This report was originally posted on Portal do Bitcoin (in Portuguese-BR), by myself.

(Image: Central Bank of Brazil's building)

After initially publishing the documentation about the Real Digital (Brazilian CBDC) pilot project on GitHub last week, the Central Bank of Brazil also allowed the start of a public audit of the system's source code. This audit entered the radar of a number of developers, who began to analyse the code and found a few previously undocumented code functions (commands). These functions allow the controllers to make several relevant changes to the data in the CBDC's ledger, directly affecting its users. In addition to operations such as "minting" Real Digital tokens and enabling/disabling target accounts, which are explained in the documentation, a developer found other functions by applying reverse-engineering techniques to the material made available by the Central Bank. These resources can be executed by any entity that receives proper permissions from the controlling entity of the new system, i.e. the Central Bank. Among the changes authorities could potentially make using these functions are, for example:
Pedro Magalhães is responsible for the discovery. He is a full-stack developer specializing in blockchain, DeFi and the Solidity programming language, the same one used by the Central Bank in Real Digital. Portal do Bitcoin also checked and confirmed with other developers the existence of these functions in the Real Digital source code. Asked by the report, the Central Bank itself also admitted the possibility of executing the functions discovered by Magalhães. "The BC and institutions already have similar functionalities in the current environment of systems such as SPB and Pix, their use being governed by law and regulation", informed the country's monetary authority.

How the discovery was made

In the documentation shared last week, the responsible authority states that the Real Digital pilot project is intended for use only in a test environment and should not be reproduced for real operations. One of the purposes of publishing the pilot, as written in the project's so-called "Onboarding Kit", is to receive feedback, leaving all documentation subject to evolution or changes. And that is exactly what developer Pedro Magalhães did: he provided feedback. "Recently, I delved into the world of ABIs (interfaces) of Real Digital, a Central Bank's initiative, with the intention of exploring possible vulnerabilities for purely didactic purposes", says Magalhães. The developer announced his discovery on LinkedIn on Tuesday (4): "I discovered Solidity's Source Code of the CBDC through the ABI of Real Digital using reverse engineering". This refers to the source code in the Solidity programming language. In conversation with Portal do Bitcoin, Pedro Magalhães explained that an Application Binary Interface (ABI) is "basically a way to interact with smart contracts on Ethereum. It is like a manual that tells how the contract can be read and written." As for reverse engineering, the developer explains that it is a technique for understanding how a system works just by observing its behaviour. "I analyzed the ABI to understand Real Digital's functionalities and discovered the various functions they implemented." Based on this analysis, Pedro says it was possible to recreate the smart contract in Solidity used in the pilot project. This contract enables the execution of the following functions:

disableAccount: Disables an account authorized to transfer tokens.
enableAccount: Enables an account previously disabled for token transfers.
increaseFrozenBalance: Increases the frozen balance of a wallet address.
decreaseFrozenBalance: Decreases the frozen balance of a wallet address.
transfer: Overrides the ERC20 transfer function to include account status checks and frozen balances.
transferFrom: Overrides the ERC20 transferFrom function to include account status checks and frozen balances.
mint: Creates new Real Digital tokens for a specified address.
burn: Burns (destroys) a specified amount of Real Digital tokens.
pause: Pauses token transfers.
unpause: Resumes token transfers.
frozenBalanceOf: Retrieves the frozen balance of a wallet address.
authorizedAccount: Checks if an account is authorized for token transfers.
move: Transfers tokens from one wallet to another.
moveAndBurn: Transfers and burns tokens from a wallet.
burnFrom: Burns tokens from a specified account.

These functions can be performed by any entity authorized by the Central Bank through another function (also present in the source code), called Access Control. Still according to the expert, the Central Bank has several smart contracts.
"What most people are going to use on a day-to-day basis is the ERC20-based smart contract to transfer value." ERC20 is the Ethereum (ETH) network token standard, very common in the cryptocurrency market and in the decentralized finance (DeFi) ecosystem. "These exclusive functions will also be used in the main network, which is the system that everyone will use on a daily basis that was created using Hyperledger Besu technology to build this network", concludes Pedro.
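As an added illustration (my own minimal reconstruction, not the Central Bank's code and not Magalhães's recreated contract), this shows how the controls listed above fit together from an auditor's point of view: every privileged function is gated by one controller role, and a user transfer is refused while paused, for unauthorized accounts, or when it would dip into the frozen portion of a balance. The single controller address, the role structure and the exact balance arithmetic are assumptions; the page only names the functions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction, not the Central Bank's code: a minimal token whose
// transfers are gated by account authorization, frozen balances and a pause switch,
// with every privileged action restricted to one controller role (assumed here to be
// a single address; the pilot's Access Control function is described only by name).
contract FrozenBalanceTokenExample {
    address public immutable controller;
    bool public paused;
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public frozenBalanceOf;
    mapping(address => bool) public authorizedAccount;
    event Transfer(address indexed from, address indexed to, uint256 value);
    constructor() { controller = msg.sender; }

    modifier onlyController() {
        require(msg.sender == controller, "not controller");
        _;
    }

    // Privileged operations, named after the functions listed in the article.
    function enableAccount(address a) external onlyController { authorizedAccount[a] = true; }
    function disableAccount(address a) external onlyController { authorizedAccount[a] = false; }
    function increaseFrozenBalance(address a, uint256 v) external onlyController { frozenBalanceOf[a] += v; }
    function decreaseFrozenBalance(address a, uint256 v) external onlyController { frozenBalanceOf[a] -= v; }
    function pause() external onlyController { paused = true; }
    function unpause() external onlyController { paused = false; }
    function mint(address to, uint256 v) external onlyController { balanceOf[to] += v; emit Transfer(address(0), to, v); }
    function burnFrom(address from, uint256 v) external onlyController { _debit(from, v); emit Transfer(from, address(0), v); }
    // Assumption: a privileged move still respects the frozen portion of the source balance.
    function move(address from, address to, uint256 v) external onlyController { _debit(from, v); balanceOf[to] += v; emit Transfer(from, to, v); }

    // User-facing transfer: the extra checks the article says the ERC20 override adds.
    function transfer(address to, uint256 v) external returns (bool) {
        require(!paused, "paused");
        require(authorizedAccount[msg.sender] && authorizedAccount[to], "account not authorized");
        _debit(msg.sender, v);
        balanceOf[to] += v;
        emit Transfer(msg.sender, to, v);
        return true;
    }

    // Only the unfrozen part of a balance is spendable; a frozen amount above the balance blocks all outgoing transfers.
    function _debit(address from, uint256 v) internal {
        require(balanceOf[from] >= frozenBalanceOf[from] + v, "insufficient unfrozen balance");
        balanceOf[from] -= v;
    }
}
```

Reading the contract this way makes the audit question concrete: the security of every user balance reduces to who can call the onlyController functions, which is exactly why the Access Control function matters more than any single operation.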