Explained: The Paxos PYUSD Incident (October 2025)

POSTED BY: Rob Behnke

10.22.2025

In October 2025, Paxos suffered an incident where approximately $300 trillion worth of PYUSD, a regulated stablecoin created by PayPal, was accidentally created. This flubbed internal transfer demonstrates the risks of centralized control and the limitations of stablecoin regulation.

Inside the Incident

The Paxos incident was the result of an incorrect internal transfer within Paxos. A typo in a transaction caused an intended $300 million transfer to balloon to $300 trillion. As a result, an amount of currency worth 2.5x the global GDP was credited to a Paxos-controlled account.

After discovering the issue, Paxos quickly moved to resolve it; however, blockchain immutability means that a transaction recorded on-chain can’t just be reversed. Instead, the tokens were transferred to a burn address with an unknown private key, making them inaccessible to anyone. With the supply of PYUSD restored to normal, Paxos was able to perform the internal transfer again at the intended $300 million.

The incident was possible because the supply of PYUSD was managed by a single externally owned account (EOA) with unlimited mint privileges. With no multi-signature wallet or built-in controls in place, that account could mint new tokens without appropriate reserves or any other check.

In the wake of the incident, Aave and other protocols froze trading on PYUSD until the dust settled. The mistake also threatened the firm’s efforts to get a national trust charter with the OCC.

Lessons Learned from the Incident

The Paxos PYUSD incident demonstrated the limitations of regulated stablecoins without technical controls. While the PYUSD currency operated under certain rules, the reality is that these rules could be broken by anyone with control over a particular private key. While this incident was caused by a Paxos employee and quickly reversed, an attacker with control over that key could have performed a similar malicious mint, cashed out, and completely destroyed the value of the cryptocurrency.

As stablecoins increasingly move into the mainstream and operate under regulatory scrutiny, it is vital that issuers implement security best practices that protect their tokens and enforce compliance with regulatory requirements. In this case, the introduction of a multi-sig wallet and built-in guardrails on minting could have prevented an accidental mint of this scale.
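The two controls named above, an approval threshold and built-in limits on minting, sketched as an added example (not Paxos or PYUSD code). It models the checks in Python rather than contract code; the approver names, the 6-decimal unit, the per-mint cap, and the reserve and supply figures are all assumed values.

```python
from dataclasses import dataclass, field

UNIT = 10**6  # assumption: token uses 6 decimal places

@dataclass
class MintPolicy:
    """Hypothetical mint gate: M-of-N approval, per-mint cap, reserve ceiling."""
    approvers: frozenset   # identities allowed to approve (assumed names)
    threshold: int         # approvals required before a mint executes
    max_per_mint: int      # hard ceiling for one mint, in base units
    reserves: int          # attested reserves, in base units
    supply: int = 0
    pending: dict = field(default_factory=dict)  # (to, amount) -> approvers

    def approve(self, signer, to, amount):
        """Record one approval; return True only when the mint executes."""
        if signer not in self.approvers:
            raise PermissionError("signer is not an approver")
        if not 0 < amount <= self.max_per_mint:
            raise ValueError("amount outside per-mint limit")
        if self.supply + amount > self.reserves:
            raise ValueError("mint would exceed attested reserves")
        # Approvals bind to the exact (recipient, amount) pair, so a mistyped
        # amount never accumulates votes meant for the intended one.
        votes = self.pending.setdefault((to, amount), set())
        votes.add(signer)
        if len(votes) < self.threshold:
            return False
        del self.pending[(to, amount)]
        self.supply += amount
        return True

def sample_policy():
    """Constructed figures for illustration only."""
    return MintPolicy(approvers=frozenset({"ops-1", "ops-2", "ops-3"}),
                      threshold=2, max_per_mint=500_000_000 * UNIT,
                      reserves=3_000_000_000 * UNIT,
                      supply=2_600_000_000 * UNIT)

if __name__ == "__main__":
    p = sample_policy()
    try:
        p.approve("ops-1", "treasury", 300_000_000_000_000 * UNIT)
    except ValueError as err:
        print("typo rejected:", err)
    print(p.approve("ops-1", "treasury", 300_000_000 * UNIT))  # False
    print(p.approve("ops-2", "treasury", 300_000_000 * UNIT))  # True
```

With these constructed limits, a $300 trillion request fails the per-mint cap before any approval is recorded, and the intended $300 million mint executes only after a second approver submits the same recipient and amount.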

Halborn offers advisory services designed to help stablecoin issuers address these and similar challenges throughout the development and deployment process. To learn more about how Halborn can help, get in touch.

© Halborn 2025. All rights reserved.