Stephen D Palley is a lawyer in private practice in Washington, DC, where he focuses on construction, insurance and software development, including blockchain and smart contracts.
The opinions in this article are Palley’s alone, are not intended to be legal advice, and may not be shared by past, present or future clients or any firm with which he is associated.
I woke this morning to the sound of dozens of message notifications in rapid succession. The DAO had been attacked. More than $50 million worth of ether had already been drained. At least one technical solution had already been proposed.
Some people like it, some don't. In addition to the technical remedies, some have asked about legal remedies that might be available against The DAO hacker.
Could they be criminally or civilly liable? Could they be sued? If so, how? And if so, by whom? Some thoughts on this topic follow, below.
Criminal law
State and federal criminal statutes are potentially at issue.
There are plenty. One might start with something like theft and iterate. A variety of federal laws may also apply broadly to unauthorized access to computer systems or access that exceeds authorization. In addition to fines, penalties and imprisonment, criminal laws can also make whole remedies for injured parties, and provide damages for losses.
Whether this is on the radar of law enforcement is a separate question. I am simply pointing out that, yes, criminal laws may have been broken.
Are any potential defenses available to the hacker? Could they just give the ether back? As one commenter noted on Twitter, giving the ether back may be appreciated as an act of contrition or mitigation, but it doesn't necessarily serve as a defense to criminal liability.
Others have suggested that the hacker can't be liable as they only did what the contract allowed. It's an interesting argument but, simply stated, code vulnerability doesn't equal consent.
As a defense, it’s pretty weak tea. Theft is theft, off chain or on.
Exploiting a known vulnerability in ATM card code doesn’t give you the right to take money that isn’t yours from a bank.
Civil law
Second, what about civil liability? Can the hacker be sued for damages or injunctive relief? Yes, they can be.
That they may be anonymous or pseudonymonous isn't necessarily a problem at the outset. Whether they can ultimately be located behind the contract address may be something that is soon tested. But as a procedural matter, you don't necessarily have to know who or where someone is to sue them, necessarily.
In the US, a John Doe defendant can be used in an initial complaint (depending on jurisdiction) and serve as a mechanism to start the process of trying to locate the hacker. With a suit on file, you do get subpoena power, among other things.
Who might actually sue the plaintiff? Someone damaged by the theft could potentially sue on their own behalf. They might also be able to file on a class action basis as a representative of other token holders. The DAO or a DAO probably wouldn’t be the plaintiff.
A suit by the DAO qua DAO would mean that the DAO had some sort of legal personalty and the ability to make decisions off chain, about litigation (and to hire a lawyer). It's unclear that "The DAO" could actually be a client. It’s code, right?
A simpler (though admittedly imperfect) approach might be for private plaintiffs to sue as putative class representatives on behalf of all token holders similarly situated.
Tort law
What claims could be asserted against the attacker? There are many. From a tort law standpoint, conversion comes to mind.
It's a tort remedy available when someone takes property that's not theirs.
One wrinkle is that conversion may not be available for cash or currency: depending on the jurisdiction that remedy may only be available for tangible property. (Is ether tangible property? This may also depends on jurisdiction).
Plenty of other tort theories are available though. Civil theft, fraud, trespass are a couple of other examples. Implied contract claims might be available too.
Did the hacker breach an implied agreement, or an implied duty of good faith and fair dealing? Equitable claims such as unjust enrichment might also be available. Injunctive relief might be sought, too. These are just examples, and this isn't intended to be an exhaustive or exclusive analysis.
What about damages? This requires some speculation. Loss of token value might be one measure of damages. Other damages theories might arise. For example, consider a case where if market manipulation was a motive.
The attacker might have anticipated that a significant theft would cause the price of ether to decrease, and bet on the market accordingly. If so, disgorgement of ill-gotten gains might also be a potential remedy.
Bottom line: If you think the hacker is a bad guy, legal and equitable remedies may well be available, and damages too.
Law image via Shutterstock