Trust – white hat hacker and head of Smart Contract Auditing Firm Trust Security – sheds some light on a special feature of the smart contract powering PayPal’s new stablecoin PYUSD.
In a recent tweet, Trust pointed out that they have “seen a lot of criticism of PayPal for using an old Solidity compiler.”
Seen a lot of dunking on @PayPal for using an ancient Solidity compiler. Here's why I think it is actually a 200IQ move! 🧵 pic.twitter.com/jYN5eRNiNT
— Trust (@trust__90) August 8, 2023
As noted in a recent article, an analysis of the smart contract revealed that the company was using Solidity compiler version 0.4.24.
Considering that version 0.4.24 of Solidity was released on May 16, 2018, it turns out that PayPal’s chosen version was indeed ancient. Yet this is not necessarily a bad thing.
Trust explained that when choosing a Solidity compiler version, a programmer is looking for a compromise where the latest versions guarantee lower gas consumption and more features. Older versions, on the other hand, have been tested longer and contain fewer unknowns.
In other words, older compilers are less likely to contain unknown vulnerabilities. He concluded that someone might want to use an older version “because it has stood the test of time.”
Furthermore, Trust also pointed out that PayPal’s token is powered by a single short smart contract and the Safe math library. This shallow complexity system requires no new features, with the goal being “ultra-robust code that will be used for the next 10+ years, not to do anything special.”
Trust also explained: “The simpler the codebase and the fewer integrations with external code, the sooner you can set the compiler version and get away with it.”
Additionally, this is also in line with the cybersecurity principle of reducing the attack surface – where programmers try to make a system as simple and barebones as possible to reduce the chance of vulnerabilities hiding in unnecessary complexity and libraries.
Trust further emphasized that “immutable smart contracts are inherently different from traditional software” as there are no “periodic patch days or emergency releases.” The only viable approach is to “hope that all components of the codebase are secure at some point in time,” and that PayPal developers “can now rely on five years of compiler testing.”
