‘Code is Law’ is no Defense for Blackhat Hacking
In the wake of the intricate, multi-flashloan script that bankrupted DeFi investing platform Indexed Finance last year, the blockchain community is reckoning with the validity of the famous, yet poorly understood ethos that ‘code is law’. Before unpacking this dialectic pioneered over 20 years ago by American lawyer Lawrence Lessig, it’s vital to understand the attack vector allegedly scripted by 18-year-old Andean Medjedovic to drain Indexed.
At the root of the script that Medjedovic composed to score $16 million from Indexed was a $157 million flashloan. Flashloans are a form of unsecured peer-to-peer lending, meaning that borrowers don’t have to post collateral when taking out loans from DeFi platforms.
Instead, loan principal and interest must be repaid by the debtor within a single transaction, otherwise the lending protocol’s smart contract reverses the entire transaction. These instant, collateral-free loan products have become a popular way for DeFi traders to profit from price arbitrage opportunities in decentralized markets.
But over the last two years, crypto-quants like Medjedovic and others have also found novel ways to circumvent dApp lenders’ guardrails. In this case, attackers take advantage of weaknesses in lending dApps to create ‘slippage,’ which is the discrepancy between their borrowing contract and the real market value of the token loaned to them. In other cases, hackers more directly and straightforwardly pull funds out of smart contracts. Flashloans are just one of the many attack vectors that projects find themselves up against.
DeFi platforms can themselves go the way of Lehman’s (and Indexed’s) if the trade is large enough and coded adequately by the scripter. More broadly, flashloan attacks account for a significant percentage of more than $4 billion worth of losses attributable to lending dApp exploits over the last two years, according to crypto-forensics firm Elliptic.
Such is the broader context underlying the collapse of Indexed last year. Medjedovic’s script executed two flashloans to finance asset swaps, taking advantage of a complex mispricing flaw in Indexed’s smart contract that enabled him to profit handsomely from collapsing Uni, the protocol’s benchmark-pegging token. Questions surrounding the ethicality and legality of Medjedovic’s trade — and also other smart contract exploits — have sparked a debate in the DeFi community that has put Lessig’s seminal cyberspace philosophy of ‘code is law’ to the ultimate test.
The Indexed Debate
On one hand, Medjedovic’s multi-million-dollar score has been maligned by various legal plaintiffs as a hybrid fraud. A civil case filed by a Delaware-registered LLC representing the largest (and anonymous) owner of tokens alleges that the teen math prodigy’s payday was a byproduct of market manipulation and computer hacking. In a separate lawsuit filed by Indexed founders against Medjedovic, the plaintiffs’ attorney said that Medjedovic’s actions amounted to the same types of techniques a burglar would use when “disabling the security system at a bank.”
On the other hand, some members of Crypto Twitter have championed Medjedovic’s payday as a legitimate trade, given the ethos that ‘code is law’. Absent any legal statutes governing fair DeFi market conduct, all Medjedovic did was write an intricate script that exploited arbitrage opportunities. For his part, the teen trader told a Bloomberg journalist that none of his actions involved “getting access to a system he was not allowed access to.”
Medjedovic further noted that he did not steal anybody’s private keys; he merely “interacted with the smart contract according to its very own publicly available rules.” Additionally, Medjedovic highlighted to the news outlet that the people who lost tokens in the trade were similarly “seeking to use the smart contract to their advantage and taking on risky trading positions that they, apparently, did not fully understand.”
Now, Medjedovic has reportedly fled Canada to avoid the civil suits he is facing. Medjedovic is also refusing to return any of the crypto he obtained from the flashloan script.
Immunefi sought out opinions from two cyber and crypto legal experts for their take on Medjedovic’s case.
Cybersecurity lawyer Steve Snyder compared the Indexed hack to the original Ethereum DAO debacle, “where lots of people in the community took the position that if you put smart contracts out there that get exploited too bad take your lumps.”
Discussing the broader Web3 ecosystem in general, Snyder told Immunefi, “once you go to court you’ve pretty much conceded all the purported advantages of irreversible transactions are illusory.” But Douglas Park, a corporate and securities attorney who operates his own firm in San Francisco specializing in Web3 litigation, took a much more hawkish view on the Indexed hack.
Park told Immunefi that “Writing code or a script to take $16 million from Indexed Finance is a hack and pilfering of $16 million that is not his. ‘Code is law’ is not a defense to hacks or theft.” Park also cited numerous case precedents in Canadian and U.S. court that rejected the ‘code is law’ argument in court.
In the Li v. Barber case tried in 2022, Park noted that the Superior Court of Justice in Otario ruled that “digital funds are not immune from execution and seizure to satisfy a debt any more than a bank account provided the individual or institution which can access the funds are within the reach of a court order.”
Park also pointed to the Copytrack Pte Ltd. v Wall ruling of 2018. In this case the Superior Court of Justice in British Columbia granted an order that allowed the plaintiff “to trace and recover the tokens in whatsoever hands they may be held.” This remedy was in response to the defendant’s failure to return 530 ETH (worth about $495,000 CDN at the time) of plaintiff’s ETH that had accidentally been transferred to the defendant, said Park.
Meanwhile, in the Mark Shin v. ICON Foundation case of 2021 survived a ‘motion to dismiss’ the suit in the Northern District of California, noted Park. Shin discovered a bug in the ICON Network (ICX) dApp’s code after a software update. Shin used this bug to mint 14 million new ICX tokens, many of which he transferred to the cryptocurrency exchanges.
ICON froze the tokens. The judge’s denial of the motion to dismiss means that “novel questions of ownership rights of tokens can proceed in court,” said Park.
The issue now before the Canadian court system, assuming Medjedovic ever returns home, is determining whether his setting out to write code intended to torpedo Indexed’s benchmark token and broader repricing mechanism, in the furtherance of bankrupting the protocol for his enrichment, constitutes an act of market manipulation. The code-is-law dialectic is at the heart of this legal standoff.
We make no comment on whether Medjedovic’s script constitutes hacking or not; that’s for the courts to decide; although it’s very sensational and has opened up the debate about code is law, in most cases, it’s not so complex as debates around flashloans and slippage. In the vast majority of cases, attackers just directly exploit flawed code to drain smart contracts of user funds. Those types of scenarios are less ambiguous and seem straightforwardly illegal.
Is Code Law in Crypto?
In the introductory section of his famous essay, Lawrence Lessig wrote that in cyberspace, the “regulator is code — the software and hardware that make cyberspace as it is. This code, or architecture, sets the terms on which life in cyberspace is experienced.” Code “determines whether access to information is general or whether information is zoned,” Lessig wrote.
Lessig’s work has been viewed as the foundation of the ethos that ‘code is law’. Some have interpreted this ethos in the blockchain space to mean that code is its own law and no other law applies. In other words, according to this view, any interaction with a smart contract according to its own code must be legal, since the only relevant rules governing interaction with a program is the program code itself. If a user discovers an interaction with a smart contract that allows him to drain the protocol of funds, then such an action is perfectly permissible and legal, so goes the theory, since the smart contract allowed the user to perform that action.
But even a surface-based analysis shows this position to be deeply flawed and dangerous, both to projects and hackers.
Consider a similar case in the Web2 world. If a web app that makes calls to a database contains a vulnerability that allows a user to perform an SQL injection to pull up sensitive database records, is that legal or illegal? Could that user be prosecuted for extracting the entire database?
The answer, clearly, is yes. Because, as far as the courts are concerned, it doesn’t just matter what the code states. What matters, among other things, is a variety of factors, including intentionality, and how the app normally functions. Is it a part of the app’s normal function to allow you to export another user’s private DMs, for example? No. It’s an accidental bug, and the behavior is unintentional. The app never meant to allow you to access another person’s private data.
The consequences for this kind of hacking are jail and serious fines. The idea that ‘code is law’ as an ethos means that anyone can exploit unintended flaws in smart contracts to drain them of funds is wrong. ‘Code is law’ might mean other things, but it doesn’t and can’t justify hacking, both philosophically and from the perspective of the law.
Blackhats with quant and coding talents would be better served going the ethical route and using their unique skills to capture increasingly lucrative smart contract bug bounties. Whitehat hacker Satya0x recently scored a $10 million bug bounty for his critical find, paid in USDC.
What’s stopping you?