August 14, 2023

PayPal Launches PYUSD Stablecoin: Analysis of Centralized Stablecoins' Smart Contracts

On August 7th, payment giant PayPal announced the launch of the PayPal USD (PYUSD) stablecoin. This stablecoin is issued by Paxos and its contract has been deployed on the Ethereum mainnet. Upon inspecting its contract code, it becomes evident that the PYUSD contract code is quite similar to that of USDP, another stablecoin issued by Paxos. The only notable difference is the addition of an external function called "increaseSupply."

Centralized stablecoins primarily operate by collateralizing with fiat currencies. The stablecoin issuer will stake assets such as fiat currency in a bank account as a reserve for its on-chain stablecoins. This article primarily employs Beosin VaaS to scan stablecoins' smart contracts, examining their logic and uncovering differences among various types of centralized stablecoins.


1.  Potential Fees

USDT employs two variables, namely "basisPointsRate" and "maximumFee," to define the fees users need to pay to Tether Ltd. when using USDT. The highest fee is set at 50 USDT. Currently, these two variables are both set to 0, indicating that users do not need to pay any additional fees to Tether Ltd. when using USDT.

Contract Address:

2.  Blacklist

Tether Ltd. has implemented a blacklist function in the USDT token contract. If an address is added to the blacklist, that address is restricted from invoking the "transfer()" or "transferFrom()" functions to move USDT. Moreover, Tether Ltd. can call the "destroyBlackFunds()" function, which sets the USDT balance of a blacklisted user to 0.

Contract Address:


USDC does not impose any fees. Similar to USDT, USDC also employs a blacklist mechanism where addresses on the blacklist are unable to invoke any functions of the USDC contract. However, USDC does not possess a function akin to USDT's "destroyBlackFunds()" function.

All external functions of USDC require that the address is not on the blacklist.


1.  Blacklist

The code of USDP, BUSD, and PYUSD is fundamentally similar. Like other centralized stablecoins, they also feature a blacklist functionality, enabling the addition of an address to the "frozen" list to restrict transfers related to USDP and PYUSD. USDP, BUSD, and PYUSD have a function called "wipeFrozenAddress()," which serves a purpose similar to USDT's "destroyBlackFunds()" function, resetting the stablecoin balances of addresses in the "frozen" list to 0.

2.  Whitelist

USDP, BUSD, and PYUSD introduce the concept of "assetProtectionRole," akin to a whitelist. Addresses assigned the "assetProtectionRole" can add an address to the "frozen" list or invoke the "wipeFrozenAddress()" function.

3.  Gasless Transfers

USDP, BUSD, and PYUSD further provide two functions: "betaDelegatedTransfer()" and "betaDelegatedTransferBatch()." These allow users to initiate stablecoin transfers without incurring gas fees, by providing signed information and enabling approved parties to act as proxies for users in the transaction.
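The blacklist behaviour compared in the sections above can be run as a small Python model. This is an added example, not code from the USDT, USDC or Paxos contracts: the `Token` class, the method names `block` and `wipe`, the single `admin` address and the sample addresses are assumptions made for illustration.

```python
# Toy model of the blacklist semantics described in the article (not the deployed Solidity).
from dataclasses import dataclass, field

@dataclass
class Token:
    name: str
    admin: str       # assumed: one address holding the issuer's privileged role
    can_wipe: bool   # contract has destroyBlackFunds() / wipeFrozenAddress()
    balances: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def _only_admin(self, caller):
        if caller != self.admin:
            raise PermissionError("caller lacks the privileged role")

    def block(self, caller, addr):
        """Add addr to the blacklist / "frozen" list."""
        self._only_admin(caller)
        self.blocked.add(addr)

    def transfer(self, sender, to, value):
        if sender in self.blocked:
            raise PermissionError("sender is blacklisted/frozen")
        if self.balances.get(sender, 0) < value:
            raise ValueError("insufficient balance")
        self.balances[sender] -= value
        self.balances[to] = self.balances.get(to, 0) + value

    def wipe(self, caller, addr):
        """Zero a blocked balance, where the contract offers such a function."""
        self._only_admin(caller)
        if not self.can_wipe:
            raise NotImplementedError(f"{self.name} has no balance-wiping function")
        if addr not in self.blocked:
            raise ValueError("address must be blacklisted/frozen first")
        wiped, self.balances[addr] = self.balances.get(addr, 0), 0
        return wiped

def holder_outcome(token, holder="0xHolder", amount=1_000):
    """Same scenario on each token: block the holder, try a transfer, try a wipe."""
    token.balances[holder] = amount          # constructed sample balance
    token.block(token.admin, holder)
    try:
        token.transfer(holder, "0xOther", 1)
        movable = True
    except PermissionError:
        movable = False
    try:
        token.wipe(token.admin, holder)
    except NotImplementedError:
        pass                                 # USDC: funds stay frozen but intact
    return {"can_transfer": movable, "balance": token.balances[holder]}

PROFILES = {"USDT": True, "USDC": False, "PYUSD": True}   # can_wipe per the article
RESULTS = {n: holder_outcome(Token(n, "0xIssuer", w)) for n, w in PROFILES.items()}
```

For anyone holding or integrating these tokens, `RESULTS` shows the practical difference: a blocked USDC balance is immobilised, while a blocked USDT or Paxos-issued balance can also be set to zero by the issuer.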


Centralized stablecoins adopt blacklist mechanisms to meet regulatory and anti-money laundering requirements. Stablecoins issued by Paxos offer some innovations compared to USDT and USDC. PayPal's deployment of stablecoins on public blockchains will further advance the USD stablecoin market, enabling millions of users to enter the realm of cryptocurrency through the PayPal payment platform.

Beosin is a leading global blockchain security company co-founded by several professors from world-renowned universities. The team includes 40+ PhDs and has offices in 10+ cities including Hong Kong, Singapore, Tokyo and Miami. With the mission of "Securing Blockchain Ecosystem", Beosin provides an "All-in-one" blockchain security solution covering Smart Contract Audit, Risk Monitoring & Alert, KYT/AML, and Crypto Tracing. Beosin has audited more than 3000 smart contracts, including the well-known Web3 projects PancakeSwap, Uniswap, DAI and OKSwap, all of which are monitored by Beosin EagleEye. Its KYT/AML service serves 100+ institutions including Binance.

