Brazilian CBDC pilot source code includes methods to freeze, drain wallets
Brazil's CBDC pilot includes functions to freeze and unfreeze wallets, as well as functions to move, mint, and burn funds.
Banco Central do Brasil published the source code for its CBDC on GitHub last week and allowed the public to conduct an audit of the system’s code.
Developers soon found concerning functionality in the source code of Brazil’s CBDC pilot, including mechanisms to control individual wallets and the funds they hold.
Concerning functions
Developers quickly began analyzing the code and found that the smart contract included admin functionality called “Access Control,” which the central bank could share with trusted entities.
Access Control in this context functions similarly to administrative rights or privileges on a computer network. Its main purpose is to allow trusted entities to mint and burn the CBDC token on any address in the system.
Full-stack developer Pedro Magalhães reverse-engineered the code and found a number of concerning functions that can be executed by entities that have Access Control permission.
These include freezing and unfreezing of wallets; increasing or decreasing the frozen funds; moving funds from one address to another; and pausing withdrawals and transfers.
Magalhães shared a list of the functions:
“- disableAccount: Disables an account authorized to transfer tokens.
- enableAccount: Enables a previously disabled account for token transfers.
- increaseFrozenBalance: Increases the frozen balance of a wallet address.
- decreaseFrozenBalance: Decreases the frozen balance of a wallet address.
- transfer: Overrides the ERC20 transfer function to include account status checks and frozen balances.
- transferFrom: Overrides the ERC20 transferFrom function to include account status checks and frozen balances.
- mint: Creates new Real Digital tokens for a specified address.
- burn: Burns (destroys) a specified amount of Real Digital tokens.
- pause: Pauses token transfers.
- unpause: Resumes token transfers.
- frozenBalanceOf: Retrieves the frozen balance of a wallet address.
- authorizedAccount: Checks if an account is authorized for token transfers.
- move: Transfer tokens from one wallet to another.
- moveAndBurn: Transfer and burn tokens from a wallet.
- burnFrom: Burns tokens from a specified account.”
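To make the effect of these controls concrete for anyone auditing such a contract, here is an added Python model of a subset of the listed functions. It is not the central bank's code or Magalhães's. The single "ACCESS" role, the rule that spendable balance equals balance minus frozen balance, the sender-only status check, and the behaviour of move (no holder consent, ignores the frozen balance) are assumptions made for illustration.

```python
class Unauthorized(Exception): pass
class TransferBlocked(Exception): pass

class PilotTokenModel:
    """Constructed model of the listed controls; not the pilot's contract."""
    def __init__(self, admin):
        self.access = {admin}      # assumption: one role holds every privilege
        self.balance, self.frozen = {}, {}
        self.disabled = set()
        self.paused = False
        self.log = []              # audit trail of privileged calls

    def _priv(self, caller, action, *args):
        # Every privileged entry point passes through this one gate.
        if caller not in self.access:
            raise Unauthorized(action)
        self.log.append((caller, action) + args)

    def _shift(self, src, dst, amount):
        if self.balance.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balance[src] -= amount
        self.balance[dst] = self.balance.get(dst, 0) + amount

    def mint(self, caller, to, amount):
        self._priv(caller, "mint", to, amount)
        self.balance[to] = self.balance.get(to, 0) + amount

    def disable_account(self, caller, acct):
        self._priv(caller, "disableAccount", acct)
        self.disabled.add(acct)

    def increase_frozen_balance(self, caller, acct, amount):
        self._priv(caller, "increaseFrozenBalance", acct, amount)
        self.frozen[acct] = self.frozen.get(acct, 0) + amount

    def spendable(self, acct):
        return self.balance.get(acct, 0) - self.frozen.get(acct, 0)

    def transfer(self, sender, to, amount):
        # Holder-initiated path: pause, account status and frozen balance apply.
        if self.paused: raise TransferBlocked("paused")
        if sender in self.disabled: raise TransferBlocked("account disabled")
        if amount > self.spendable(sender): raise TransferBlocked("frozen funds")
        self._shift(sender, to, amount)

    def move(self, caller, src, dst, amount):
        # Privileged path (assumed semantics): acts on src without its consent.
        self._priv(caller, "move", src, dst, amount)
        self._shift(src, dst, amount)
```

In a review, the questions this model raises are who holds the privileged role, how it is granted or revoked, and whether every privileged call leaves an on-chain record comparable to the log kept here.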
The Brazilian central bank confirmed that the code included these functions in the test version of the CBDC. However, it did not clarify whether these functions would be present in the final version as well or if they are just there for test purposes.
The watchdog also told local media that such functionality already exists in the traditional financial system in some form to combat illicit financial activity, and their use is heavily regulated by the government.
Fears
The cryptocurrency sector has persistently raised concerns that a CBDC could curtail financial freedom by limiting participation in the financial system. Some argue that governments cannot be trusted with such overt control of an individual’s finances and that financial privacy is a basic human right.
The Brazilian CBDC pilot, which includes some of the very functions privacy advocates have warned about, has been identified by the community as an immediate cause for concern.
Famous whistleblower Edward Snowden has been warning of the risks of CBDCs becoming “policy tools” for years. He said in a recent interview that CBDCs are “cryptofascist currencies” that could “annihilate” the savings of an average wage worker.
Many U.S. lawmakers share these concerns and are working on methods to try to block the development of CBDCs in the country. The Federal Reserve has publicly stated that it does not intend to develop a CBDC because current systems are already up to par for domestic transactions.
However, the U.K. and most of Europe do not share these sentiments and are in various stages of developing their own CBDCs.