A French court recently determined that Code Is Law. Essentially. And the decision — somewhat ironically for an industry that usually accepts that exploits happen (and may even be a necessary step towards advancing protocol security) — has put DeFi in a bind.
This is an excerpt from The Node newsletter, a daily roundup of the most pivotal crypto news on CoinDesk and beyond. You can subscribe to get the full newsletter here.
In February, the Avalanche-based automated market maker Platypus Finance was breached, with the thieves making away with $8.5 million. As is now routine, the attackers were quickly identified and the stolen funds traced down.
What happened next is somewhat atypical, with the ultimate results possibly setting a troublesome precedent: Platypus’ operators and community decided to pursue legal action against brothers Mohammed and Benamar M. (last name redacted in court documents).
While not the first time blockchain thieves have been brought to court, the situation is something of an enigma considering that crypto, at least as initially conceived, is designed to operate outside the bounds of the law.
The Bitcoin blockchain doesn’t need a money transmitter license to function, it just needs to exist. Likewise, since the earliest days of the crypto industry, the goal has usually been to design systems that work for all — open, global, censor-resistant platforms do what they do whether used by a crook or a saint.
See also: Calling a Hack an Exploit Minimizes Human Error | The Node
Key to this egalitarian standard has been the idea that the code is the code, and that is what matters most. Judges, regulators and politicians may try to set parameters around what types of financial services can be accessed and by whom, but in crypto, such restrictions cannot apply (except to the extent that centralized companies, like Coinbase, must implement KYC/AML procedures).
There is some debate whether Mohammed was being sincere when he argued in court that he was a “white hat” hacker, only looking to keep 10% of the proceeds for discovering a vulnerability in the code. He claimed he was an "ethical hacker" who took the "endangered funds" so the protocol would learn a lesson and plug its hole.
Likewise, there is an argument to be had whether Platypus acted rightly in seeking justice through the legal system. The victims certainly had a legal right to press charges, as any victim of a theft would. But if the system executes, it executes. And if the code is the law, then all users have to live with the fact that the code contained a vulnerability that was exploited.
Curiously, the French judge overseeing the case seemed to take that same view when dismissing the charges against the brothers. According to a Le Monde article, he compared the financial exploit of Platypus, which seemingly had an infinite money bug (accessible through a DeFi-native “flash loan”), to exploiting a vending machine to get extra bags of chips.
Many in DeFi are calling for Platypus to appeal the controversial decision by taking the matter to a higher court. Code may be code, but a theft is a theft, they argue, and restitution is justified. This seems to be a piece with the growing sense of maturity across the industry. A decade ago, it may have been OK to say crypto could self-regulate, that bad actors would be dealt with through the free market and that code reigns supreme.
Today, after countless DeFi hacks, the proliferation of crypto scams and the implosion of exchange like Mt. Gox, it seems downright irresponsible and naive to say the code is the code and that is that. Personally, I think crypto’s change of heart is for the better: If the industry is to grow, it needs to integrate with the world, and that means integrating with the law.
At the same time, I recognize that what makes crypto powerful is that these self–executing platforms are extra-judicial. Bitcoin wouldn’t be Bitcoin if it started sanctioning or KYCing users, for instance. The tech itself, as the code is written, is opinionated. Crypto has a bias towards anti-authoritarianism and equality before the code.
But crypto isn’t a monolith, and this is a complicated topic that is foundational to nearly everything that has been built in blockchain so far. CoinDesk reached out to a number of protocol founders and industry expert lawyers to get their take.
Neeraj Agrawal, head of communications at Coin Center:
Scott Lewis, creator of DeFiPulse, Slingshot and the Canto Network:
Austen Campbell, Columbia Business School professor and former BUSD portfolio manager at Paxos:
David Hoffman, co-founder of Bankless:
Christine Kim, Galaxy Digital vice president of research:
Gwart, gwart of gwart:
Jon Rice, former editor in chief of Blockworks, Cointelegraph, Crypto Briefing:
Conor Ryder, head of research at Ethena Labs:
Nathan Schneider, professor of media studies at University of Colorado Boulder, co-founder of the Metagov Project and creator of "exit to community" theory:
Cami Russo, co-founder of The Defiant:
Nelson Rosario, founder of Rosario Tech Law and professor of law at Chicago-Kent College of Law:
Maria Bustillos, Brick House co-founder:
Michelle Lai, Electric Coin Company board member and governance councillor and Synthetix:
Eva Beylin, director of the Graph Foundation:
Jared Grey, Sushi CEO:
Stephen Palley, litigation partner and co-chair of Brown Rudnick's Digital Commerce group:
General counsel for Alliance, Mike Wawszczak:
James McGirk, content lead at Spectral:
Jake Brukhman, founder of CoinFund:
Paul Dylan-Ennis, professor at the University of Dublin and CoinDesk columnist:
Brian Frye, professor of law at the University of Kentucky's J. David Rosenberg College of Law and conceptual artist:
Lex Sokolin, partner at Generative Ventures and CoinDesk columnist:
Krystal Scott, artist:
Odysseas.eth, of Phylax:
Miguel Morel, CEO of Arkham Research:
L0la L33tz, author:
Scott Fitsimones, creator of AirGarage:
Arthur Brietman, co-founder of Tezos:
The Blockchain Socialist:
Mike Demarais, co-founder of Rainbow wallet:
UPDATE (DEC. 8, 2023): Adds comments from professors Brian Frye and Nathan Schneider.