“Code is Law” is a principle that is being hotly debated in the international crypto community. The question is who is responsible when software that is openly available and can be used by anyone is improperly used or exploited in a way that leads to financial loss.
Mads Ribe is an associated partner and leads EY's focus on Digital Law & AI in Norway. Mads is a leading business lawyer specializing in new technologies such as blockchain, digital assets, and artificial intelligence. He has assisted key players in the Norwegian blockchain community, including growth companies and more established players.
Norwegian software companies in DeFi are going through an unpredictable time as MiCA is implemented, writes lawyer Mads Ribe in a new blog post. The issues have come up in connection with a French court decision, which Mads Ribe comments on in this blog post.
Are certain forms of hacking equivalent to exploiting a slot machine to extract extra winnings? A French court just ruled on this.
In December, a French court dealt with a case that has created great controversy in the crypto community. The case was about two brothers who hacked Platypus Finance, a DeFi (decentralized finance) protocol. By exploiting a weakness in the code, the brothers were able to extract US$8.5 million. They defended themselves with the “Code is Law” principle, which dictates that exploiting a weakness in the code is not theft, but a lawful use of the code to one's own advantage. The court sided with them.
“Code is Law” is a principle that is being hotly debated in the international crypto community. The term is related to the industry's many decentralized protocols, where anyone can use open software programs to perform various crypto transactions. One of the first and best-known protocols is MakerDAO. Here, anyone can use its open-source software to take out loans and provide collateral in cryptocurrency. The program is made up of a set of smart contracts, i.e. automatically executed coded actions (of the kind usually regulated in an agreement), which transfer, lend, pledge and unlock cryptocurrency depending on the user.
Although MakerDAO has created the program, they have rejected legal responsibility for its use. They justify this by the fact that it is openly available and can be used by anyone. The question becomes who is responsible when improper use or exploitation of the software leads to financial loss on the part of a user.
This is what the French brothers did by exploiting a weakness in the code of an open software. In such a context, the “Code is Law” principle implies that the code can be used freely, but at the user's risk. If there is a weakness in the code that can be exploited, users must accept this without being able to claim compensation from hackers. The code performs the actions that are possible and at the user's risk. The code is thus the central framework for the act and not other legislation — “code is law”.
Many people are against this, and believe that software and its exploitation do not operate in a vacuum outside regular legislation. Hacking is stealing and must therefore also be equated with stealing, both in criminal and tort law. This could mean that the developers of the code, even if it is open and usable by anyone, could be responsible for both weaknesses and usage.
The consideration of preventing misuse and protecting an unwitting user who does not necessarily understand the code and the risks of its use must therefore be weighed against predictability for whoever has developed the code and made it available for the benefit of the market.
The French court compared the exploitation of code in open software with the exploitation of a slot machine. The verdict is based on French “hacking law,” which apparently requires that the hacking involve a deceitful act. That was not the case here, because the brothers had used the software in a “legal” way without changing the code, tricking their way in with passwords or defrauding anyone in the truest sense of the word.
Critics of the ruling believe that the law did not fit the case, in that the code inherent in smart contracts is open, while hacking presupposes unauthorized entry. Nor can one deceive an openly available smart contract, as it is not, or apparently is not, controlled or owned by a legal entity. An exploitation of the code would possibly involve violating the principle of loyalty in contractual relations, a civil law principle, which can give rise to damages under a contract between two parties. The Court held that in any case it was not fraud in the criminal sense.
This is also the question in a case pending before English courts (Tulip Trading Limited v van der Laan and Others [2023] EWCA Civ 83). Here, alleged Bitcoin creator Craig S. Wright has sued software developers of various versions of the Bitcoin blockchain in England. The background is that Wright was stripped of the private keys to his digital wallet in a hacker attack involving Bitcoin worth over US$4 billion at the time the lawsuit was initiated (which is probably much higher now given recent developments in the Bitcoin price). Wright has sued developers of the Bitcoin blockchain, demanding that they change the source code so that Wright regains control of the private keys. None of the developers are based in England, and the developers claim that the Bitcoin blockchain is decentralized without being based in one specific country. The case has nevertheless not been dismissed at the first hurdle, as the Court of Appeal has found it realistic that English courts have jurisdiction. This issue now becomes the subject of oral proceedings during 2024 and will have major ripple effects for decentralized blockchains and digital assets if English courts claim jurisdiction and take up the underlying issue for consideration. If Craig S. Wright wins the lawsuit, some argue that this could be the start of a collapse in the value of digital assets and especially Bitcoin.
Time will tell whether the French court's comparison to a slot machine holds and how Norwegian courts will deal with similar issues, which are undeniably forthcoming. Although the judgment was handed down by a French court of first instance, which generally carries little legal weight for all other courts (including in France), it is possibly the first of its kind and stands as an example of how such cases can be handled in the future.
Nevertheless, it is worth noting that the case has both a criminal and a civil law character. Even if there is no fraud, the issue is whether a smart contract, i.e. a deal executed by code, is subject to ordinary contract law principles. In this case, the intention behind the action could be important. At the same time, it is not always possible to identify a contractual counterparty in a smart contract, and it can be difficult to define the jurisdiction in which the contract is executed when it is located openly in the “cloud”. The alternative, therefore, is that the code is considered to be “the law” in the sense that it is only the code, and how it can be used or abused, that matters for the judicial review.
Either way, the discussion will continue to rage in the global market for decentralized finance. It will not be the last time courts in Europe encounter the “Code is Law” argument in cases about exploiting weaknesses in code. One may therefore ask oneself whether decentralized finance is for everyone or only for those who fully understand the code and the complexity that comes with it.