How to Sue The DAO Hacker

Could the individual or individuals behind yesterday's hacking of The DAO be criminally or civilly liable?

Jun 17, 2016 at 9:28 p.m. UTC
Updated Mar 2, 2023 at 8:46 p.m. UTC


Stephen D Palley is a lawyer in private practice in Washington, DC, where he focuses on construction, insurance and software development, including blockchain and smart contracts.

The opinions in this article are Palley’s alone, are not intended to be legal advice, and may not be shared by past, present or future clients or any firm with which he is associated.

I woke this morning to the sound of dozens of message notifications in rapid succession. The DAO had been attacked. More than $50 million worth of ether had already been drained. At least one technical solution had already been proposed.

Some people like it, some don't. In addition to the technical remedies, some have asked about legal remedies that might be available against The DAO hacker.

Could they be criminally or civilly liable? Could they be sued? If so, how? And if so, by whom? Some thoughts on this topic follow.

Criminal law

State and federal criminal statutes are potentially at issue.

There are plenty. One might start with something like theft and iterate. A variety of federal laws may also apply broadly to unauthorized access to computer systems, or to access that exceeds authorization. In addition to fines, penalties and imprisonment, criminal laws can also provide make-whole remedies for injured parties and damages for losses.

Whether this is on the radar of law enforcement is a separate question. I am simply pointing out that, yes, criminal laws may have been broken.

Are any potential defenses available to the hacker? Could they just give the ether back? As one commenter noted on Twitter, giving the ether back may be appreciated as an act of contrition or mitigation, but it doesn't necessarily serve as a defense to criminal liability.

Others have suggested that the hacker can't be liable because they only did what the contract allowed. It's an interesting argument but, simply stated, a code vulnerability doesn't equal consent.

As a defense, it's pretty weak tea. Theft is theft, off chain or on.

Exploiting a known vulnerability in ATM card code doesn't give you the right to take money that isn't yours from a bank.

Civil law

Second, what about civil liability? Can the hacker be sued for damages or injunctive relief? Yes, they can be.

That they may be anonymous or pseudonymous isn't necessarily a problem at the outset. Whether they can ultimately be located behind the contract address may soon be tested. But as a procedural matter, you don't necessarily have to know who or where someone is in order to sue them.

In the US, a John Doe defendant can be used in an initial complaint (depending on jurisdiction) and serve as a mechanism to start the process of trying to locate the hacker. With a suit on file, you do get subpoena power, among other things.

Who might actually be the plaintiff? Someone damaged by the theft could potentially sue on their own behalf. They might also be able to file on a class action basis as a representative of other token holders. The DAO, or a DAO, probably wouldn't be the plaintiff.

A suit by The DAO qua DAO would mean that The DAO had some sort of legal personality and the ability to make decisions off chain about litigation (and to hire a lawyer). It's unclear that "The DAO" could actually be a client. It's code, right?

A simpler (though admittedly imperfect) approach might be for private plaintiffs to sue as putative class representatives on behalf of all token holders similarly situated.

Tort law

What claims could be asserted against the attacker? There are many. From a tort law standpoint, conversion comes to mind.

Conversion is a tort remedy available when someone takes property that's not theirs.

One wrinkle is that conversion may not be available for cash or currency: depending on the jurisdiction, that remedy may only be available for tangible property. (Is ether tangible property? This may also depend on jurisdiction.)

Plenty of other tort theories are available, though. Civil theft, fraud and trespass are a few other examples. Implied contract claims might be available too.

Did the hacker breach an implied agreement, or an implied duty of good faith and fair dealing? Equitable claims such as unjust enrichment might also be available. Injunctive relief might be sought, too. These are just examples, and this isn't intended to be an exhaustive or exclusive analysis.

What about damages? This requires some speculation. Loss of token value might be one measure of damages. Other damages theories might arise. For example, consider a case where market manipulation was a motive.

The attacker might have anticipated that a significant theft would cause the price of ether to decrease, and bet on the market accordingly. If so, disgorgement of ill-gotten gains might also be a potential remedy.

Bottom line: If you think the hacker is a bad guy, legal and equitable remedies may well be available, and damages too.
