked stablecoin that launched at the same time it gained regulatory approval.

First reported Thursday by The Next Web, the code for PAX has been found to have a function called “setLawEnforcementRole” that creates a new Ethereum address with administrative permissions over the circulating PAX supply. The new addresses come with additional functions including “freeze” and “wipeFrozenAddress” that lets “authorities” freeze wallets and addresses at will as well as allowing the destruction of any assets they possess.

As the name would suggest, it would appear that the backdoor has been created to allow law enforcement to access, freeze and even seize assets from those holding PAX tokens. Although there are reasonable arguments either way as to whether law enforcement should be given access in this way, the more serious problem is that the mere fact that the backdoor exists to begin with opens up the potential for PAX to be hacked.

A Paxos spokesperson countered that “we have no intention of ever giving unrestricted access to our code directly to law enforcement (or anyone else, for that matter).” She added that “the lawEnforcementRole is specifically intended for use only when we are required to do so by law.”

An audit undertaken of the Paxos code by Nomic Labs published Sept. 10 claimed that the code has no major issues but then does mention the setLawEnforcementRole in passing.

“Being able to freeze the systems is a desired capability to keep the token KYC friendly,” the audit found. “However, the current implementation doesn’t protect against front running. A highly sophisticated attacker might observe non-settled freeze attempts in the blockchain and race it with a transaction to transfer the coins from the being-frozen address to a second address in a cat-and-mouse game.” Put more simply, the existence of the feature means that it could be hacked.

Paxos said code is written because it’s required to have the capability to freeze or seize tokens. “Paxos has always been compliant as a core principle,” the spokesperson said. “We believe that there is a healthy market — especially amongst institutional investors who are also regulated and can only work with financial institutions like ours — who prefer to work with regulated and compliant entities and want the protection and stability of the government. We have always been clear that this is our approach.”

Indeed, the spokesperson said, “in the initial announcement about approval from our regulator, the New York State Department of Financial Services, they clearly stated that we were approved based on stringent requirements that we implement, monitor and update controls to prevent Paxos Standard from being used in connection with money laundering, terrorist financing or other illegal activities.”

Image: Paxos