> He did not steal anything. He beat the fund (Indexed Finance) at their own game.
As popular as this idea is online, it doesn’t work that way in the courts.
Intent matters in issues of the law. The “finders keepers” rules don’t apply in legal matters in the real world.
If someone logs into their bank and notices that changing the account number in the URL lets them withdraw from other people’s accounts, no court is going to shrug it off and say that it’s the bank’s fault for not being more secure. Likewise, finding a vulnerability in a smart contract doesn’t automatically give someone the right to any funds they collect from exploiting it.
We all know the “code is law” arguments about smart contracts are just marketing bluster. The lawyers do, too.
The intent of the whole underlying system is that the intent of all the parties be described by the code of the smart contracts, which are intended to be composable, intended to be used in unanticipated ways, and intended to operate independent of any human oversight. The system is also intended to avoid all ambiguity by enforcing the contracts exactly as described by the code... and to provide certainty of transactions and prevent them from being undone after the fact.
Everybody involved knows all of that, and claims it as a positive feature of the system. At least until they find out that it's actually hard to write bug-free code.
There may indeed not be a legal "meeting of minds" (although there very well also may)... but from an ethical point of view, everybody involved knowingly signed up for exactly that kind of risk. And honestly it would be good public policy if the law held them to it. Otherwise you get people trying to opt out of the regular legal system up until it's inconvenient.
There'd be more of a case if he'd exploited the underlying EVM implementation. But he didn't. He just relied on the "letter" of a contract, in an environment that everybody had sought out because of unambiguous to-the-letter enforcement.
Exactly this. If what is written on the blockchain is not the law in the context of anything involving blockchains and DeFi, then the whole idea of blockchains and decentralized finance is pointless.
You’re assigning a set of beliefs to an entity that doesn’t hold them. The authors of the code are pursuing the matter in court i.e. they see smart contracts as an efficient decentralised solution to a complex problem within the existing legal framework.
Nah, they just want to make money. They fucked up and now they're trying to get the legal system to save them.
> intended to be used in unanticipated ways
Am I an idiot or is it unclear why this is the intention?
I assume OP means it in the sense that the system intends novel uses that the designers didn't necessarily consider. Same with programming languages (or language in general), for example.
> If someone logs into their bank and notices that changing the account number in the URL lets them withdraw from other people’s accounts, no court is going to shrug it off and say that it’s the bank’s fault for not being more secure
When you open a bank account, there is an actual contract and regulatory framework that governs how you use the account. A URL parameter is an implementation detail that no more alters the contract than a broken lock on a vault would alter the contract.
But when you interact with a smart contract, the smart contract is the contract. What you are allowed to do is defined by what the smart contract lets you do. You don't need to open an account, agree to T&Cs or sign any other sort of contract to interact with the smart contract.
If the smart contract is not the contract, how would you propose we can determine what the real contract is?
> when you interact with a smart contract, the smart contract is the contract
This is one viewpoint but certainly not the only viewpoint and definitely not the viewpoint of the authors of the contracts in question.
Smart contracts are a novel method of executing contracts, but like all contracts, the parties involved and the contract itself are subject to legal oversight in the relevant jurisdictions.
The big difference is that those are centralized systems owned by corporations, and accessing them in a way which you're not supposed to, such as by changing a bank account number or exploiting a zero day, is a crime.
With DeFi it's different; the code is public and decentralized. There was no unauthorized access to anything here. From my reading of what was done, it was essentially taking advantage of the poor trading strategy of Indexed Finance.
I'm not going to pretend to be a lawyer, but I don't see a lot of parallels between this and e.g. using SQL injection to obtain unauthorized access to a system.
I'm not a lawyer either, but I suspect the technical structure is not determinative. Contract law has certain features. These technical constructs purport to enable contracts to be written and executed such that subsequently the courts cannot but find that what the code did is final and there is no possible legal reconsideration. Clearly, this is the prior expectation of the parties, but whether it is the case under all circumstances is a function of contract law (and other applicable law) not the technical constructs. The code is not what will finally be determinative.
To give an analogy, it's like writing code in a high level language and saying that it will prevent side channels such as spectre. But such side channels are a function of the hardware, not the high level language. The hardware in defi is ultimately the law, not the servers.
> I suspect the technical structure is not determinative
Correct. The courts care about intent, structure is secondary.
This is the classic “you don’t get to walk into my house just because you found an unlocked door” that HN users struggle to understand when the digital equivalent is under discussion e.g. an unsecured API.
> This is the classic “you don’t get to walk into my house just because you found an unlocked door” that HN users struggle to understand when the digital equivalent is under discussion e.g. an unsecured API.
Except this is not how DeFi and dApps work. The network is decentralized. At no point was any unauthorized access to a system performed. This is not the same as entering private property through an unlocked door, or using SQL injection to gain unauthorized access to a system.
This is not to say Medjedovic is innocent; he made extortionist threats, and gleefully admitted he stole money from people, so wire fraud charges seem obvious. As you say, the courts care about intent, and his intent was clear. But you can't apply the normal charges of accessing a computer without authorization here.
My example was a meta comment about how HN users confuse means vs motive.
In this particular case, however, we’re talking about fraud not unauthorised access, see a very similar case here which resulted in a conviction: https://www.justice.gov/archives/opa/pr/man-convicted-110m-c...
> his intent was clear
Would it be fair to say his intent was to enrich himself by using this platform's features ? And bonus points: "is that a crime" ?
You can look through the indictment yourself - https://www.justice.gov/usao-edny/media/1388036/dl?inline
Among other bits:
> MEDJEDOVIC understood that his conduct circumvented the intended functioning [...] MEDJEDOVIC discussed a plan to "steal crypto," referred to the exploit as involving "glitch" and "fake" liquidity, and described the code for the exploit as a "rape."
> MEDJEDOVIC also prepared a "POST-EXPLOITATION" plan for himself, which included, among other things, "KEEP the configs Burn the evidence, including the histfile" and "Book flight to: Pack Bags," as well as another file labeled "Decisions and Mistakes," in which he wrote, "Going On the run / Yes / Chance of getting caught<Payoff for not getting caught"
> Immediately after obtaining the flash loan, MEDJEDOVIC wrote "Raping Now" in the public event log for the transaction.
There's extremely strong evidence that he believes he's committing a crime, and specifically "steal[ing] crypto" in his own words, so yes. And when you have records effectively saying "I believe I am committing a crime", it becomes a lot easier to convince a jury you committed a crime.
Thanks for this; so we have: wire fraud, money laundering, and an interesting charge “unauthorized damage to a protected computer” that sees the Ethereum EVM as a distributed computer…
Yeah, this one is very interesting; the charge is for "intentionally caus[ing] damage without authorization to one or more protected computers, including the Ethereum Virtual Machine (EVM), which was implemented through, among other nodes, a full Ethereum node running in the Eastern District of New York."
This seems ambitious. The implications seem quite dire; if I'm running a full Ethereum node do I have the ability to say which smart contracts are "authorized" to execute on my implementation of the EVM? If I see a smart contract do a trade I don't like, is someone committing a crime against me? I don't think this will stick if Medjedovic ever goes to court.
His intention was to defraud the DAO; similar case that resulted in conviction: https://www.justice.gov/archives/opa/pr/man-convicted-110m-c...
The entire point of cryptocurrency contracts is supposedly that “code is law”. Running to the courts as soon as someone does something you didn’t intend only highlights that people don’t actually believe this.
We've known this since Ethereum forked in the DAO debacle.
We have, it’s just yet another counterexample that tanks the arguments of True Believers.