Ethereum is an impressive feat of engineering with unlimited potential. Supporters, and even neutral observers, believe that Ethereum’s decentralized network technology could displace the need for the centralized economic infrastructure (in less-modern times, this infrastructure consisted of individuals known as “middlemen”) that currently dominates our everyday lives. Ethereum will benefit the individual consumer by taking some power away from the large corporations and financial institutions that currently control the existing infrastructure, and giving more power to individuals. However, cutting-edge technology always raises significant, and often unforeseen, issues. As we have now seen, trying to build companies in an entirely different way to take advantage of this revolutionary technology involves substantial additional risks.
On Friday, June 17, 2016, The DAO (short for Decentralized Autonomous Organization), the first Ethereum-based decentralized venture fund, was attacked by an anonymous hacker (the “exploiter”). The exploiter was able to transfer over 3.6 million Ether [ETH], the currency that funds operations on the Ethereum network, into a vehicle controlled by the exploiter. The attack affected one-third of the total Ether in The DAO and over 4% of the entire Ether supply in the Ethereum network.
The timing of this attack was extremely unfortunate, as it comes at a time when Ethereum is making progress towards mainstream recognition. In May 2016, New York Governor Andrew M. Cuomo announced that the New York State Department of Financial Services had authorized Gemini Trust Company, LLC to offer Ether trading on its virtual currency exchange based in New York City. This move by Governor Cuomo immediately made Ether more accessible to people all over the world. It also provided Ethereum with increased legitimacy, as it meant that Ether trading would be subject to the oversight of New York banking regulators, which provides those who hold Ether through this exchange with additional regulatory protections. In the words of Governor Cuomo: “This action continues New York's long tradition of pioneering new innovations and emerging industries ... With robust regulatory oversight, we are maintaining our status at the forefront of this technological revolution and ensuring that users have a safe and secure experience.”
Now, in the wake of this attack, the developers of The DAO, and others in the Ethereum community, are looking for a solution to remedy the impact of this attack, which may or may not include intervention into the source code of Ethereum. Such a potential solution has caused much controversy among Ethereum supporters and the non-Ethereum community as a whole.
Ethereum is a decentralized publishing platform featuring user-created digital contracts and a Turing-complete contract programming language. It provides a decentralized virtual machine that can execute peer-to-peer contracts using a virtual currency called “Ether.” In simple terms, this means that Ethereum has a complete computer language that exists in the exact same state on thousands of computers across the world. It allows computer code (termed “smart contracts”) to automatically perform the operations it has been programmed to perform. These operations include the storage and transfer of information and digital assets, such as virtual currency. Ethereum uses computers around the world to confirm the execution of that code. This decentralized computer technology is commonly known as a “blockchain.” Using cryptography, which relies on mathematics to confirm the legitimacy of the transactions, the computers across the world that maintain the Ethereum network agree on the current state of the information on the blockchain roughly every 15 seconds.
Smart contracts can even allow for computer code to create a business structure. One such business structure is a DAO, which is essentially an investment vehicle that allows for decentralized crowdfunding. Unlike a corporation, which is run by a Board of Directors, the DAO does not have a centralized governing body. Instead, the DAO is formed, exists and makes decisions based upon computer code.
The DAO (confusing name, I know) was the first Ethereum-based decentralized venture capital fund designed to allow participants to pool their funds, collectively vote as to whether to use The DAO’s funds to invest in Ethereum network projects looking for funding, and then reap the future returns of those investments. Unlike a traditional investment vehicle, which has centralized infrastructure and management, The DAO was created via a smart contract, and was intended to run without any centralized infrastructure or regulation.
Slock.it, a European based blockchain solutions company, created the DAO. Slock.it describes The DAO as “a new type of organization, best comparable to a digital company, but without an attached legal entity. Made from irrefutable computer code, it is operated entirely by its community, which backs its future growth by purchasing DAO tokens using ETH, the fuel of the Ethereum network.”
According to Slock.it, the goal of The DAO is, “[t]o blaze a new path in business organization for the betterment of its members, existing simultaneously nowhere and everywhere and operating solely with the steadfast iron will of immutable code. The goal of The DAO is to diligently use the ETH it controls to support projects that will 1) provide a return on investment or benefit to the DAO and its members, and 2) benefit the decentralized ecosystem as a whole.”
The DAO subscribes to a set of values that can greatly benefit and protect individual consumers: transparency, democracy, decentralization, voluntary participation, non-exclusion, privacy and the right to anonymity, and non-aggression.
As per Slock.it, the financial support for The DAO “makes it the most advanced embodiment yet of an idea that has long captivated idealists: automatic companies that operate without managers or boards of directors, making them the purest form of shareholder governance”. The DAO launched on April 30, 2016, with a 28-day funding window.
IV. THE DAO ATTACK
On June 17, 2016, The DAO suffered a multi-million dollar attack by the anonymous exploiter. By exploiting a flaw in the source code of The DAO, the exploiter was able to drain many times his/her ownership interest in The DAO, over 3.6 million Ether. This attack on The DAO proves that there is a lot of work to do to make Ethereum smart contracts as secure as possible before Ethereum can realize its potential.
Because of the injury to the victims of the attack and the ramifications of that attack, the Ethereum community has proposed several solutions to remedy its impact. The implications of these potential solutions have caused much debate and speculation in the community. Perhaps the most important issue raised by the efforts to remedy the injury caused by the attack is whether Ethereum can truly run entirely without human intervention and, if there needs to be fail-safe human intervention, what standards and protocols will govern it.
V. ETHEREUM COMMUNITY RESPONSE TO THE DAO ATTACK
The debate about how/if to address The DAO attack has shed light on the ability of Ethereum to remedy theft. Because Ethereum is entirely based on computer code, in the event of a theft, such as The DAO attack, the developers who write computer code for the Ethereum network can intervene to re-write the Ethereum code to return the stolen Ether to its rightful owners. This intervention, which is known as a “hard fork,” can readily be implemented as long as miners running more than 50% of the computing power on the Ethereum network agree to it. This is a “hard” fork because once the new code is made available, each of the miners must choose whether to implement the new version of the code or stay with the existing version. The result, assuming that not all of the miners choose the same version of the code, is that there will actually be two Ethereum blockchains running for a period of time. However, in most cases, this circumstance will quickly resolve itself because the most popular choice will tend to be the most profitable one for the miners, and thus, they will all migrate to it.
Taking action that allows for the safe return of the stolen Ether would likely be a game-changer compared with the theft of fiat currency, and much more in line with current consumer protections regarding banking and the virtual transfer of wealth. It would both show the ability to right a wrong and expose the vulnerability of relying only upon computer code to resolve human interaction.
VI. ETHEREUM COMMUNITY OPPOSITION TO THE HARD FORK
There are some members of the Ethereum community who, despite the theft resulting from The DAO attack, believe that any intervention to remedy it violates the fundamental decentralization element of Ethereum. They argue that the code is the law and no one, under any circumstances, should change the core code of the blockchain. Other arguments against intervention include that alteration of the core code could lead to unexpected results that could threaten Ethereum itself and that intervention could establish dangerous precedents for dealing with flawed smart contracts. All of these concerns are legitimate and need to be explored openly within the Ethereum community.
VII. LEGAL CONSIDERATIONS
The Ethereum community must take the legal aspects of its decision into consideration prior to reaching a consensus, as whatever the community decides becomes precedent and legal consequences will undoubtedly follow. In recent years, US lawmakers and others around the world have recognized the increased acceptance of virtual currencies like Ether and implemented laws to regulate them. Once smart contracts become more common, and particularly because of the widespread publicity of The DAO attack, additional attempts to regulate blockchain transactions are sure to follow. However, even the existing laws are still in their infancy and those seeking to apply these laws will face many challenges.
The following are some of the legal issues faced by the victims of this attack. There are no clear cut answers and it is likely that new precedent will be created if any of the victims seek to remedy their injuries through litigation.
a. Was the attack illegal?
The exploiter did not (and could not) change any of The DAO’s code. Instead, the exploiter took advantage of a flaw in the code to divert Ether. Thus, there is a colorable argument that the exploiter’s actions were legal, as it was completely consistent with The DAO’s code. If such an argument were to prevail, then there would be no legal recourse against the person who exploited the vulnerability. Moreover, in that event, if a hard fork was implemented, the exploiter could actually have viable legal claims against those who implement it because they would be misappropriating the Ether that s/he obtained legally.
I tend to believe that even if The DAO’s code allowed the exploitation, a court would still likely find that the exploiter has illegally converted the property of the innocent victims here. What happened here is akin to a bank leaving its vault unlocked. Would any of us agree that a bank customer could walk in and take money from the vault that clearly belonged to others?
The Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (CFAA) provides for civil actions arising out of various cyber infractions. Pursuant to 18 U.S.C. § 1030(a)(4) “Whoever … knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”
If someone is not authorized to use a computer, they fall under this statute; and this includes a “hacker”. YourNetDating LLC v. Mitchell, 88 F. Supp. 2d 870 (N.D. Ill. 2000). A “protected computer” is defined as a computer “which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.” A plaintiff claiming a loss aggregating at least $5,000 can receive monetary damages.
Here, the exploiter knowingly, and with intent, defrauded The DAO because s/he siphoned many times his/her actual holdings in The DAO, the balance of which belonged to other users. The DAO would be considered a “protected computer” because it is connected to the internet, which allows it to be used in a manner that affects interstate or foreign commerce or communication of the United States.
The exploiter did not have authorized access to The DAO because s/he used hacking methods to exploit the bug. The exploiter may argue, however, that it was a bug, not a hack, which allowed the funds to be siphoned. Some courts have applied a “reasonable expectation” standard, under which conduct is without authorization only if it is not “in line with the reasonable expectations” of the website owner and its users. EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001). Based on this “reasonable expectation” standard, it is very likely that The DAO and its users did not reasonably expect that the holdings would be siphoned by an exploiter, because the funds were placed for projects and for voting rights on those projects. Another standard is used to determine whether the exploiter exceeded authorized access, namely that computer use is “without authorization” only if the use is not “in any way related to [its] intended function.” Id. at 582. Applying this standard, it is also very likely that this attack was not in any way related to The DAO’s intended function, because the users expected to invest their funds and not have them siphoned away.
The term “exceeds authorized access” is defined by the CFAA to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). Here, if the exploiter is found to have had authorization, it is likely to have been exceeded, because the exploiter was not entitled to obtain or alter the holdings in The DAO.
The exploiter furthered the intended fraud because the funds were set to be deposited in his/her digital wallet. Lastly, the exploiter obtained something of value because over 3.6 million Ether was removed, which has a multi-million dollar market value. Therefore, the exploiter could face civil liability for draining The DAO of its holdings.
b. How do you make a decentralized entity a party to a lawsuit?
Even if a victim of The DAO attack wanted to file a lawsuit, there is no clear answer as to who s/he could sue. While lawsuits against fictitious entities, such as corporations, are permitted, those fictitious entities have legal significance and are subject to regulation. For example, a corporation has to be incorporated in a particular state and maintain many corporate formalities, such as having a board of directors. There is no analogy for a decentralized entity such as The DAO, which makes it difficult, if not impossible, to pinpoint who exactly controls the entity. Frankly, the real answer is that there is no central control other than computer code.
In US federal court, Federal Rule of Civil Procedure 4(a)(1) requires that a summons, the service of which is required to pursue a lawsuit, must identify the Court and the parties. Here, there is no way to identify The DAO in a way that has legal significance or to identify anyone with the authority to represent The DAO’s interest in a lawsuit. Even if there were a way to identify all of the individuals who hold an ownership interest in The DAO, those individuals, of whom there are undoubtedly thousands or even tens of thousands, are located all over the world. Imagine a circumstance where the only way to pursue a cause of action against a large corporation was to sue all of its shareholders. Obviously, no such lawsuit would be feasible.
c. Who besides the exploiter could be liable for the exploitation?
Clearly the person who exploited the vulnerability and misappropriated the Ether would be a likely target of litigation. However, no one has come forward to take responsibility for the attack. There was an open letter published on the internet from someone claiming to be the exploiter, claiming that s/he would seek legal protection to vindicate his/her claims if anyone interfered, but there is no way to use that to identify the exploiter.
Slock.it would seem to be the most culpable party from which to seek recompense, but at what cost? If Slock.it were sued, that would likely divide the Ethereum community. Many of those involved in Slock.it have been involved from the beginning and have been helpful to the Ethereum network, such that suing them for supposed misconduct would undoubtedly do damage to Ethereum. Further, as the litigation would likely take years to resolve, the cloud of uncertainty hanging over Ethereum would most likely stagnate development substantially.
Finally, there are those claiming that the Ethereum Foundation, a non-profit entity located in Zug, Switzerland that consists of the developers of Ethereum and some of the greatest minds in the blockchain ecosystem, might be liable. I find it unlikely that the foundation would be liable, as that would be like suing Microsoft for a theft that occurred because of a defect in a software program that it did not write or distribute, just because it ran on Windows. Further, a lawsuit against the leaders of the Ethereum community would disrupt Ethereum development and likely crater the price of Ether. To the extent a judgment in such a litigation was denominated in Ether or based on the price of Ether at the time of the judgment, it could be generally worthless.
I began this article with my personal belief that the hard fork was a mistake and in favor of no human intervention. After looking at the current state of affairs, and the ramifications of potential litigation regarding The DAO attack, I am now of the belief that a hard fork should be proposed to the miners and that the majority of the miners should accept it. While such action has potentially dangerous ramifications, I think they pale in comparison to the risk that litigation divides and devastates the Ethereum community. If the hard fork is implemented and the exploiter believes s/he can seek relief from the US courts, my law firm would be happy to represent, on a pro bono basis, those that the exploiter chooses to sue.