
DAOs, Hacks and the Law - ikeboy
https://medium.com/@Swarm/daos-hacks-and-the-law-eb6a33808e3e
======
darawk
As an investor in the DAO and believer in smart contracts and Ethereum, I
agree with this article.

I think we all got over-excited and took this way too fast. But I do think it
would be a mistake to be too rash in throwing out the entire concept because
of this one mistake. Will there be mistakes like this in the future?
Definitely. But it is my hope that the entire cryptocurrency community will be
chastened by this experience into taking things a little more slowly in the
future.

IMO those of us who invested in the DAO should lose our investment. We fucked
up and we deserve the loss, and if people see that real money was lost,
perhaps they will be more judicious in the future with their investment
decisions. I certainly will be.

But I don't think it makes sense to let the thief get away with the money
either. I know in some sense there is a philosophical problem that the 'code
is the contract' and the 'contract is the law' and therefore the code is the
law, for better or worse. But IMO allowing this to happen would just be
counterproductive. There's no benefit to letting him (or her!) take the money
and run, and quite a bit of harm to the ecosystem and probably lots of people
who just held some ether and didn't invest in the DAO.

I'd like this event to be seen as a learning experience. People were
overzealous and they got burned. In the future, let's be more careful, but
let's keep exploring the possibilities of this technology.

~~~
mikeash
The reason to let the attackers get away with the money is that it would show
Ethereum is what they say it is: a secure way to execute smart contracts. If
you don't allow it to happen, then it's just another boring human organization
with a few powerful people calling the shots, and everyone who uses it as a
platform for smart contracts will wonder if theirs is the one that crosses the
invisible line and gets rolled back.

~~~
darawk
Except that it isn't powerful people calling the shots. It's powerful people
making suggestions, and then the shots being called by the network
participants. There is nothing happening here that is contrary to the ethos of
smart contracts or decentralized governance. If any sort of fork is accepted
it will be because a majority of miners thought it was a good idea, not
because Vitalik said so.

~~~
kalleboo
What does the mining situation look like for Eth? Is it like Bitcoin where
it's less than a dozen guys in China? Or is it more spread out?

~~~
jcoffland
Where did you get the idea that Bitcoin is mined by less than a dozen guys in
China? This is absolutely false. There are major miners in the US, Georgia and
elsewhere.

~~~
kalleboo
Around 70% of the hashrate is controlled by 5 Chinese-controlled mining pools.

------
stevecalifornia
"DAO, I closely read your contract and agreed to execute the clause where I
can withdraw eth repeatedly and only be charged for my initial withdraw.

Thank you for the $70 million. Let me know if you draw up any other contracts
I can participate in.

Regards, 0x304a554a310c7e546dfe434669c62820b7d83490"

~~~
will_brown
That is the legal argument the article presents, but it is wrong. Here is a
quick legal analysis:

Contracts that include illegal activities, such as theft, are unenforceable.
If the hacked funds get released the whole of the DAO would be legally
invalid.

In other words, what stopped an investor from day 1 from suing the creators of
the DAO in court to get their investment back? Well, the fact that there was a
contract in place and that contract/DAO had not been breached, meaning the
investor would lose such a lawsuit. The argument from the article is
suggesting even with the hack the same is true, because it's part of the
contract; therefore, the contract/DAO hasn't been breached. That is where the
legal argument fails.

Try contracting for any other illegal activity and see how that works out
enforcing it in court. "Your Honor, I have a contract right here that says I
paid for the drugs but they weren't delivered." Just imagine, "Your Honor, the
contract/DAO says any member can create a child DAO and steal the funds from
the other investors/party to the contract...Judge they contracted to be stolen
from." I am predicting right now if any of those funds get released as a
result of this hack, there will be criminal charges, but it will just as
likely be against the creators of the DAO as the hacker. They are not shielded
from liability, civilly or criminally, because the victims agreed to be
victimized in a contract.

As a lawyer I have called the DAO snake oil[1] from the beginning, but mostly
because it sold itself as something new legally...which it is not (of course I
was downvoted). I suggested if you like the concept of a DAO, great, but start
your own that is true decentralization, as it really isn't much more than an
Investment Club LLC. And more controversially, I challenged the charade of the
smart contract, again not as a concept, because they do have value legally and
otherwise, but as what the DAO sold smart contracts as...a self-enforcing
contract. That is bullshit; for any real world example anyone can give me, I'll
come up with a real world way to breach it. 20 days ago I suggested the first
DAO proposal should create: a) a group of lawyers/coders to review all proposed
and funded contracts for approval; and b) an insurance company to insure both
approved proposed and funded DAO contracts in the instance of bugs/errors.[2]
If these hacked funds don't get released and that is not the first step
members of the DAO take after cleaning up the actual DAO framework, everyone
deserves the next hack.

[1]
[https://news.ycombinator.com/item?id=11707497](https://news.ycombinator.com/item?id=11707497)

[2]
[https://news.ycombinator.com/item?id=11789829](https://news.ycombinator.com/item?id=11789829)

~~~
vmarsy
How enforceable would a classic contract be that says in very fine print: "you
can put money in this account, but you are aware that this is a public
account, anyone opening the account using the _Recur Door_ can come and walk
out with your money. You understand the risks that someone might do this one
day"?

(where the _Recur Door_ is defined as the mechanism that guy used for this
_hack_. Also, here the fine print would be replaced by a line "you
fully understand this algorithm + source code" clause)

Would it be treated the same way we would treat an honest Ponzi scheme
contract? "You can get a return on investment as long as someone else invests
money after you. If you happen to be the last, you're out of luck." Would such
a contract be legal?

~~~
will_brown
Not sure what an honest Ponzi scheme is, but obviously not only would a
contract for a Ponzi scheme be unenforceable, but Ponzi schemes are also
criminal.

I'll give real world examples that go both ways:

1. Parking garage tickets: they include tiny little print saying the garage
won't be liable for lost or stolen items from your car. Generally if your car
is broken into those will be enforceable and the garage won't be liable.

2. Skydiving contract: includes tiny little print that says if I die as a
result of the company's negligence, they won't be liable and/or I waive my
right to sue. Unenforceable, you can't waive negligence. (Think about a
skydiving school forgetting to pack a chute, someone dying, the family suing
and losing, because of a defense that the deceased waived negligence in
the contract.)

Let's look at a potential negligence claim against the creators of the DAO
code.

1. By creating and soliciting investment for the DAO did its creators owe the
investors a duty? If yes, go on;

2. By creating code that allowed ~$40M of investors' funds to be taken, was
there a breach of that duty? If yes, go on;

3. Did the substandard code result in damages to the investors? If yes, go on;

4. Can the investors prove monetary loss? If yes, you have a good civil claim
for negligence against the creators of the DAO for the damages.

~~~
vmarsy
By an honest Ponzi scheme I mean someone comes to you with a contract, and is
not trying to be deceptive, is not trying to lie, doesn't have misleading
marketing materials. He writes in font size 36: "This is a Ponzi scheme, it
works the following way: [...]. You agree with all the risks involved when
giving the money". This would work if this was a Ponzi scheme, or a roulette
game actually[.].

When you sign, there is a notarial act, and a video of you shaking hands and
saying out loud that you understand this is a Ponzi scheme and you might end
up losing all your money; there are also some drug tests performed to make
sure you are not under the influence of any drug, and some psychiatric
evaluation to make sure you are not disabled in any way.

[.] Another thought, slightly off topic: can I sue a Las Vegas casino because I
put $100k on Red but the ball ended on Black and I lost everything? They even
facilitate drugging me with C2H6O!

~~~
sheepleherd
Ponzis are illegal, and not for being misleading, but for having the financial
structure of a "pyramid scheme". "Disclosing" the structure makes it easier to
prove that they fit what has been made illegal.

------
sbov
Is it just me, or would this going to court be the worst case scenario for
Ethereum?

I mean, if the "hacker" wins, then it shows how impractically dangerous "code
as contract" can be - you better be damn sure it's correct.

And if the "hacker" loses, it invalidates code as contract completely. The DAO
claimed the code, and only the code matters. But what the DAO claims doesn't
mean shit if courts say that is not true. Your whole idea is now just
bullshit.

~~~
stevecalifornia
This contract, with this much money, needed NASA levels of QA.

I cannot think of many code projects that have a higher value-per-line-of-code
than this contract.

Sadly, it appears that not only was there not the needed QA but the leaders of
this project were alerted to the exact problem in code 5 days ago and they
responded by declaring that there was no risk.

The actual problem + the response makes this feel like amateur hour.

Now everyone involved understands why things that exist in 'old finance' like
contracts and IPOs are scrutinized by large, expensive auditors.

~~~
amaks
Exactly. DAO should have tested the shit out of their "contracts" before
starting to accept people's money. Now DAO, and Ethereum as a result, won't
have any trust.

------
curiousgal
I believe people are looking in the wrong direction. Whoever did this already
made millions shorting Eth right before the "attack".

[https://mobile.twitter.com/EthereumWiki/status/7439059896828...](https://mobile.twitter.com/EthereumWiki/status/743905989682855936)

~~~
Bromskloss
Is the idea that people would lose faith in how practical smart contracts are,
or why would this affect Ethereum at large?

~~~
patio11
The Ethereum team is intimately involved with the DAO, one of whose goals is
demonstrating that Ethereum can be used for at least one useful purpose. To
say there is a lot riding on it is an understatement.

------
jacques_chester
I have to admit, I share some of the author's smugness.

The world is very, very complex.

That is why the law is very, very complex. It covers everything humans do,
have done, or will do. Alone, together, in small groups or large groups. As
private individuals or public bodies. With real objects or imaginary objects.
In their homes, on the street, in public buildings, in private parks. On the
ground, under the ground, on the water, under the water, in the air, in orbit,
out to the limits of human space.

Every day people come to the courts with potentially totally novel
combinations of people and events, and the courts _guarantee_ they will make a
decision.

The courts have been doing this for _nearly a thousand years_ and are still
chugging along solving new problems. This should indicate that this is not a
permanently solvable problem. The law is an adaptive, dynamic system.

All of this is why, as a software engineer who once studied (and mercifully
quit) law, I am sometimes bemused by the idea that bodies of law can be
ignored or swept away by code.

The law doesn't see it that way and in this game, the law gets the final move.

~~~
ars
> The courts have been doing this for nearly a thousand years

The courts have been doing this for over five thousand years! Since the
beginning of recorded human history.

And they have been doing it using basically the same legal ideas we use today
- only the details on what the laws are differ.

(Did you have a particular event in mind to say "nearly a thousand years"?)

~~~
schoen
> nearly a thousand years

I'd guess because it's the approximate age of the recorded English common law,
which is the main basis of the American legal tradition.

[https://en.wikipedia.org/wiki/English_law#Common_law](https://en.wikipedia.org/wiki/English_law#Common_law)

(not that that is the first court or legal system in human history)

------
abalone
This armchair legal theory is rather pleasantly eviscerated by Matt Levine
today on Bloomberg.[1] In short, you do not get immunity from real world
contract law with a one paragraph disclaimer.

[1] "Blockchain Company's Smart Contracts Were Dumb"
[http://www.bloomberg.com/view/articles/2016-06-17/blockchain...](http://www.bloomberg.com/view/articles/2016-06-17/blockchain-company-s-smart-contracts-were-dumb)

~~~
appleflaxen
Aren't the blog post and the journalist both non-lawyers? How do you decide
who is right. They both make good points.

"eviscerated" seems a bit too strong, when two non-experts are arguing on the
internet regarding any topic.

~~~
w1ntermute
The journalist is a former lawyer and Wall Street banker[0]:

> [Levine] has worked as an investment banker at Goldman Sachs and a mergers
> and acquisitions lawyer at Wachtell, Lipton, Rosen & Katz. He spent a year
> clerking for the U.S. Court of Appeals for the Third Circuit and taught high
> school Latin. Levine has a bachelor's degree in classics from Harvard
> University and a law degree from Yale Law School. He lives in New York.

If you want to understand finance and law from the perspective of an expert in
both who also takes an interest in tech, I would highly recommend going back
and reading his articles[1]. He's a very prolific writer on Bloomberg View and
has previously written several articles on Bitcoin, Ethereum, the blockchain,
and related topics[2,3,4].

0:
[http://www.bloomberg.com/view/contributors/ARbTQlRLRjE/matth...](http://www.bloomberg.com/view/contributors/ARbTQlRLRjE/matthew-s-levine)

1:
[http://www.bloomberg.com/view/contributors/ARbTQlRLRjE/matth...](http://www.bloomberg.com/view/contributors/ARbTQlRLRjE/matthew-s-levine/articles)

2:
[https://www.bloomberg.com/view/articles/2016-05-17/blockchai...](https://www.bloomberg.com/view/articles/2016-05-17/blockchain-company-wants-to-reinvent-companies)

3:
[https://www.bloomberg.com/view/articles/2016-05-23/bailout-f...](https://www.bloomberg.com/view/articles/2016-05-23/bailout-fights-and-blockchain-ideas)

4:
[https://www.bloomberg.com/view/articles/2016-05-31/complianc...](https://www.bloomberg.com/view/articles/2016-05-31/compliance-therapy-and-software-rules)

------
biot
DAO needs to be battle tested in EVE Online for a year before letting loose on
the real world where money is at stake. Much like ponzi schemes and other
exploits of the past, the EVE Online developers just consider it part of the
game. Caveat emptor.

~~~
simcop2387
That's a really interesting idea, using a virtual economy to field test
something like this. I was thinking about how you'd do that and actually
attract attackers by having some value, using something like EVE where people
are willing/wanting to do it anyway in game might work.

~~~
Analemma_
How would this work? If you discovered an attack, what would be the incentive
to not just sit on it until it was released to the real world?

~~~
wmf
In-game money (ISK) can buy influence in the social dynamics of EVE. There's
also a prisoner's dilemma aspect where someone else might independently
discover the same attack and use/disclose it before you get a chance to.

------
lpage
_Good_ lawyers don't write overly complicated contracts, and they don't speak
in legalese. The concepts covered within the contract might be complex, but
the writing itself is deliberately readable. Complex things are brittle.
Clear, well written contracts are more likely to be interpreted correctly by
all parties if something unforeseen happens. Contrast this to the alternative
- writing a contract by enumerating every possible outcome, hoping that you
don't miss one, knowing that if you do, every party will argue for the
interpretation that's most favorable to them. The adversarial aspect makes
things that much harder.

Contracts in something as flexible as Ethereum strike me as the ultimate in
fragility. There's a great use case for anything that looks like a smallish
FSM - formal methods will yield something very usable and provably correct.
Being able to do that on a system with a state space the size of Ethereum +
The DAO - yeah, we're a ways away from that one.

------
brianpgordon
> according to the DAO’s own legal contract

Why does it even matter what's on the DAO's website? They don't _control_ the
DAO, and you don't need to have gone through the DAO website to have invested
in the original offering or in the spot market afterwards. What legal force
would their website have anyway?

------
api
What would happen if the hacker went public, hired legal counsel, and asserted
their right to the funds as per the terms of the contract?

Now _that_ would be interesting. I could see a top legal team taking it simply
for the sake of an opportunity to set legal precedent.

~~~
mlvljr
For more awesomeness, imagine the hacker turns out to be Craig Wright :)

~~~
jcoffland
He's not nearly talented enough.

------
_bdog
An exam question a German lawyer told me to illustrate how a layman's
understanding of law and expectation of logic therein often doesn't apply:

"Your employer tells you to break into an opponent's office and steal
something. You do that, jump out of the window and break a leg. Is your
workplace insurance legally obliged to cover the medical cost?"

~~~
_98fj
(the answer is yes)

------
noonespecial
Sounds like a case of:

[https://en.wikipedia.org/wiki/Unjust_enrichment](https://en.wikipedia.org/wiki/Unjust_enrichment)

In regular law there's actually a way to say "that's not what I meant and you
_knew_ that's not what I meant". Prove it and the law is with you.

~~~
DannyBee
No, actually.

Unjust enrichment explicitly applies _only_ to the situation _where no actual
contract exists_.

~~~
noonespecial
Oh. I was thinking it might be like this part _" On this analysis, the
defendant is obliged to make restitution if there is no 'basis' for her
receipt: for example, because the contract under which the defendant received
the benefit was void ab initio."_

Obviously, I wouldn't offer a contract that lets someone take an unlimited
amount of money and only deduct the amount of the first transaction, and the
withdrawer clearly knew this. Not true?
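
The "withdraw repeatedly, charged once" mechanism that stevecalifornia's comment parodies and that this comment describes, as an added simulation (constructed Python, not the DAO's own Solidity): paying the recipient before debiting its balance lets a re-entering recipient repeat the withdrawal until the pool is empty, while debiting first (the checks-effects-interactions order) bounds it to the balance. The names Vault, ReenteringRecipient and run are assumptions of this example.

```python
"""Constructed model of the withdrawal ordering behind the DAO drain.

A vault holds balances for depositors. withdraw() either pays the recipient
first and debits afterwards (the vulnerable order) or debits first and pays
last (checks-effects-interactions). The recipient is a callback, so a
recipient whose code calls back into withdraw() can be represented.
"""


class Vault:
    def __init__(self, safe: bool):
        self.safe = safe
        self.balances = {}
        self.pool = 0  # total funds actually held by the contract

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who: str, receive) -> None:
        """receive(amount) models the external call into the recipient."""
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            return  # nothing owed, or the pool is already drained
        if self.safe:
            self.balances[who] = 0  # effect recorded before any external call
            self.pool -= amount
            receive(amount)         # interaction last: re-entry finds 0 owed
        else:
            self.pool -= amount
            receive(amount)         # interaction before the debit
            self.balances[who] = 0  # the balance is only charged once, here


class ReenteringRecipient:
    """Recipient whose receive() re-enters withdraw() up to `depth` times."""

    def __init__(self, vault: Vault, name: str, depth: int):
        self.vault, self.name, self.depth = vault, name, depth
        self.got, self.calls = 0, 0

    def receive(self, amount: int) -> None:
        self.got += amount
        self.calls += 1
        if self.calls < self.depth:
            self.vault.withdraw(self.name, self.receive)


def run(safe: bool, depth: int = 5):
    """Returns (amount the re-entering party got, pool left, honest balance)."""
    vault = Vault(safe)
    vault.deposit("honest", 90)   # constructed sample balances
    vault.deposit("attacker", 10)
    recipient = ReenteringRecipient(vault, "attacker", depth)
    vault.withdraw("attacker", recipient.receive)
    return recipient.got, vault.pool, vault.balances["honest"]


if __name__ == "__main__":
    print("vulnerable order:", run(safe=False))  # (50, 50, 90)
    print("safe order:      ", run(safe=True))   # (10, 90, 90)
```

In the vulnerable order the honest depositor's balance still reads 90 while the pool no longer covers it; the safe order leaves the pool consistent with the recorded balances.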

~~~
DannyBee
Sadly, no.

First, it would not be void ab initio. Past that, your issue is that the
express terms of the contract appear to allow that, so you will lose
regardless of whether that _was a good idea_ for you to do :P

You could argue breach of good faith, etc, but not unjust enrichment. Like
restitution, unjust enrichment is a theory of implied contracts.

You can plead it and breach of express contract at the same time, but you can
only recover for one, and you _will not recover_ for unjust enrichment if the
court finds an express contract.

------
baby
Interestingly, this story has attracted numerous people to Ethereum. It was
pricey advertising but it worked.

------
dang
Url changed from
[http://www.bloomberg.com/view/articles/2016-06-17/blockchain...](http://www.bloomberg.com/view/articles/2016-06-17/blockchain-company-s-smart-contracts-were-dumb),
which points to this, which is arguably a dupe of
[https://news.ycombinator.com/item?id=11921900](https://news.ycombinator.com/item?id=11921900),
but if people want to discuss it separately we'll leave it up.

~~~
mikeyouse
For those looking to know more about how the DAO will actually interact with
the 'real world', I'd suggest reading the Bloomberg link too -- Matt Levine is
an excellent writer with a history on Wall St. as an M&A lawyer and an
I-Banker, so he definitely knows what he's talking about.

