Code Is Not (Always) Law
A French court recently determined that Code Is Law. Essentially. And the decision — somewhat ironically for an industry that usually accepts that exploits happen (and may even be a necessary step towards advancing protocol security) — has put DeFi in a bind.
This is an excerpt from The Node newsletter, a daily roundup of the most pivotal crypto news on CoinDesk and beyond.
In February, the Avalanche-based automated market maker Platypus Finance was breached, with the thieves making away with $8.5 million. As is now routine, the attackers were quickly identified and the stolen funds traced down.
What happened next is somewhat atypical, with the ultimate results possibly setting a troublesome precedent: Platypus’ operators and community decided to pursue legal action against brothers Mohammed and Benamar M. (last name redacted in court documents).
While not the first time blockchain thieves have been brought to court, the situation is something of an enigma considering that crypto, at least as initially conceived, is designed to operate outside the bounds of the law.
The Bitcoin blockchain doesn’t need a money transmitter license to function, it just needs to exist. Likewise, since the earliest days of the crypto industry, the goal has usually been to design systems that work for all — open, global, censor-resistant platforms do what they do whether used by a crook or a saint.
Key to this egalitarian standard has been the idea that the code is the code, and that is what matters most. Judges, regulators and politicians may try to set parameters around what types of financial services can be accessed and by whom, but in crypto, such restrictions cannot apply (except to the extent that centralized companies, like Coinbase, must implement KYC/AML procedures).
There is some debate whether Mohammed was being sincere when he argued in court that he was a “white hat” hacker, only looking to keep 10% of the proceeds for discovering a vulnerability in the code. He claimed he was an “ethical hacker” who took the “endangered funds” so the protocol would learn a lesson and plug its hole.
Likewise, there is an argument to be had whether Platypus acted rightly in seeking justice through the legal system. The victims certainly had a legal right to press charges, as any victim of a theft would. But if the system executes, it executes. And if the code is the law, then all users have to live with the fact that the code contained a vulnerability that was exploited.
Curiously, the French judge overseeing the case seemed to take that same view when dismissing the charges against the brothers. According to a Le Monde article, he compared the financial exploit of Platypus, which seemingly had an infinite money bug (accessible through a DeFi-native “flash loan”), to exploiting a vending machine to get extra bags of chips.
Many in DeFi are calling for Platypus to appeal the controversial decision by taking the matter to a higher court. Code may be code, but a theft is a theft, they argue, and restitution is justified. This seems to be a piece with the growing sense of maturity across the industry. A decade ago, it may have been OK to say crypto could self-regulate, that bad actors would be dealt with through the free market and that code reigns supreme.
Today, after countless DeFi hacks, the proliferation of crypto scams and the implosion of exchange like Mt. Gox, it seems downright irresponsible and naive to say the code is the code and that is that. Personally, I think crypto’s change of heart is for the better: If the industry is to grow, it needs to integrate with the world, and that means integrating with the law.
At the same time, I recognize that what makes crypto powerful is that these self–executing platforms are extra-judicial. Bitcoin wouldn’t be Bitcoin if it started sanctioning or KYCing users, for instance. The tech itself, as the code is written, is opinionated. Crypto has a bias towards anti-authoritarianism and equality before the code.
But crypto isn’t a monolith, and this is a complicated topic that is foundational to nearly everything that has been built in blockchain so far. CoinDesk reached out to a number of protocol founders and industry expert lawyers to get their take.