The big difference is that those are centralized systems owned by corporations, and accessing them in a way which you're not supposed to, such as by changing a bank account number or exploiting a zero day, is a crime.
With DeFi it's different; the code is public and decentralized. There was no unauthorized access to anything here. From my reading of what was done, it was essentially taking advantage of the poor trading strategy of Indexed Finance.
I'm not going to pretend to be a lawyer, but I don't see a lot of parallels between this and e.g. using SQL injection to obtain unauthorized access to a system.
I'm not a lawyer either, but I suspect the technical structure is not determinative. Contract law has certain features. These technical constructs purport to enable contracts to be written and executed such that subsequently the courts cannot but find that what the code did is final and there is no possible legal reconsideration. Clearly, this is the prior expectation of the parties, but whether it is the case under all circumstances is a function of contract law (and other applicable law) not the technical constructs. The code is not what will finally be determinative.
To give an analogy, it's like writing code in a high-level language and saying that it will prevent side channels such as Spectre. But such side channels are a function of the hardware, not the high-level language. The hardware in DeFi is ultimately the law, not the servers.
> I suspect the technical structure is not determinative
Correct. The courts care about intent, structure is secondary.
This is the classic “you don’t get to walk into my house just because you found an unlocked door” that HN users struggle to understand when the digital equivalent is under discussion e.g. an unsecured API.
> This is the classic “you don’t get to walk into my house just because you found an unlocked door” that HN users struggle to understand when the digital equivalent is under discussion e.g. an unsecured API.
Except this is not how DeFi and dApps work. The network is decentralized. At no point was any unauthorized access to a system performed. This is not the same as entering private property through an unlocked door, or using SQL injection to gain unauthorized access to a system.
This is not to say Medjedovic is innocent; he made extortionist threats, and gleefully admitted he stole money from people, so wire fraud charges seem obvious. As you say, the courts care about intent, and his intent was clear. But you can't apply the normal charges of accessing a computer without authorization here.
My example was a meta comment about how HN users confuse means vs motive.
In this particular case, however, we’re talking about fraud, not unauthorised access; see a very similar case here, which resulted in a conviction: https://www.justice.gov/archives/opa/pr/man-convicted-110m-c...
> his intent was clear
Would it be fair to say his intent was to enrich himself by using this platform's features? And bonus points: "is that a crime"?
You can look through the indictment yourself - https://www.justice.gov/usao-edny/media/1388036/dl?inline
Among other bits:
> MEDJEDOVIC understood that his conduct circumvented the intended functioning [...] MEDJEDOVIC discussed a plan to "steal crypto," referred to the exploit as involving "glitch" and "fake" liquidity, and described the code for the exploit as a "rape."
> MEDJEDOVIC also prepared a "POST-EXPLOITATION" plan for himself, which included, among other things, "KEEP the configs Burn the evidence, including the histfile" and "Book flight to: Pack Bags," as well as another file labeled "Decisions and Mistakes," in which he wrote, "Going On the run / Yes / Chance of getting caught<Payoff for not getting caught"
> Immediately after obtaining the flash loan, MEDJEDOVIC wrote "Raping Now" in the public event log for the transaction.
There's extremely strong evidence that he believes he's committing a crime, and specifically "steal[ing] crypto" in his own words, so yes. And when you have records effectively saying "I believe I am committing a crime", it becomes a lot easier to convince a jury you committed a crime.
Thanks for this; so we have: wire fraud, money laundering, and an interesting charge “unauthorized damage to a protected computer” that sees the Ethereum EVM as a distributed computer…
Yeah, this one is very interesting; the charge is for "intentionally caus[ing] damage without authorization to one or more protected computers, including the Ethereum Virtual Machine (EVM), which was implemented through, among other nodes, a full Ethereum node running in the Eastern District of New York."
This seems ambitious. The implications seem quite dire; if I'm running a full Ethereum node do I have the ability to say which smart contracts are "authorized" to execute on my implementation of the EVM? If I see a smart contract do a trade I don't like, is someone committing a crime against me? I don't think this will stick if Medjedovic ever goes to court.
His intention was to defraud the DAO; similar case that resulted in conviction: https://www.justice.gov/archives/opa/pr/man-convicted-110m-c...