An expert has discovered that Brazil’s central bank would have the power to block, drain, freeze, and change balances in users’ CBDC accounts.
Brazil’s CBDC pilot can freeze and drain accounts
Brazilian authorities are developing the digital Real as a pilot project, and its functions still need to be determined. A critical new finding in the code of Brazil’s central bank digital currency (CBDC) pilot system has prompted some questions and concerns about financial privacy.
Pedro Magalhães, a Blockchain developer and founder of technology consulting firm Iora Labs, claims to have discovered functions in the CBDC code that would allow the Brazilian authority to change users’ accounts. The developer shared his findings through various social media channels shortly after the Central Bank of Brazil uploaded a collection of documents related to the CBDC, also called Real Digital, to the Banco Central do Brasil GitHub repository. The repository contains information needed by participants in the pilot program while allowing for public system audits.
Magalhães, who also published an article in Brazilian media outlet Portal do Bitcoin detailing the revelations, claimed to have “reverse engineered” the open source code of the digital Real, finding that functions include freezing and draining funds from an address at the authority’s discretion.
Significant findings in the Digital Real code
The report lists over a dozen functions, including the ability to freeze and unfreeze accounts, increase and decrease balances, deactivate and activate accounts, move balances from one address to another, pause and resume transactions, and create or burn (destroy) coins from any address.
“Any entity authorized by the Central Bank can execute these functions through another function (also present in the source code), called Access Control,” Magalhães explained in the note to Portal do Bitcoin.
“They can also use the functions in the main network, which is the system that everyone will use daily and created using Hyperledger Besu technology to build this network,” he added.
Brazil’s monetary authority has previously indicated that it intends to use the CBDC pilot project only in a test environment. The authors could still modify many of these functions later should they proceed with the project. Magalhães said that it is “likely” that the central bank will retain these functions for secured lending and other decentralized finance-based (DeFi) transactions. However, in his view, the problem lies in the code’s lack of specificity about the circumstances under which someone could freeze the accounts and about the power to execute such functions.
“It is one thing to agree on a transaction and execute a DeFi transaction involving different blockchains. It is another thing entirely for an institution to be able to freeze the balance on its initiative, which is precisely how they have developed smart contracts.”
The expert also said that the public should openly expose and discuss these aspects of the system, something that “has not yet been done,” as he told that newspaper. He also noted that several of these functions have a counterpart in existing Brazilian Central Bank payment systems such as SPB and Pix.
Brazil moves forward with CBDC testing
Magalhães made the discovery thanks to his expertise in Solidity, the programming language Brazil’s authority uses to develop the digital Real. He did so through the Application Binary Interface (ABI), which is “basically a way to interact with smart contracts in Ethereum. It’s like a manual that says how to read and write the contract.”
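To illustrate the kind of ABI review described above, the following added example (not code from this article, from Magalhães, or from the central bank's repository) scans a contract ABI for state-changing functions that fall into the capability categories listed in the report. The ABI fragment, its function names, and the keyword list are constructed assumptions.

```python
import json

# Constructed ABI fragment; names are hypothetical, not the pilot's real ABI.
SAMPLE_ABI = json.loads("""[
 {"type":"function","name":"balanceOf","stateMutability":"view","inputs":[{"name":"account","type":"address"}]},
 {"type":"function","name":"transfer","stateMutability":"nonpayable",
  "inputs":[{"name":"to","type":"address"},{"name":"amount","type":"uint256"}]},
 {"type":"function","name":"freezeAccount","stateMutability":"nonpayable","inputs":[{"name":"account","type":"address"}]},
 {"type":"function","name":"burnFrom","stateMutability":"nonpayable",
  "inputs":[{"name":"account","type":"address"},{"name":"amount","type":"uint256"}]},
 {"type":"function","name":"moveBalance","stateMutability":"nonpayable",
  "inputs":[{"name":"from","type":"address"},{"name":"to","type":"address"},{"name":"amount","type":"uint256"}]},
 {"type":"function","name":"pause","stateMutability":"nonpayable","inputs":[]},
 {"type":"event","name":"Paused","inputs":[{"name":"by","type":"address"}]}
]""")

# Capability categories taken from the report; the keywords are assumptions.
CATEGORIES = {
    "freeze/unfreeze": ("freeze",),
    "balance adjust": ("increase", "decrease"),
    "activate/deactivate": ("activate",),
    "forced move": ("move",),
    "pause/resume": ("pause", "resume"),
    "mint/burn": ("mint", "burn"),
}

def canon(p):  # ABI type string; tuples expand to (t1,t2) plus any array suffix
    if p["type"].startswith("tuple"):
        return "(" + ",".join(map(canon, p.get("components", []))) + ")" + p["type"][5:]
    return p["type"]

def signature(e):
    return f"{e['name']}({','.join(map(canon, e.get('inputs', [])))})"

def audit_abi(abi):
    """Return (signature, category, takes_address) for state-changing functions."""
    findings = []
    for e in abi:
        if e.get("type") != "function" or e.get("stateMutability") in ("view", "pure"):
            continue  # events, constructors and read-only calls cannot alter balances
        for category, words in CATEGORIES.items():
            if any(w in e["name"].lower() for w in words):
                takes_addr = any(p["type"] == "address" for p in e.get("inputs", []))
                findings.append((signature(e), category, takes_addr))
                break
    return findings

if __name__ == "__main__":
    print(*audit_abi(SAMPLE_ABI), sep="\n")
```

An ABI shows which functions exist and what arguments they take, not who is allowed to call them; the role checks live in the contract code and its access-control configuration.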
The digital pilot runs on Hyperledger Besu, a privately operated Ethereum Virtual Machine (EVM) compatible blockchain. According to reports, however, the authority plans to build its own Layer 1 blockchain network for the final project. The developer has already provided feedback on the project on the Iora Labs GitHub repository.
The Central Bank of Brazil began its CBDC pilot program this year in partnership with 14 financial institutions, including Bradesco, Nubank, Itaú, and, most recently, Bitcoin Market. There is no date yet for an official public launch of the system. The authority has indicated that it plans to continue testing before taking steps in that direction. As more nations explore their digital currencies, concerns have emerged about CBDCs’ ability to invade privacy and infringe on people’s financial freedom.