Thanks to Ripple Labs’s landmark win against the U.S. Securities and Exchange Commission (SEC) in July 2023, the crypto industry’s general attitude has become noticeably rosier and newly optimistic. Even if the SEC has vowed to appeal the ruling.
So to no one’s surprise, traditional financial (TradFi) institutions suddenly want a piece of the cryptocurrency pie again. Enter PayPal announcing the launch of PYUSD, a proprietary stablecoin backed by the U.S. dollar in early August.
The problem? What was intended to be a milestone in TradFi adoption has landed with a thud amongst crypto natives, and it's not due to some personal vendetta.
Guy Vider is the co-founder and chief technology officer of Kima.
On a line-by-line basis in the smart contract’s code, PYUSD presents a litany of problems and vulnerabilities that clash directly with crypto’s decentralized framework. Without addressing these issues now, PayPal opens up Pandora’s box for other institutions to feel as though the rules of crypto don’t apply to them, giving them a license to remake the industry in their image and bulldoze over a well-established community.
PayPal’s centralized code conundrum
Before diving into PYUSD’s actual code, it’s worth mentioning the token’s purpose: to be purchased only from PayPal, and (currently) sold back only to PayPal. If that sounds familiar, it’s essentially a revamped crypto version of a walled garden or a closed loop of financial activity.
That doesn’t sound too awful, but given PayPal’s history of censorship, unilateral account closures, asset seizures and general lack of transparency, you would be right to question a crypto token controlled by an entity that can swipe your funds for the slightest of reasons.
One caveat to also note is that these opinions are based on the initial PYUSD contract unveiled in early August, and that contract’s code can be changed at any time. For all we know, it is nothing more than a beta.
But immediately when examining PYUSD’s code certain vulnerabilities emerge. Some of these issues are inherent to smart contracts, like freezing and even potentially wiping out account balances if it's exploited. That would undoubtedly undermine trust in the stablecoin and deter adoption.
Speaking of security, we can’t ignore the stablecoin’s blacklist function. To be clear, other leading stablecoins, such as Circle's USDC and Tether's USDT, use a built-in blacklisting mechanism to combat hackers and criminals from accessing them. Using a blacklist is practically an industry standard.
Implementing a blacklist, however, requires either a government order or proof of a hack to lock funds — and they can be unlocked at any time should circumstances change.
PYUSD’s code has a function called “wipeFrozenAddress” that “Wipes the balance of a frozen address, and burns the tokens.” This means the tokens are taken from the user and wiped from the total supply of tokens with no recourse, akin to throwing dollar bills into an incinerator.
PYUSD also has a built-in “pause” functionality, suggesting that PayPal can stop transfers or trades of its tokens universally at any time, potentially causing a massive loss of value. Imagine if the U.S. government could push a button and make all the physical dollar bills in your wallet unusable until further notice, and you only found out when you tried to buy a cup of coffee.
With PYUSD, the discretion of confiscating funds from users remains solely in the hands of a company that has shown time and again it cannot be trusted with such power.
See also: Crypto Means Absolutely Nothing Without Censorship Resistance | Opinion (2022)
Additionally, the code’s “assetProtection” feature threatens crypto’s decentralized perspective, echoing the faults within TradFi that instigated the birth of crypto and decentralized finance (DeFi) to begin with.
This “centralization attack vector" only further serves to position PYUSD more as a digital version of traditional fiat currency rather than the intended decentralized stablecoin it wants to be.
What does that mean for everyone else?
Code flaws aside, a major financial player like PayPal entering the stablecoin arena does signify a notable shift in the stance of TradFi towards crypto.
Considering PayPal’s influence, it would be unsurprising if other major payment processors, who have already begun dipping their toes in crypto’s waters, take this as a cue to drastically up their pursuit of similar ventures. But they would be ill-advised to simply copy and paste PayPal’s proposition at face value.
In the short term, cryptocurrency exchanges and other projects will likely try to ride PayPal’s outsized reach and user base by listing or adding support for PYUSD. Crypto companies will probably experiment with its capabilities and borrow the sheer name recognition that PayPal brings to divert attention to their own products.
In the long term, however, it is likely that those concerned with preserving decentralization may hesitate to fully embrace PYUSD over more established, regulated, or non-regulated stablecoins due to PayPal’s punitive history and lack of liquidity.
But even if PYUSD is a misfire, the overall changing TradFi sentiments in the wake of PayPal’s stablecoin move signal an increasingly positive future for DeFi and crypto in general.
See also: Reject CBDCs, Embrace the Right to Transact | Opinion
Looking into the features encoded within PayPal’s smart contract spotlights its insistent over-reaching centralized control of users’ finances. Features such as its sole determinations of “misinformation” and subsequent sole discretion to impose financial penalties are equally if not more worrisome.
Likewise, its ability to transfer all funds from user wallets into PayPal leaves many crypto natives hesitant to adopt, viewing it as antithetical to the principles of cryptocurrency, potentially causing hesitation among potential adopters.
Ultimately, PayPal’s foray into the stablecoin market showcases the wrong way to merge paths between TradFi and the crypto sector. If PYUSD is to gain true and lasting traction, PayPal needs to address centralization concerns and ensure its resilience against current and future vulnerabilities.