
> But in our email exchanges, he argued that he'd executed a perfectly legal series of trades.

In real finance, there is an understanding that technical loopholes can exist, since not every outcome can be foreseen when writing laws, but the legal system can frequently prosecute against a series of actions which are, individually, legal, but which together are taken in order to achieve something illegal.

That is, modern finance and the law also attempt to deal with intent.

But in the Ethereum smart contracts world isn't the whole premise that the code is the law? That we don't need any of these pesky courts or banks or auditors or anything: the code is the law, and the decentralized blockchain will enforce it.

With this worldview, if the attacker simply exploited poorly-written code to find a loophole, how do the owners of Index have a leg to stand on?



This is a thing that confused me about smart contracts. I don't see how they can exist without a judicial system. They do seem to have some uses under that framework. Like the system is auditable so you can prove if someone cheated and changed a contract out from under you (and you lost your copy), but that's only a minor improvement on the current system. The US has a lot of legal policy that is based on spirit of the law because it is well recognized that humans are imperfect and never will be. It then seems silly that people who are fully aware of failure analysis/engineering would design a system where the mode of failure is easily exploitable.


The legal system has failure modes that are just as easily exploitable, but humans can intervene and reverse the failure, make people whole, etc.

The problem with smart contracts isn't that there are bugs, but that buggy results are final with little to no recourse, by design, unless you get everyone to agree to hard fork the chain (rolling the "bad" transactions back and replacing the buggy contract) and/or the implementation (if the bug was in the platform rather than the contract).

The legal system has a similar principle of not being liable for conduct that predates a ruling or law that forbids it, but it also has the principle of agreements being interpreted according to common sense understanding by a person with ordinary skill, and where skill differences exist between them the non-expert's interpretation is the one given precedence.

These meta rules don't have equivalents in smart contract systems, which makes them brittle. The only way smart contracts end up being used for non-trivial purposes is if they are made explicitly subordinate to the existing legal infrastructure in ways that will gum up the works, or if smart contracts are subject to mandatory formal verification possibly including game theoretic 2nd order effects.


There was a wonderful summary of what smart contracts are.

https://twitter.com/qrs/status/1395784294451265536

> Smart contracts should be considered self-funded bug-bounty platforms.


Mark the "should". It's just an opinion, not a fact.


More like a piñata full of money sitting next to a whole pile of sticks.


I get that you share the opinion of the tweet. It still does not mean that this is how the legal system will see it.


Yeah, you're totally right. I'm very curious to see where things settle out. How does one ever infer intent from a system with anonymous contributors? We do live in interesting times.


"Should" is modifying "consider". Considering something is obviously subjective and not fact.


Thanks for the English lesson, I'll add it to my notes.


If the kid in the story had speculated about his attack it would be an opinion. His attack demonstrates that it is fact. Contrast this with your opinion that the courts will decide his actions were illegal.


You're reading things I didn't claim. I don't have an opinion on what the courts will decide, I basically said we don't know. My claim is factual and it will be regardless of the outcome.


AFAIK the legal system still applies to crypto; the recourse when somebody hacks your smart contract is the same as when somebody defrauds you; you sue. Except with smart contracts you have more traceability as to what happened.

And you don't need to make the smart contract explicitly subordinate to the law, they are as a matter of fact, because everything de facto is. This idea that code is law and crypto exists in a vacuum is complete delirium (although a popular one and sign that the scene has a lot of room to mature)


The legal contract of the EVM is “you are allowed to execute any computationally legal sequence of instructions on the EVM”. At least that’s how it has always been presented.

People who post smart contract code on the EVM are equal users of a shared computation infrastructure. If they want to put legal terms on who can use their smart contract and what for, they should need to make their own blockchain platform, because they certainly don’t own Ethereum.

The law already regulates mistakes in traditional markets. If you accidentally sell your shares for a fraction of what they are worth, you cannot go to a judge and ask them to return the “stolen” shares. When you subject yourself to a mechanistic market system, the predictable operation of the system is more important than any participant’s bad fortunes.


> The legal contract of the EVM is “you are allowed to execute any computationally legal sequence of instructions on the EVM”.

Where is this contract? I've never seen it. The rest of your argument is based on this premise. The "legal contract" of a computer program is the same, yet we have laws on what you can and can't do to other people's computer programs.

> The law already regulates mistakes in traditional markets. If you accidentally sell your shares for a fraction of what they are worth, you cannot go to a judge and ask them to return the “stolen” shares.

Someone taking all the money from a smart contract you gave money to is not like your fictional example of a person selling their shares for the wrong value.


I mean, anyone can sue for anything, but if you're suing for this, good luck: a) finding a judge/jury that understands it, and b) collecting


The jury just needs to believe “this person stole something,” and there’s a good chance they’ll judge accordingly. At least there’s a good enough chance that it will happen that it will likely lead to an out of court settlement.


I think a lot of the appeal of crypto/smart contracts is that they are final with little to no recourse, humans can't intervene and exploit failure modes which individuals using the so-called contracts can't defend against.

Corporations and wealthy individuals with influence in the writing of this legal system, with massive amounts of financial resources, with negligible moral agency, and with limited criminal liability find very different utility in the ability to use the legal system to roll back contracts, to enforce them, or to ignore them.

Those who find themselves on the other side of this power disparity would often prefer to risk a potentially buggy but inviolate contract than one which they expect to be abused against them.


> Those who find themselves on the other side of this power disparity would often prefer to risk a potentially buggy but inviolate contract than one which they expect to be abused against them.

There is no way that AT&T, Comcast or Bank of America will ever agree to a smart contract written by an ordinary customer. As always, the companies will write their own contracts, and customers will either accept them, or leave. And if the company has monopoly power, tough luck.


So what happens if the company's smart contract has a bug in it, and the customer takes advantage of it?

In an analogous situation, if a shop mis-labels the price of an item (let's say, they forgot a zero or two for a $1000 item), the customer theoretically has the legal basis to purchase it at the labeled price. How is this scenario any different to a block chain contract with a bug?


If a site has prices stored on the frontend and a user edits the price to make it lower, do you think the user has a legal basis to receive the item at their new specified price? I don't think many jurisdictions would say they do.

Further, in many places your example itself falls apart.

https://smallbusiness.chron.com/company-advertising-price-wr...
https://www.findlaw.com/smallbusiness/business-contracts-for...


> If a site has prices stored on the frontend and a user edits the price to make it lower, do you think the user has a legal basis to receive the item at their new specified price?

There was a case like that in the early days of online shopping, which was actually decided in favor of the customer. The prices of items in the shopping cart were stored in form fields, and the customer edited them before placing the order. The court considered that a counter-offer which was accepted by the store. (It probably wouldn't go that way today; for one thing online stores have gotten smarter about trusting data from the client.)

That's a bit different from simply editing the client-side view and never informing the merchant about the change, of course.


I would imagine that directly editing the price on the label is over the line, and the analogy breaks down when compared to smart contracts with bugs.


I want to know what kind of contracts people entered into before this where they thought they were being abused by a big corporation?

This seems like a noble endeavor, but not an entirely practical one. Both sides of a transaction have to agree to these smart contracts, so where is this an advantage (outside of internal crypto trading)?


A bunch of those many-to-one individual:corporation contracts (like phone service) are in such imbalanced markets that you'd have to overcome the power balance problem in order to get the other party to adopt the "smart" contract.

But if you can overcome the power balance problem, you can just fix the contracts directly anyway without them being smart?


I don't know what jurisprudence you live under, but under English common law (also America, Canada, etc) - which, I must say, I also always denounce and rarely defend - inequitable negotiating power between parties to a contract is considered by courts when adjudicating whether parties have broken it or can be awarded damages. We don't have a system where big powerful organizations can just dictate contracts to powerless individuals and then later enforce them.


Unfortunately US courts have taken a very dim view towards adjusting balance of power.

For example, I don't think there's anywhere else where the mere act of purchasing a product or service can result in you giving up the right to sue the company in court and be forced to enter arbitration with an arbiter of the company's choice.


That's ridiculous. If we're talking power disparities and differences in resources, corporations could just code up standard smart contracts with loopholes in them that allows the corporations to steal from their customers. It's not like customers have the resources to carefully audit the smart contract and make sure there aren't any backdoors that the corporation has written in to exploit.


This is a significantly more ridiculous premise than the one you're calling ridiculous.


During the financial crisis Goldmans traded against the trades of their customers, who were making trades Goldmans had recommended they make. They made a few hundred million on it. Goldmans that is, not their customers.


That's like saying corporations can release complex open source code with backdoors in it and the userbase won't notice. Are there any big instances of this happening?


> I don't see how they can exist without a judicial system.

Smart contracts don't have to exist outside the judicial system. Smart contracts are simply a way to automate transactions in a way that's efficient, transparent, and credibly neutral. Yes, we may still have to invoke courts for the 0.01% of transactions that are clear exploits. But the other 99.99% of the time, it's a much more efficient system than using written contracts to handle normal, everyday outcomes.

Even without blockchains or smart contracts, we already have automated systems that execute transactions based on algorithmic rules. If you blatantly exploit a vulnerability in those systems, then courts will generally punish you. That doesn't mean that automated systems are pointless, because 99.9% of the transactions aren't exploits. That's still a huge win, because it means we don't have to have our lawyers email redlines back and forth every time we want to trade an S&P index futures contract. (Near) fully automated transactions are 1) orders of magnitude more efficient, 2) expose general purpose composability where one automated system can be predictably inter-connected with another.

When you put an automated transaction system on-chain, you drastically increase the advantages of both, because you're embedded in an open application network with credible neutrality. A smart contract exchange like Uniswap can process about the same amount of volume as a centralized exchange like Coinbase, but the difference is that Uniswap only needs about 50 employees, whereas Coinbase needs 5000. That's primarily because Coinbase runs inside a silo'd network. That entails replicating many functions like user account management, that aren't necessary for an application like Uniswap that piggybacks off the credible neutrality of a decentralized consensus layer like Ethereum.


There's definitely way more real world contracts than smart contracts, and I'd be very surprised if the percentage of real world contracts that ended up with hundreds of millions of dollars being stolen on a daily basis is anywhere near the same ratio as it is for smart contracts.

Smart contracts, to date, have proven themselves to be truly idiotic inventions.


> The US has a lot of legal policy that is based on spirit of the law

Yes, but that's a wrong and unfair way to define and apply laws.

> humans are imperfect

Smart contracts and "code is the law" mantra don't contradict this. You're imperfect and you commit a mistake, you lose. You find a mistake in someone else's code, you win.

This is much better than the current legal system where we are all collectively forced to adapt to, or even pay for, someone else's mistakes.


>> The US has a lot of legal policy that is based on spirit of the law

>Yes, but that's a wrong and unfair way to define and apply laws.

Sounds like you're interpreting how to define and apply the law there based on what you feel is the right and fair way to do so. Seems a bit paradoxical.


I've seen this argument regarding smart contracts several times now, and I don't think it makes any sense. It's like robbing someone in real life, then claiming you did nothing wrong because you didn't violate the "laws" of physics. Those are two entirely separate things.

In the world of smart contracts code is indeed law, but that doesn't change the fact that in the real world law is law, and the fact that you used a smart contract to commit a crime doesn't make it any less a crime.


But that is the premise of smart contracts. Sure, it doesn't excuse you from the law if your contract is to pay someone to shoot someone, but it's supposed to be the final word on the actual financial transactions that happen within the contract.

Plenty of crypto hypers say the same. E.g. from a quick search of "Smart Contract advantages," the very first article, by a law firm:

> Guaranteed Outcomes: Potentially the most attractive feature, smart contracts could offer a way to substantially reduce or completely eliminate the need for litigation and courts. This is because when parties commit to using self-executing contracts, they bind themselves to the rules and determinations of the underlying code, rather than exposing themselves to interpretations made by parties outside of the contractual relationship.

https://www.newburnlaw.com/benefits-of-smart-contracts


Smart contracts allow for guaranteed outcomes. Some commentary added by a random law firm does not mean that guaranteed outcomes == no need for litigation and courts.

Just think of non-smart contract parallels. If a bank had an ATM, the premise is that this ATM will execute a series of commands and allow you to withdraw/deposit/transfer funds. If a nefarious bad actor found a series of user input that allowed them to withdraw millions of extra dollars, do you believe that the ATM provider will have no legal recourse? What about electronic slot machines?


The difference is that the ATM provider did not explicitly promise that the “code is law” which directly implies that they want to and aggressively argue that they are waiving their legal recourse as long as they were valid user inputs.

In contrast, basically nobody outside of the blockchain space would waive their legal recourse in such a manner and thus would have legal recourse if the intent of their system was bypassed.

To go on to then argue that a legal system should not allow one to waive those rights as it would be idiotic to do so is a perfectly valid legal/moral/justice position, but also directly contradicts basically the entire purported value proposition of everything in the blockchain space whose primary “positive” differentiating factor is that “code is law” and they have waived those rights. To not allow them to do so basically invalidates their entire purpose.

Essentially, either let people bind themselves to “code is law” and suffer the consequence of their choice, or ban it at which point you lose decentralized trust and censorship-resistance making them no different than traditional implementations except that they are slower with higher operational costs.


Where and when did the defi protocol in question explicitly state "code is law"? No one is waiving legal recourse when they're using Web3. I'm not a lawyer but I'd be very surprised if one could even "waive legal recourse" just because it's blockchain all the way down vs mySQL.

I believe you're making this claim because _some_ crypto proponents believe "code is law" and because your personal logical framing is that web3 has no value add outside of being able to operate without legal recourse thus it must operate without legal recourse.

First, even if web3 had no useful value add, it doesn't mean it ought not exist. I can create a SaaS company that does exactly the same thing another company does just with my own logo and API documentation. Does non-uniqueness invalidate my company's existence? What if I forked an open source SQL database and slapped my name on the repo? Have you heard about something called substitute goods? I don't see why Pepsi can't exist in a world where only Coke is the norm.

Second, web3/blockchain/defi does have benefits outside of traditional web2/finance. The ability to not require depositing your funds into an account to transact on a protocol, for instance, is a clear value add. The ability to buy/sell NFTs without a middleman (if they choose to eschew a middleman) is a novel and potentially valuable value add as well. There are countless other applications of web3 that I won't delve into but these concepts can and should operate within bounds of legal recourse.


> No one is waiving legal recourse when they're using Web3.

I've seen quite a few people do this. Maybe not everyone, but a lot. The "commentary added by a random law firm" is the general sentiment I understood when people were hyped up on smart contracts. There's an industry of smart contract programmers who write code under the assumption that there may be no recourse (to the legal system) if they introduced bugs.

If your attitude represents the sentiment of "web3" these days, it is really a very hilarious backtrack on the previous (hyperbole) claims...


A true non-smart parallel is this. You and I agree on a sporting event between humans. Because I want to construct a fantasy, let's just say it's a three-point basketball contest between adolescents (under 13).

The observer will pay $100 dollars per blocked shot, and earn $1 per 3 point play made. All the games are played 1v1. To the untrained basketball player participants, this may seem to be a fair game. After all, it's quite rare in a real basketball game to see a 3 point shot blocked. So they sign the contract, fully agreeing to pay $100 per blocked shot and earn $1 per made 3 pointer.

To game this as a participant, I go to the ends of the earth (I hear Sudan and the Netherlands are both nice this time of year), and find a 6'8, 215 lb boy and recruit him to play for me. He proceeds to block every single shot in every contest, winning hundreds of thousands of dollars and bankrupting the organizers. Just to further weight this, I also hire an opposing player who is only 4'3 to shoot as many 3 points as possible as quickly as possible.

Now, they signed the contract and agreed to it. They didn't have a clause for height, or any sort of caps, and now they have unlimited downside. How would the legal system handle this? Do you think they would release the participants' liability? Perhaps, but not likely if they didn't sign the contract under duress. They fully agreed and had consideration (the $1 per 3 point made).

It's a contrived example, but it's useful to show that technicalities can be exploited in real world contracts just the same as smart contracts.


> Some commentary added by a random law firm does not mean that guaranteed outcomes == no need for litigation and courts.

But it would appear that you expect us to believe that some commentary added by a random hacker news poster means the opposite?


I'm not extrapolating on the premise adding my own commentary. The parent commenter asserts an axiom (that we all purportedly agree with) and then links an observation to said axiom. I'm merely stating that the observation is not part of said axiom.


In a world where you're falling back to the legal system, why do I care if your buggy ATM is powered by a "smart contract" or by "regular" code? Why even do you care?

(There have been exploits in both ATMs and smart contracts, after all.)


I primarily care because I think there's money to be made.

But I also think the shift directionally makes sense. Traditional finance (really most transactions for that matter) have moved towards fewer middlemen dependent, more democratized forms of transactions (e.g. wealthy folks can call their traders to buy/sell stock -> open to middle class -> no need to call traders -> no fee no minimum online trading). To me, not requiring institutions to maintain custody of my funds is a value add.

But most importantly, it could just be something different (that fails or doesn't fail, who knows). I don't think the web3 space NEEDS to eschew legal recourse because 1) that's not the only supposedly value add and 2) because it doesn't NEED to provide any value add for that matter. Perhaps web3 can just be the Pepsi to web2's Coca Cola. Only time will tell.


>I primarily care because I think there's money to be made.

Crypto /thread


I think there's a difference between betting on the future of an ecosystem and pumping the latest shiba inu X coin trading on Binance but you do you.


Stock market /thread


That may be the premise, but has that actually been held up and recognized as such in courts in major countries? Like are there precedents regarding this?

At that point it's no longer a premise (for those particular countries), but until then it's just a supposition.

I think courts are wary to wade deeply into a new financial system like this but at the same time I find it hard to believe that the judiciary and the legislature would rule (in the long run) that they have no ability to "make things right".

If crypto grows as many people suggest and you have some significant percentage of the country that has savings or investments tied to these smart contracts, if there is a loophole like in this case, you'd have lots of people writing their local or national representative about this. I find it hard to believe that politicians would tell the people they represent "tough luck code is law".


> be held up and recognized as such in courts in major countries?

Only having a slight understanding of crypto, if local courts are required, what's the point of crypto? Why not use the existing financial systems, where all of this is built in?


The article even hints at this:

> [a crypto bro] criticized the team for turning to a centralized institution like the courts for help

But that's exactly the flaw of smart contracts, and why its promises will never work.

The hard part of contracts was never execution. The hard part was always conflict resolution and abidance by fair rules (i.e. "laws"). The hard part is what creates the overhead.

Smart contracts never solved the hard part. They remove the solution to the hard part, claiming the hard part is not needed at all. But the problems these solutions solve are the hard part. Pretending they don't exist is not "solving" anything.

There are so many examples of this. A minor can't enter into a contract. Severely mentally disabled can't either. Someone with a gun to their head can't either. It doesn't matter if they enter into a million dollar contract. That contract is invalid.

This is not "waste". This is the hard parts.


Eventually there will be smart contracts with assigned arbitrators capable of undoing dependent smart contract transactions, with the right to execute granted by a separate smart contract, which is controlled by a vote to be taken by a randomly selected set of peers in the community, who must first watch in total a video of the aggrieved and offending parties position their argument.

And arbitration contracts that can arbitrate the arbitration contracts, and so on.

And perhaps a smart contract to allow the amendment of existing contract, by vote of a group of wallets who’ve been elected by another smart contract, who’ve been elected by another smart contract with a larger pool of voters, and so on, until all stakeholders in the contract have had the chance to cast a vote, whose duration as a voter is limited to a 2-4 year term, before requiring another voting round.


Maybe. But you still need an override from real courts, when the contracts fail.

That's what courts are for. When someone finds an exploit in the smart contract there must be a "no that's clearly not what anyone meant. Nobody actually wanted all the money in the world to go to Hacker McHackerface".

If your assumption is that one of these contract layers is "perfect", then it's not realistic.


That's why you have the arbitration contract… to allow an arbiter to undo the work, with the reasoning “this isn’t what was intended”

But anyways that was in jest; the crypto community will eventually recreate the same systems and bureaucracies already in play today as they run into all the edge cases that occur with traditional currency (fundamentally: currency carries provenance and is only fungible until it's not, and the transfer of funds between two parties does not actually involve only the two parties — and lawyers write excessively defensive, excessively long contracts for a reason).


Cryptocurrencies != smart contracts. The original premise of bitcoin was essentially to create a decentralized fiat currency. As its value grew the thesis then changed to equate more of a decentralized digital gold/inflation hedge that's easier to store and authenticate than actual gold.

So that's one use of crypto.

In the non Web3 world, we typically have to rely solely on the financial institution providing the service to make transactions. That is, we have to have a Paypal account to withdraw from Paypal. We can only buy/sell Robux on Roblox, etc. Smart contracts allow us to essentially utilize any provider we want without the provider having custody of the funds at any given time.

I can go to any dex I want and transact without depositing funds. The dex also cannot agree to perform a transaction and hold my funds hostage, like how Paypal screws over some of their merchants with their "internal investigations." I can also buy/sell coins that the dex mints (e.g. ORCA coin) anywhere I want. It's not tied to a single account nor is it tied to single exchange.

And that's without getting into NFTs, flash loans, LPs, and other features of Web3.


> it's supposed to be the final word on the actual financial transactions that happen within the contract.

The court doesn't care how crypto idealists think the world should work.


>In the world of smart contracts code is indeed law, but that doesn't change the fact that in the real world law is law

I think some confusion arises because "smart contracts" only make sense if code really is law, in the sense that any transaction executed by the contract -- even unexpected, surprising transactions -- is considered to be fully consented to by all parties interacting with the contract.

I agree that that's a terrible idea - bugs can always exist, and having no recourse when millions of dollars are lost due to a coding error is a huge and unreasonable risk.

But otherwise -- if, ultimately, courts can force "smart contract" transactions to be unwound if they are found to be exploitative, unintended or otherwise invalid -- then what's the point of having smart contracts in the first place? What's the value proposition? Why not just use regular contracts?


The same argument could be made about an escrow account. Just because the account gets paid to one party by the third party doesn't mean that the second party couldn't sue the first for the money back. Assuming the third party made a mistake or (more in line with smart contracts) if the escrow was set up in a way where the pay out was just with relation to the escrow terms but wasn't in line with the contract terms between the 1st and 2nd party they'd be likely to get redress.

There's still a very real use for smart contracts in that you change what bad actors can do to act badly. Before they may have been able to breach a contract by ignoring invoices now they breach a contract by exploiting a smart contract loophole. Basically you're shuffling the trust and risk around which can be a useful tool. i.e. it can be quite costly to enforce (and do due diligence on) a contract with someone in another country so the cost and technical risk of setting up a smart contract may be much more preferable than the possibility of having to legally enforce redress for breach in a regular contract.


Most people will be coerced into returning funds if the alternative is hard jail time

Smart contract is really the misnomer. In reality, they are automations of contractual obligations and cannot automate complete contract clauses.


> Why not just use regular contracts?

It's just code, so the same reason we use APIs rather than doing everything by lawyers.


This claim makes no sense. In the real world, crimes have very specific definitions. Most are physical, in fact.

For example, robbery is when, with intent to commit theft, you take property by force.

Anything else is not robbery.

Theft by taking is: when a person unlawfully takes or, being in lawful possession thereof, unlawfully appropriates any property of another with the intention of depriving him of the property, regardless of the manner in which property is taken or appropriated.

(The above is Georgia, robbery/theft/etc are state crimes so definitions vary a bit)

Again, it requires doing so unlawfully (or converting unlawfully).

If doing what this person did isn't unlawful in the real world, it's not theft, it's not robbery, it's not anything.

So you have to find a crime that actually matches what happened.

It's not wire fraud - that would require "false statement, promise, or misrepresentation in order to obtain money or something of value from someone else."

etc

So what crime do you believe this actually is?

(So far I've only seen a civil lawsuit, and while there is a warrant for his arrest, that's for refusing to move the tokens to a neutral third party, or show up to court :P )


In addition to sounding like textbook embezzlement, I don't think there's any reason to believe that "theft" as defined by that very broad Georgia definition couldn't apply here (the "unlawfully" is to exclude certain property appropriations explicitly permitted by law like bailiff seizures or deposit retentions from the definition, not to mean it's not theft if you keep someone's property against their will without breaking any other laws. I don't think it ceases to be "appropriation" of funds simply because you provide something worthless as an exchange either, particularly not with that last clause)


I will admit I have avoided trying to follow the entire rabbit hole of details on this case. So feel free to point out where I've missed some facts. From what I've seen, I doubt it would be considered theft for the simple reason that the tokens that were bought/sold didn't belong to anyone else in particular who you could say it was appropriated from. He also paid for all of it, and paid the fair value at the time.

In fact, he paid very high prices for the initial tokens (860 times initial value at one point). Then gave away a bunch of tokens. Then waited for an algorithm to do something dumb around the pricing, and then swapped the tokens.

Who exactly did he appropriate property from here? He paid for all of it, and paid the prices the market demanded. The algorithm did something dumb, but that is no different than some trading bot algorithm doing something dumb and selling for less than it should, which happens all the time.

As for embezzlement, it requires a trust relationship - it's a violation of a fiduciary duty.

I don't think he had one?

So far, I've not seen any criminal charges here, only civil ones. Certainly prosecutors are slower at this sort of thing, but I'll be interested to see what happens.


According to the linked article, he contributed code to the exploited contract (and was even paid for it!). That sounds like a trust relationship, and layers of obfuscation around swaps and "paying fair price" aren't going to change the fact that the intended net effect of the trades was that all the value in the contract was transferred to him. Big difference between a trading bot doing dumb stuff and trading bots using exploits a contractor engineered to cleverly transfer all the assets under management to himself.


Yeah, maybe embezzlement then, but still not theft. Depends on what the exact relationship was - most companies go to amazing legal lengths to ensure that they disclaim any relationship between themselves and their contractors. Which is not going to cut in their favor.

There have also been plenty of instances of folks much closer to having relationships + knowledge and not being found to be illegal (though rarely there has been civil liability). I.e., financial advisors exploiting inside knowledge of their clients' portfolios + what their companies are up to to make trades that advantage their companies at the expense of their clients.

As for the rest - the intended net effect of almost all trades in finance is to cleverly transfer the value of everything you can to yourself ;). The only question is whether he had a relationship that makes that illegal or not.


Respectfully disagree. I think I've seen several times the belief (from crypto supporters) that the code is the code is the code, and these are the rules that we play with.

The "laws of physics" analogy doesn't match up. I feel like it would be more appropriate in an anarchist society (physics are the only laws, thus everything that obeys physics is game).

This feels more like discovering an exploit in a video game. It's up to the devs to patch it, or tournaments to outlaw, but if you find something out, you can use it. We agree to play by the rules, but if someone comes up with something last minute, they can win.


Many people in crypto want to not have to comply with "real world" laws right up until the point where it would be to their benefit to do so.

And if "smart contracts" depend on real law, then they're not really needed in many of the supposed use cases.


Just because there are crypto anarchists doesn't mean that all crypto proponents are anarchists. And smart contracts (not sure why they're in quotes in your comment) can depend on real law and still operate fine (e.g. I'm sure NBA Topshot would file a legal case against Dapper Labs if they did something significantly damaging to their brand/NFTs, etc.).


> Just because there are crypto anarchists doesn't mean that all crypto proponents are anarchists.

That's obviously correct but what's the point? The whole discussion here is that there exist these "crypto anarchists" and their ideal world seems ridiculous to at least a couple people here...


That's not how the law works though, at least not in any country I know of. If you exploit flaws in computer code to steal something of real-world value, that's a crime.

We're all bound to the laws of physics, just as in the world of smart contracts all are bound to the laws of code. But none of that changes the existence of the laws of men.


(Replying to this one, but the sibling comment feels similar in vein).

- I'm not really saying the crypto-side argument is right, really just trying to clarify my perception of what they're saying re: the comment above me.

- The physics thing is really just a comment re: when it's hypocrisy and when it's not.

- FWIW, theft in crypto isn't super well-defined to me re: the laws of men either. Maybe someone who knows current law better than me can explain, but calling a function in a contract that sends updates from one pseudonymous address to another... I don't actually know if current written definitions of theft cover that, or need some court to interpret it as theft. We kind of understand it as people, but I honestly don't know if "laws of men" as written, do.


Under common law jurisdictions (and as I understand it in the US too), "intent" of the accused is an important element of the crime. The definition is broad enough to cover crypto theft, but it might require the court to interpret whether the alleged actions were done with "dishonest intent" etc., which can be a rather subjective thing.

Higher courts, due to their inherent ability to set precedents, usually also consider broader policy concerns, e.g. whether the decision makes sense from enforcement perspective, how the ecosystem might be affected etc.


If you do a promotion for giving away free food, and your smart contract accidentally allows someone to get a free sandwich every minute instead of once a day, is it so obvious that someone using your promotion more than once a day is "stealing"?

Ever use a different email address to sign up for a different free trial, say? Let alone people sharing Netflix accounts... where do you draw the line around "stealing" here?


> is it so obvious that someone using your promotion more than once a day is "stealing"?

Yes. This is very obviously stealing, particularly if the promotion said it was for use once a day.

Edit: Also, sharing your Netflix password may also very well be illegal: https://www.lawjournalnewsletters.com/sites/lawjournalnewsle...


This reminds me of the Pepsi fighter jet affair[1].

[1] https://en.wikipedia.org/wiki/Leonard_v._Pepsico,_Inc.


Actually, we are only bound to the laws of physics within the limits of our understanding. As our understanding grows, those laws become less and less restrictive. I think it's an interesting analogy or parallel for the case we are discussing.


I would argue that this wasn't really a code flaw. They made a synthetic asset that calculated its price in a dumb way. That happens plenty often without code, and gets exploited by savvy buyers without code.


The crypto community does seem inclined towards a law of the jungle approach. It's amusing but unsurprising that the wannabe Shere Khans go running to the legal system when they learn they're actually prey.


I think the problem is, if you put a sign saying "Feel free to break in, I dare you, if you manage to get in the house then you're free to take anything you want!" then you can't later complain when someone does exactly that.

(Well, maybe you can still complain, IANAL, but it gets a lot murkier.)


This comes down to the intent, doesn't it? It would be different if you had no sign but a door that opened if someone pushed it because it was badly designed.

People on HN argue this with openly accessible APIs fairly regularly "ah but the machine let me do it, they must be OK with it" and I think that goes down badly in court.


That might be useful in a civil case, but I don't see how it would apply to a criminal case. "If you do X, it is not considered fraud" isn't going to legally bind the criminal justice system in any way.


In the real world law is law, but I think it's still not entirely clear whether smart contracts can be considered legal contracts and how to judge if any particular smart contract is one.

If this smart contract is considered a legally binding contract, then, yes, this would likely be illegal despite the proverbial "letter" of the smart contract not being broken. If it isn't, then it may not necessarily be illegal (but possibly still could be).


The problem is that smart contracts are not in fact actual, legal contracts. So finding a loophole means no crime was committed.


I think legally speaking you’re correct, they would need to pass some sort of law or ruling saying that smart contract code can not be ruled incorrect/fraudulent/negligent etc. which nobody is going to pass, so a judge will just laugh at the idea that crypto is above the law.


They really don't have any leg to stand on.

A smart contract is a piece of code running on a public permissionless blockchain. The developers who deployed that code do not own it. Medjedovic had as much the right to take money out of the smart contract using the contract's logic as Kellar and Day.

Being blockchain developers, Kellar and Day know these facts very well, but they persist in their hypocrisy because it is in their financial interest to do so. They are betting on a non-technical jury being convinced by a good lawyer that Medjedovic "hacked them" or "stole their funds" (which is not at all what happened here).


By that token, wouldn't rugpulls be legal too?


Probably? A priori there is nothing wrong with someone who owns a large amount of a certain asset transferring it into a liquidity pool in exchange for a different asset.

It gets more murky if a founder explicitly lies to investors in order to get them to buy their token. Fraudulent misrepresentation is problematic in most jurisdictions, but this has nothing to do with the mechanics of the "rugpull" itself.


Here's a recent case where the SEC litigated misappropriation of funds among other things:

"According to the SEC's complaint, the defendants misappropriated nearly $4 million of investor funds. The SEC also alleges that Chiang and Tippetts misused additional Sharenode investor funds by spending at least 133 bitcoin to list NSG tokens on an unregistered trading platform and to fund a team of captive traders to trade NSG tokens amongst themselves to create the false appearance of a robust market with increasing prices. These traders allegedly created the false impression that more than $2.5 million worth of NSGs were traded daily on BitForex during the first 60 days and that the price of NSGs was steadily increasing due to investor demand. According to the complaint, however, the manipulation scheme collapsed when investors tried to sell their NSG tokens, because there were no actual buyers, causing the token's trading price and volume to fall precipitously."

This isn't exactly a classic "rugpull", but it does make it fairly clear that you can't just take customer funds and use them however you'd like just because it's a cryptotoken and you have access to the smart contracts controlling it. You really shouldn't use customer funds in furtherance of additional frauds, like these people did here.

https://www.sec.gov/litigation/litreleases/2022/lr25377.htm


That doesn't really turn on any crypto-related concepts at all, but rather false/deceptive disclosures about the security itself. That actually would be equally illegal to do with regular securities too - you don't fuck around with disclosure documents, that's an absurdly easy way to go straight to jail.

> These traders allegedly created the false impression that more than $2.5 million worth of NSGs were traded daily on BitForex during the first 60 days and that the price of NSGs was steadily increasing due to investor demand. According to the complaint, however, the manipulation scheme collapsed when investors tried to sell their NSG tokens, because there were no actual buyers, causing the token's trading price and volume to fall precipitously."

This is also the fund owners doing something nefarious - that doesn't mean that somebody else executing a transaction according to the contract and the market could be held accountable because the fund's customers lost money. Someone has to be on the other end of every transaction, that is how a market works.


Rugpulls are different because crypto developers lie and deceive investors in their disclosure.

A better example would be 3rd parties pumping and dumping a crypto asset. Should this be illegal?


Rugpulls, as in projects attracting funds and then absconding with them, are different from exploits in that they involve outright lies / deception. There's a (moral, at least) difference between bad intent and honest incompetence. The attacker didn't ask anyone to contribute the funds that he appropriated.


But if we're talking about bad intent, then we could easily argue that Medjedovic (the hacker) acted with bad intent in this case. It goes both ways. If code is law, then hacks would be legal but so would rugpulls. If code is still ruled by law, then rugpulls and hacks can be judged by things like intention.


That dichotomy doesn't exist, because everything is ruled by law. But the courts look at the entire situation as well, and you'll find that having actively lied to people or not does make a difference in fraud cases.


> With this worldview, if the attacker simply exploited poorly-written code to find a loophole, how do the owners of Index have a leg to stand on?

They don’t. They simply have to accept it as a bug bounty successfully collected and paid out, and treat it as a learning experience and evolutionary process. Do better next time, if there is a next time.


Good luck making that argument in court. Intent is key, and if this is not the intent of the "smart" (lol) contract, "finders keepers" is not a legal defense. The legal system doesn't care about your blockchain arguments.


A smart contract deployed on a public permissionless blockchain is not owned by anyone. Only the contract's logic determines how one can interact with it. This is a fact.

It doesn't matter who can make the best argument in court. A good enough lawyer can convince a stupid enough jury of pretty much anything.


Let's say that I place a vending machine in a public space, such as a street or a park. The public is able to interact with it by inserting FIAT coins to purchase DRNK. Someone clever figures out a way to interact with the vending machine to extract DRNK at less than its intended FIAT price. Two questions at this point:

(a) Is this a theft from the person who placed the vending machine? Why or why not?

(b) How is this different from a smart contract on a blockchain?


That sort of depends on what the exploit is, right?

For example, if DRNK costs $1 per unit, but I find out that by putting in $1.25 I get 2 units, have I actually exploited the machine? Is it not reasonable to assume that discount was intended?

Now, of course, if I'm prying open the machine with a prybar then we could argue that's just theft. But, putting money in the machine and getting units out is the intended interaction.

Similar to how if a gas station accidentally puts the price of gas at $0.20 per gallon, even though everyone knows that's probably a mistake, it isn't on them for taking advantage of the artificially low price.

So, that's what I'd say the difference is. A smart contract defines all the interactions that are valid. Thus, it is impossible to interact with a smart contract in a way that is "invalid" or "stealing". That'd be different if the user could modify the contract (apply a prybar) however, that's sort of the point, that you can't modify the contract to fix it.

If the contract said "all your deposited crypto goes to cogman10" would we call that a theft when someone put their crypto into that contract? Perhaps if I misrepresented the contract, but then the whole point of these contracts is they are visible to anyone that wants to read/use them.


> For example, if DRNK costs $1 per unit, but I find out that by putting in $1.25 I get 2 units, have I actually exploited the machine? Is it not reasonable to assume that discount was intended?

What if you remove the last part? What if you know, clearly, that your interaction was not what the designer wanted?

> So, that's what I'd say the difference is. A smart contract defines all the interactions that are valid.

Implementations are not specifications. What do you mean by "valid"?


> What if you know, clearly, that your interaction was not what the designer wanted?

Well, then they should have designed a better vending machine, shouldn't they? It may be unethical but I certainly wouldn't call it illegal. Again, back to the gas analogy, I don't think someone pumping gas at $0.20 is breaking the law even though that's clearly not the intent.

> What do you mean by "valid"?

None of the interactions for this attack were using the system in a way it wasn't meant to be used. It wasn't exploiting code. It was buying and selling assets in a way that enriched the attacker. That is a valid interaction.

Also, the whole point of these contracts IS that the code is the specification. That's the whole point of crypto in general. Trust nobody and let the blockchain determine truth.


> What if you know, clearly, that your interaction was not what the designer wanted?

This is what I like to refer to as “stupid tax”.

I’ve had cases where I put money into a soda machine and it gave me a drink plus more than I deposited into it. Or kicked out more than one item because one was stuck and my purchase obviously unstuck it.

Does this make me a criminal?

As an aside, I used to work at a place with a soda machine that was basically like a slot machine with slightly higher payouts than one in Las Vegas. This was at a grocery warehouse and the drinks were at cost so “losing” your bet cost like a quarter. Probably designed that way, who knows?


And what if the vending machine measures coins by weight, and you so happen to have a "coin" that is just a properly-weighted blank. You're still interacting with the vending machine as technically intended. But by not inserting the correct amount of money, you are not interacting with it as intended by the creators.

The smart contract implements a technical intent, just like the vending machine. But that technical intent will always have limitations. Some exploits are non-destructive, such as properly-weighted blanks. Some are destructive, such as crowbars. But let's not pretend that they aren't, in fact, exploits.


That'd make sense IF this attack was one that was along the lines of "Hey, I did an injection attack on the contract which caused it to do something bad".

However, that's not what happened in this attack. This attack was far more akin to the "getting 2 units for $1.25" that I described. In fact, that's exactly what it was at the root of it. At no point did the attacker actually exploit code.

The technical and explicit intent was followed to a T here. The attacker got a loan (perfectly within the intent), bought a bunch of the index (again, within the intent), sold a bunch of an underlying stock of the index (again, within intent), sold the index, and sold the loan. Nowhere in this process was there a "this violates the essence of the contract".

And, let's be frank here, it's not like the attacker didn't open themselves to a huge liability. Anyone that saw this attack in progress could have bought sushi coin or UCI and ultimately drained away the income this attacker was earning, potentially putting them on the hook for a pretty massive loan.

Now, would such a scheme be legal if this were actual securities and not crypto? Nope, because we put more protection around real securities in the US and other countries. However, crypto went out of its way to make itself above the law and outside of securitization. That, in fact, was the entire point of crypto, to be something governments COULDN'T regulate.


The article makes it very clear where things were exploited. Especially the circumnavigation of the new token limit seems pretty relevant to the discussion of whether this was playing within the intent.

If he’d wanted, Medjedovic could now have traded $3,200 worth of Sushi for DEFI5 tokens worth $1,172,000. And had he simply done that, Indexed would have been fine. The protocol places limits on the amount of a new token that users can swap into the pool, so he would have been able to extract only about 1.5% of the pool’s value—which, given transaction fees, wouldn’t have been profitable for him.

Instead, Medjedovic’s script took out another flash loan consisting of $2.4 million worth of Sushi tokens. And rather than swapping them into the pool, it gifted them to it—a seemingly irrational move that Indexed’s algorithm wasn’t designed to handle. The “donation” overwhelmed the pool and circumvented its usual trade limit for new tokens. This allowed Medjedovic’s program to freely trade overvalued Sushi for undervalued DEFI5 tokens, then cash those out for the pool’s underlying assets, pay back the loans, and keep the rest, now worth $11.9 million. The attack on the CC10 pool brought the total haul to $16 million.
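
An added sketch, not part of the thread and not Indexed's code, of the accounting pattern the quoted passage describes: a swap-in limit for a newly listed token that an unsolicited transfer can lift, next to a variant that ignores such transfers. The pool model, the `sync()` step, the caps and the listing target are assumptions; only the 2.4 million donation size comes from the quote.

```python
# Constructed toy model: every name and number is an assumption for illustration.
from dataclasses import dataclass

BPS = 10_000
NEW_TOKEN_CAP_BPS = 100   # assumed: while a listing is new, one swap may add 1% of its target
READY_CAP_BPS = 5_000     # assumed: once fully listed, one swap may add 50% of tracked balance


@dataclass
class Listing:
    target: int           # tracked balance at which the token counts as fully listed
    tracked: int = 0      # balance the pool uses for its limits
    held: int = 0         # balance the token ledger reports for the pool
    via_swaps: int = 0    # part of `held` that arrived through swap_in()


class Pool:
    def __init__(self, target: int, trust_raw_balance: bool):
        self.listing = Listing(target)
        # True  = sync() adopts whatever the pool holds (the weak accounting)
        # False = sync() counts only what came in through swap_in()
        self.trust_raw_balance = trust_raw_balance

    def is_ready(self) -> bool:
        return self.listing.tracked >= self.listing.target

    def max_swap_in(self) -> int:
        listing = self.listing
        if self.is_ready():
            return listing.tracked * READY_CAP_BPS // BPS
        return listing.target * NEW_TOKEN_CAP_BPS // BPS

    def swap_in(self, amount: int) -> None:
        if amount <= 0 or amount > self.max_swap_in():
            raise ValueError("swap-in outside the allowed range")
        listing = self.listing
        listing.held += amount
        listing.via_swaps += amount
        listing.tracked += amount

    def receive_transfer(self, amount: int) -> None:
        # A plain token transfer credits the pool on the token ledger
        # without running any of the pool's own checks.
        self.listing.held += amount

    def sync(self) -> None:
        listing = self.listing
        listing.tracked = listing.held if self.trust_raw_balance else listing.via_swaps

    def unaccounted_surplus(self) -> int:
        # Tokens the pool holds that never passed through swap_in();
        # a non-zero value is worth an alert in monitoring.
        return self.listing.held - self.listing.via_swaps


def cap_before_and_after_donation(trust_raw_balance: bool, donation: int):
    """Return (cap before, cap after, fully listed?, surplus) for one donation plus sync."""
    pool = Pool(target=1_000_000, trust_raw_balance=trust_raw_balance)
    before = pool.max_swap_in()
    pool.receive_transfer(donation)
    pool.sync()
    return before, pool.max_swap_in(), pool.is_ready(), pool.unaccounted_surplus()


if __name__ == "__main__":
    for trust in (True, False):
        print("trust_raw_balance =", trust,
              cap_before_and_after_donation(trust, 2_400_000))
```

With raw-balance accounting the donation alone marks the listing as complete and raises the per-swap cap; with swap-only accounting the cap is unchanged and the donation shows up as surplus.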


> A smart contract defines all the interactions that are valid.

A smart contract defines all the interactions. Whether they are legally valid is another matter. In contract law, usually the intentions of the parties (at the moment of agreeing to the contract) are taken into consideration. In most other cases, the legal system has rules to determine the validity. The customary practices of the crypto ecosystem is something they might take into account, but it's not necessarily a final outcome.


I'll try to steelman the code-is-law argument (not really sure how I feel about it myself):

In the case of the smart contract, you don't own the vending machine. It doesn't have an owner, it just "is". If it did have an owner, that person is probably violating all sorts of securities laws in countless jurisdictions. That's at least part of the point of all this smart contract stuff.

To make the analogy a little more apt, let's say the smart autonomous vending machine 1) lets people buy DRNKs by inserting money, 2) incentivizes people to refill it with DRNK by spitting out money, 3) once a month spits out money to the amused landlord, and 4) was deposited by aliens who disappeared without trace.

Presumably the smart vending machine would continue on its merry way like this until it either broke down or someone figured out a way to jimmy the lock. Looks like the latter happened. Though everyone is upset, it's not clear who has the right to prosecute.


> If it did have an owner, that person is probably violating all sorts of securities laws in countless jurisdictions.

That's probably what upsets me most about this story. These developers want to have it both ways: it is decentralized finance and nobody owns the contract as long as we are making money, but we want all the laws and regulations of traditional finance to protect us if things don't go our way.

I am saying this as someone who is pro-crypto. There are trade-offs to this technology. We need to pick a lane and be prepared to deal with the consequences.


Frankly, I don't think it's up to you to pick a lane. It's the wild-west at the moment because the technology is new. But it won't be long before the law catches up and crypto will be subject to it the same as everything else.


Publishing a piece of code on a public blockchain cannot be made illegal. The Court of Appeal already ruled that code is speech making this a first amendment issue [1].

Decentralized finance is here to stay as an alternative to the traditional system. Some things are just impossible to regulate.

[1] https://www.trustnodes.com/2018/11/09/smart-contract-code-is...


Perhaps not in the US (but many countries have no such constitution), but redeeming said tokens for fiat currency could still be made illegal, which would dramatically reduce the usefulness of such a system.


The "laws and regulations of traditional finance" also protect them if things "go their way". They're not trying to "have it both ways", the law protects everyone in all scenarios.


In practice, the law would protect them if they were the owners of the exchange. But here the "exchange" is just a public piece of code that all participants agree to interact with. I can't even begin to imagine the legal hoops they would have to go through to run a centralized regulated exchange.


Imagine in your example the vending machine has a variable pricing and lowers its price if nobody purchases soda. Is it theft to wait longer than the designers thought people would wait and purchase the DRNK at a price lower than the machine owner thought they would?

I think a better example is a claw gambling machine. You pay Fiat for a chance to grab fiat out of a pool.

If you come up with a strategy whereby you can grab more or all of the Fiat in a way that the game/machine designer and other players did not anticipate, is that theft?

Alternatively, people are playing a modified version of Poker with rules they don't understand, and someone understands the rules better and gets their money, is that a crime?


Broken slot machines do happen, and it's been made very clear that the player does not benefit.

https://www.aol.com/2016-11-02-broken-slot-machine-dupes-wom...

https://www.foxnews.com/us/not-a-winner-oregon-woman-denied-...

However, this works both ways. If the mistake is in the favor of the player, they are obligated to pay out:

https://www.msn.com/en-us/news/us/a-slot-machine-in-las-vega...


Right, "it's been made very clear".

"Malfunction voids all wins."

Here, it's also been made very clear. "Code is law".


Well, no. Law is law. Code is law is a game of make-believe.


I would argue that the fund wasn't broken - it was working exactly as designed. It was just a bad design.


I mean, all these smart contract people basically advertise this scenario as a feature not a bug.

IANAL and don't know how a court would see it, but the way smart contracts are advertised would probably give you a fighting chance to make this argument where in normal finance you would have no chance.


Can they make a strong case about what their intent was? Do they have some legal agreement with the hacker that the judge can use to divine their intent and the hacker's violation of it beyond reasonable doubt?

Or might the hacker and his clever lawyers have an equally strong case that whatever the code allowed was the "true" intent, that the code is the ultimate arbiter of intent, regardless what Index might have said otherwise?

I kind of hope it does go to court, will be interesting to see what the opposing legal teams come up with.


The courts have found that a written description of the contract is legally binding even if the smart contract has a bug that allows things that were intended to be disallowed. Further the courts held the right to decide whether something was allowed or not allowed on their own judgement regardless of the smart contract, asserting the primacy of the law and jurisprudence over cryptonerd utopian fantasy.


Which cases and jurisdiction are you referring to?


I’ve long lost my references to the cases, I tried to Google around for a bit but didn’t turn it up. However I did find this analysis from Harvard law that says more or less the same thing, start with the section:

What is the “Final” Agreement Between the Parties?

https://corpgov.law.harvard.edu/2018/05/26/an-introduction-t...


"Code is law" is a dream that is not actualized. It's not actually law, it's just code. I'm pretty sure law enforcement will gladly prosecute for a lot of these "hacks".


Indeed it cannot be actualized, as it connects to the real world.

This is why things like "land registry on the blockchain" will never happen. When a court decides that a sale of a house was unlawful, then the blockchain is wrong and irrelevant.

Code isn't law. Law is a system that ultimately sends people to your house and puts you in a locked house that you're not allowed to leave, and lets other people live in "your" house now.

Math can't enforce who lives in your house.


Exactly.

Law isn't law unless it's been enforced through courts, precedent and ultimately someone with authority to use force to force compliance.


In other words, "code is law" only if it complies within the existing framework of our laws. IMO, this still leaves a lot of room for creative applications of smart contracts.


Could be. But then any smart contract system needs to acknowledge this overarching law, and give it "super user access", if you will.

And these systems could exist. But they are not the systems that are being designed. They are in fact antithetical to the stated goals of all of these cryptocurrencies and smart contract systems.


If you widely publicize that "code is law", and get customers due to that promise, things are not that black on white.


Can you point to a single instance where Indexed Finance advertised "code is law"?


What specific law was broken? In the US, generic "hacks" generally fall under the Computer Fraud and Abuse Act, which is notoriously vague about what qualifies as "authorized". Perhaps some other law is applicable. But I cannot think of any that are obviously on point. Nor can I think of a clear precedent that clarifies the issue.


> What specific law was broken?

Market manipulation, fraud.


Market manipulation might work, but since it was all inside of a flash loan that's harder to argue.

I'm skeptical that any fraud happened here.


Yes, but I believe similar cases have appeared where the courts have found against the objectivity of smart contracts. I think, ultimately, the point of regulating the financial markets is not to protect investors, but to protect the economy. And if a smart contract undermines the security of our financial system, then that smart contract may simply be illegal.


This is a Twitter thread apparently from the lawyers hired by Indexed "I want to explain to you why what you did was illegal and wrong":

https://twitter.com/ohaiom/status/1451142195369725957


Until this pans out in an actual court this is basically a strongly worded vaguely threatening letter from a lawyer. If they actually had him dead to rights they wouldn’t be posting their legal theory publicly and asking pretty please give it back or else these other people we’re not at all affiliated with and have no control over (but don’t pay attention to that fact) might put you in jail.


Like high frequency trading players front-running trades, faking liquidity, manipulating prices, and changing infrastructure to benefit them to really screw people that want to buy or sell stocks? Never heard of anyone getting prosecuted by the legal system for that (besides for taking HFT code with them, but never for screwing a normal buyer or seller).

Edit: It would be great if there were more morals in finance, but I think that's wishful thinking and doesn't really distinguish traditional finance or Defi. The only nice thing about Defi is that everyone can see what's going on in contrast to what happens when you do something in traditional finance.



Anybody ever figure out what happened to J.D. McMahon? I searched a little but didn't turn up much.


He contravened their "intent" to make more (fiat) money through speculation, simply put. If they actually wanted to promote decentralization and openness, they would not be undermining trust in it and impeding its adoption by invoking the legal system at this stage. All they gain from suing over this is making things hard for the kid who did the trade, and a remote possibility of "recovering" some of their previous valuations in fiat.


Contracts are contracts and law is law. Law can overrule contracts. Smart contracts just let you have executable terms which allows greater composition and commoditization.


Am I missing something or did Medjedovic simply use unforeseen actions in the implementation of the contract as arbitrage and did not have an agreement to not attempt such actions?

Do not see any 'unauthorised access' in that case, i.e. not the classic definition of 'computer hacking'. However if the case does end up progressing I do wonder what form a defense will take.


> But in the Ethereum smart contracts world isn't the whole premise that the code is the law? That we don't need any of these pesky courts or banks or auditors or anything: the code is the law, and the decentralized blockchain will enforce it.

It's like the people who invented smart contracts never heard of the incompleteness theorem.


As the article mentions, there is a difference between the utilitarian and the libertarian view of DeFi / smart contracts. In the utilitarian worldview, the legal system still exists to handle disputes / exploits, but in the absence of such legal disputes, smart contracts allow you to automatically execute contracts without needing human overhead to manually execute them.


Citibank mistakenly sent $900M to a bunch of hedge funds. Many refused to return it. Citi lost the court case.

https://www.cnn.com/2021/02/16/business/citibank-revlon-laws...


They accidentally repaid their loan early, which was explicitly allowed in the contract. The hedge funds were under no obligation to pay them back, since the money was now rightfully theirs.


Yes, exactly. They sent the money to their creditors. Had they accidentally sent it to someone who they didn't owe money to, the courts would order the money to be returned.


And everything done in this case was in a smart contract. That’s the idea.


I don't think the smart contract explicitly said "there's this arbitrage opportunity available", but it's definitely a fine line.


This kind of automated index fund seems pretty suggestive of arbitrage to me.

And flash loan contracts are a bright neon sign saying "arbitrage opportunity!"


They repaid someone else's loan early.


Yeah like the other guy replied, they intended internally to send it to a wash fund but mistakenly (due to a UI glitch) paid the debt back to the lenders. Now that UI glitch was their fault too, so...the courts said, cry all you want.

And they're a gigantic bank, it's the original digital business, every banker knows a single arithmetic error is dangerous.

Just bankers being inept.


I agree that this case was obviously ruled on incorrectly. The institutions broke the law (stole) by not returning the money, and the judge wanted to give a hot take instead of a legitimate ruling. Not allowing someone to retrieve money or property which was clearly given to you by mistake is theft. The end.


They sent their lender the exact sum of the loan. It's kind of a different case.


A single judge ruled against Citi. It's under appeal.


> That is, modern finance and the law also attempt to deal with intent.

It does? Maybe for the poor, but certainly not for the rich/corporations.[1]

[1] - https://www.imf.org/external/pubs/ft/fandd/2019/09/tackling-...


so called “tax havens” actually have a role to play in the world economy.

but on your main point regarding “modern finance and law”:

2021: https://member.fintech.global/2022/01/05/the-top-five-compli...

https://www.kyckr.com/aml-fines-2021/

tldr fines amount to billions in total and sometimes criminal proceedings are brought forward.


> so called “tax havens” actually have a role to play in the world economy.

So does the mafia and the child slaves corporations like Nestlé profit from, they all have "a role to play in the world economy". But it's about the morals and ethics and the hypocrisy of western institutions that allow these loopholes for the super rich in order for them to protect their wealth from taxation.


I never hear "code is law" from defi protocols, their ToS, or really from anyone. It's only the detractors of Web3 who tout this false logic of "code is law" so I guess you're screwed.

Examples of code NOT being the law: Some defi protocols have made those affected by a hack/loophole whole again with their own funds. Some defi protocols explicitly exclude certain jurisdictions like the US from accessing their protocol. Surely if they all believed "code is law" they wouldn't give a fuck, right?


> Examples of code NOT being the law: Some defi protocols have made those affected by a hack/loophole whole again with their own funds.

That's a terrible example. If the code really weren't law, they'd reverse the transaction, or force the hacker to give back the money, like a court could.

Since the code is law they're stuck, and so just hand the victim some money out of their own pockets, to try and eliminate bad press and keep people's trust.


That's because the transaction isn't reversible/is hard to trace the funds. It's not that "code is law" in the sense that smart contracts are extralegal. They would and should have legal recourse if the person were caught.

And coins like USDC can blacklist addresses and comply with regulatory asks. It's hard to buy your argument that smart contracts are extralegal when there are operators that comply with legal authority.



