Paxos Standard (PAX) Audit Report Released Online
Nomic Labs, a smart contract and decentralized system auditing company, just released its audit report for the Paxos Standard (PAX), including the Paxos Stablecoin system.
You can view the full report here: https://medium.com/nomic-labs-blog/paxos-standard-pax-audit-report-ca743c9575dc.
“We conducted two security audits of the Paxos Stablecoin system, Paxos Standard (PAX), and no vulnerabilities were found,” according to auditors at Nomic Labs.
However, security auditors did have recommendations around the Paxos system. The Paxos team has already responded to those recommendations.
Earlier this week, New York-based Paxos released a USD-backed stablecoin approved by New York regulators. The news came the same day as the release of the Gemini Coin, launched by crypto exchange giant Gemini as another New York regulator-approved, USD-backed stablecoin.
Paxos is described as a Blockchain Trust company. The company markets itself as “a fiduciary and qualified custodian of customer funds.” Now, it aims to enter the market in a big way with the launch of a safe, regulated stablecoin.
What Did Auditors Find?
Typically, Nomic Labs will separate its audit into different issues based on severity, including critical severity, high severity, medium severity, and low severity. Auditors did not find issues with any level of severity during the Paxos audit.
Auditors did have four recommendations and comments for the Paxos project, including:
- Consider using pragma experimental “v0.5.0”, as it’s been recommended by Solidity since version 0.4.21. This pragma opts in to upcoming breaking changes.
- StablecoinImplementation#initialize returns an unused boolean. The intention for doing so is not clear. We recommend documenting it or removing the return value.
- StablecoinImplementation#setSupplyController and transferOwnership emit events before modifying the state. We recommend using the Checks-Effects-Interactions Pattern in every function that modifies the state.
- StablecoinImplementation#setSupplyController doesn’t check that _newSupplyController is not 0x0, which can lead to accidental misconfigurations in the system.
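To make the third and fourth recommendations concrete, here is an added illustration written for this summary; it is not Paxos's StablecoinImplementation nor code from the Nomic Labs report. It assumes a minimal, hypothetical contract with an owner and a supply controller, and shows the setter as the audit describes it (event emitted before the state write, no zero-address guard) next to a version that applies the zero-address check and orders the function as checks, then effects, then the event. It also uses the experimental v0.5.0 pragma from the first recommendation.

```solidity
pragma solidity ^0.4.24;
pragma experimental "v0.5.0"; // opt in to the upcoming breaking changes (recommendation 1)

// Hypothetical minimal contract, constructed for this example only.
// Pattern the audit flagged: event emitted before the state change,
// and no check that the new controller is a real address.
contract SupplyControllerBefore {
    address public owner;
    address public supplyController;

    event SupplyControllerSet(address indexed oldSupplyController, address indexed newSupplyController);

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor() public {
        owner = msg.sender;
    }

    function setSupplyController(address _newSupplyController) public onlyOwner {
        // Log first, then write: the log describes state that is not yet committed,
        // and a zero address is accepted, which silently disables supply control.
        emit SupplyControllerSet(supplyController, _newSupplyController);
        supplyController = _newSupplyController;
    }
}

// Hardened version following the Checks-Effects-Interactions ordering.
contract SupplyControllerAfter {
    address public owner;
    address public supplyController;

    event SupplyControllerSet(address indexed oldSupplyController, address indexed newSupplyController);

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor() public {
        owner = msg.sender;
    }

    function setSupplyController(address _newSupplyController) public onlyOwner {
        // Checks: refuse the zero address so a misconfiguration cannot
        // leave the system with no controller.
        require(_newSupplyController != address(0), "supply controller cannot be the zero address");

        // Effects: commit the new state before anything else observes it.
        address oldSupplyController = supplyController;
        supplyController = _newSupplyController;

        // Interactions (here, the event log): emitted only after the state
        // it reports has actually been written.
        emit SupplyControllerSet(oldSupplyController, _newSupplyController);
    }
}
```

Neither ordering is exploitable on its own in a setter with no external call, which is consistent with the audit recording these as recommendations rather than findings. The value of applying the pattern uniformly is that every state-changing function, including ones that later gain an external call or a callback, already has its state committed before control can leave the contract, and the zero-address guard turns an operator typo into a reverted transaction instead of a silently broken system.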
Paxos has responded to all four of the comments and recommendations.
The Nomic Labs audit also mentioned another interesting thing about the Paxos system: the Paxos stablecoin is an ERC20 token, but ERC20 functions like allowance, approve, and transferFrom are not present.
“Removing these functions will decrease the interoperability of the token, as most contracts dealing with ERC-20 use them. For instance, the 0x protocol uses them to execute trades without getting custody of the users’ funds.”
Paxos provided an explanation to auditors describing why these functions were not included. However, the Nomic Labs auditors “consider the explanation to be incomplete.” Later, Nomic Labs updated their audit to explain that Paxos had added the standard implementation for ERC-20 tokens.
Another important thing to note is the Paxos approach to law enforcement. The auditors noted that Paxos has the ability to freeze the system to keep the token KYC friendly.
“However, the current implementation doesn’t protect against front running. A highly sophisticated attacker might observe non-settled freeze attempts in the blockchain and race it with a transaction to transfer the coins from the being-frozen address to a second address in a cat-and-mouse game.”
Paxos responded by stating that pausing the contract is a highly visible and highly disruptive action for the utility of the token because it does not allow anyone to transfer. Paxos does have a system in place to mitigate front running.
They’ll submit freeze transactions with high gas prices, for example, to ensure the transactions are quickly mined into the blockchain, removing the potential for a “cat and mouse” game.
Despite the numerous comments and recommendations, auditors from Nomic Labs insisted they found no major issues during their audit of Paxos:
“No security issues were found. Some changes were proposed to reduce potential attack surface, and the Paxos team has applied the fixes described above.”
Earlier this week, it was reported that Paxos, a Blockchain Trust company, had launched a USD-backed stablecoin approved by US regulators. The news was announced at the same time as the Gemini Dollar announcement – another USD-backed stablecoin approved by New York regulators.
In any case, it looks like the Paxos stablecoin and Gemini Dollar will compete with each other over the coming months. Based on this audit from the smart contract security professionals at Nomic Labs, Paxos has no security issues at present.