Paxos’ 300 trillion fat finger raises concerns over PYUSD integrity

Whale alerts began to blare across the cryptosphere yesterday after Paxos minted 300 trillion of PayPal’s stablecoin, PYUSD, valued at over double global GDP.

The tokens were burned 22 minutes later, but many were left worried by Paxos’ ability to create such an unfeasible quantity of tokens out of thin air. The official response did little to address concerns.

At 3:12 PM EST, Paxos mistakenly minted excess PYUSD as part of an internal transfer. Paxos immediately identified the error and burned the excess PYUSD.

This was an internal technical error. There is no security breach. Customer funds are safe. We have addressed the root…

— Paxos (@Paxos) October 15, 2025

Read more: PayPal and Ripple stablecoins still sub-1% despite ‘stablecoin gold rush’

Responses centered on the lack of explanation and the apparent failure to compare any mint instructions against a proof of reserves.

Paxos claims to “have addressed the root cause,” but has yet to provide a post-mortem on how the error occurred, nor any steps taken to mitigate the risk of a repeat.

According to DeFiLlama data, PYUSD is the crypto industry’s eighth largest stablecoin, with a market cap of 2.64 billion.

The total stablecoin market cap is $307 billion, or just over one thousandth of the tokens minted yesterday.

just got fired from Paxos.

my job was to count decimal places and typecast uint256s. looking for work starting in January 2026000000000000.

— Josh Cincinnati (@acityinohio) October 15, 2025

Read more: $10M accidentally burned as Solana memecoin craze continues

A difference of trillions

After the initial wave of mockery died down, the crypto community began to examine the error’s implications.

Trading Strategy’s Mikko Ohtamaa suspects the error was likely a result of design choices in the token itself.

PYUSD uses six decimal places, whereas the vast majority of ERC-20 tokens use 18 decimals, a difference of trillions.

Security researcher Daniel Von Fange notes that there are ways to avoid mistakes such as yesterday’s.

Circle, for example, while also using just six decimals in its $75 billion stablecoin USDC, pre-authorizes certain addresses to control “limited total amounts that they can mint.”

Von Fange also points out that, without any sanity-check failsafes, hackers would be able to mint similar amounts. In the event that Paxos was to be infiltrated (the modus operandi of North Korea’s notorious Lazarus Group) PYUSD could be dumped to zero for its available trading liquidity, or borrowed against to drain lending protocols.

Read more: FBI confirms North Korean ‘TraderTraitor’ to blame for $1.5 billion Bybit hack

Indeed, decentralized finance (DeFi) lending protocol Aave decided to temporarily freeze PYUSD in response.

Another observer noted that 300 trillion tokens is an easy spot; a “less obvious error” may slip under the radar.

Coinbase’s Conor Grogan puts the incident top of the largest accidental mints in history. Other notable incidents include Binance accidentally minting its own wrapped ETH on two occasions, a bug on creating $14 billion worth of extra BTC, and Tether making a 100X fat finger error in 2019.

Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.