Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Stablecoin issuer Paxos admitted in a statement that the account that paid out nearly 20 BTC in fees in a single transaction in the early hours of September 11 belonged to the company. Paxos claims that end users have not been affected and that all user funds are safe. The announcement came after users on Twitter speculated that PayPal could be responsible for the transaction, because analytics platform OXT had identified the relevant wallet accounts as belonging to PayPal.

A Paxos spokesperson said: "PayPal takes no responsibility for this as this error was caused by Paxos itself. This transaction affected Paxos company operations; Paxos customers and end users were not affected, and all customer funds are safe. This was caused by a vulnerability in a single transfer, which has now been fixed. Paxos is contacting miners to recover the funds."

Attack method (per SlowMist): Transfer Vulnerability. Reported loss: $500,000.
- chain: —
- protocol: Paxos
- bug_class: unknown
- date_occurred: 2023-09-11
- loss_usd: $500,000
- source_id: sm:paxos::2023-09-11