This is an article about exploits on blockchains, and how we approach them as a community.
I'd like to highlight up front that this doesn't contain any call to action. I'm not a lawyer, high octane developer or influencer, but I've been around for long enough to see history rhyme. With that said, I've been asked a few times now to flesh out what I think 'code is law' means (to the degree that it means anything at all).
As with my other writings, don't expect much by way of cohesive structure: it's a braindump that I want to look back on in years to come and see if my opinion has changed.
I'm a great lover of the EVM and other models (such as WebAssembly) that enable Turing-complete program execution in an adversarial, pay-to-play environment. My PhD thesis was on creating compilers that target stack-based languages exactly like the EVM, and I have huge affection for languages like Solidity that elegantly compile into it. The language semantics alone pulled me away from a career in banking - where I was programming around money - and into Ethereum, where I can program money directly.
As any Ethereum developer will tell you, though - the opportunities granted by Turing-completeness come with its own set of problems: testing being foremost amongst them. We've made great strides in fuzzing and formal verification techniques, but the whole paradigm is still very much in its infancy. People will write or reuse code that contains a flaw such as re-entrancy, or they'll write something that makes a simplifying assumption in order to save on execution costs that turns out to subsequently be vulnerable. They'll accidentally brick access to a core data structure, or mistakenly allow people to arbitrarily claim the balances of others.
As any software developer will tell you, programming is a wilful manifestation of intent: a conscious effort to formalise the process of getting something done: we write code to perform specific tasks according to a mental model. There's a spectrum for the scrutiny that that code receives depending on its purpose - you wouldn't spend much time searching for edge-cases in a program that handles your personal to-do list, for example - but code deployed on blockchains is excoriatingly important to get right: you're writing intent that natively handles other peoples money, with vanishingly few chances at winding back the clock if you got it wrong.
And yet - in light of a small pool of truly skilled EVM developers, an even smaller, very busy pool of auditors and the occasional bug that quite simply hasn't been seen before - exploitable on-chain code gets through the cracks, and is deployed to mainnet.
I'd like to talk about what happens when such code is misused. That's not to say that I'm uninterested in flaws at the protocol level (such as the two Bitcoin inflation bugs, CVE-2010–5139 and CVE-2018–17144), but these are a category apart - fundamental errors in the water, rather than issues with the fish that swim in it.
The story is always the same at this point. A confused tweet or Telegram message appears saying that something is afoot with some DeFi/NFT project - occasionally pointing at an Etherscan transaction - and an announcement is made on whatever platforms said projects utilise:
"Something has happened and we're investigating: we'll update you when we know more".
And in the replies: chaos.
The crypto-native community splits immediately into two camps. Those that rush to assist with root cause analysis, tracking of funds or general well-wishes, and similarly those that delight in the confusion and carnage - either mocking from the sidelines, lionising the exploiter, or messaging people who have publicly announced losses in an attempt to phish them to exploit them further.
If the root of the exploit has already been previously identified (or is a mild variant thereof), strips are torn off of people involved for poor oversight. If it is novel, within 48 hours people who have never written a line of code in their life will confidently assert that it was incredibly obvious and that only the novice or malicious would have overlooked it.
Three days pass. No one talks about it anymore except for the affected.
Then the next protocol is exploited, and the wheel turns again.
Some of those that previously proclaimed that what had happened was "based" are hit for non-trivial amounts of their own net worth, and seek sympathy that they had previously denied. Some of those that were affected by the last exploit pour fuel on the new fire, out of a sense of revenge against those that weren't there for them when they were affected.
Send not to know for whom the bell tolls. It tolls for thee.
Crypto is one of the best examples currently going of a tabula rasa. By this, I mean that nearly everyone who comes to it - with an intent to actually engage with it - treats crypto as a blank slate, upon which their own philosophy, politics and worldview get projected.
Fundamentally, a protocol like Bitcoin is pretty boring: it enables pseudonymous, peer-to-peer transactions. That's not to say that the ability to make such transactions isn't a massive improvement upon the status quo that we were all brought up to accept as normal: it is! Rather, that's all that Bitcoin - when initially released - ever was or purported to be: a cypherpunk demonstration that commerce could subvert banks and clearing-houses.
The presumption that it was built to destroy governments, "act as the cure to all humanities ills" (I've seen this in the wild before), or even that Bitcoin could or should act as a store of value - these are all side-effects of the attitudes that people brought to the table and assigned to Bitcoin. The toxic maximalism that pervades its community on the whole is a result of the loudest voices in the room asserting that "this is what Bitcoin represents".
Ethereum is no different, but significantly more complex. We don't often hear the term 'global computer' anymore when discussing it, but that's all that it is: a credibly neutral platform for executing Turing-complete code, maintained in a decentralised manner using - currently - proof-of-work for consensus.
One of the most toxic projections I've seen appear in non-Bitcoin crypto is 'code is law', at least in the guise that anything that happens on-chain is - either implicitly or explicitly - fair game, because that's what was permitted in exploited code. I'm old enough to remember the same takes being applied to the early internet, when "if you put your credit card details onto a site, you deserve everything you get" was a drumbeat.
This take seems - to me - to derive from the belief that everything on-chain works in a void, and that we've abandoned a thousand years of legal precedent simply because crypto isn't fully embedded in society yet. I don't think this is true at all, but saying as much absolutely splits crypto aficionados in half.
I put a lot of the blame for this on the adoption and usage of the term 'smart contracts'. There's still a lot of muddy water when it comes to whether the notion of contract in a legal sense applies when engaging with on-chain code, and it sources infinitely many poor takes in the aftermath of every exploit that always go along the lines of "well, the exploiter didn't sign a piece of paper saying that they weren't going to use it in such-and-such a way".
Stop making this atrocious argument. I beg you. Contracts can be - and frequently are - created by conduct. You don't sign a contract every time you drive into a car park, or whenever you put money into a vending machine, but no one sane reading this is going "there's absolutely nothing wrong with breaking the glass of a vending machine and taking everything inside, I was allowed to do it". You aren't signing a contract when you put your details into a newsletter subscription page, but you're still rightfully annoyed and want intervention when that data is leaked.
Vitalik - as usual - is right here. We'd save ourselves a lot of pain if we'd used 'persistent scripts' instead. The damage is done at this point though, so this is just a howl into the void.
I see the above as the root conflict between the original cypherpunk vision of early Bitcoiners and "global parallel financial system that subverts intermediaries" view of the in-it-for-the-tech crowd. I don't think Ethereum was created with nearly the same focus on anonymity - we know who the creators are, for a start -, and use the aforementioned description of Ethereum as global computer when it comes to my thinking about it.
Coming at it from a purely cypherpunk perspective, the ability to efficiently wash digital assets cryptographically (if you're not a fool) leads quickly to the position "why would I ever pay tax on this?". It's an easy exercise to use that as the premise of a modus ponens that ends with "therefore all state oversight fails". I can appreciate the former point, I just don't agree with the conclusion.
You know what else works really well for enabling tax evasion if you're careful about where you keep it and move it around surreptitiously? Cash. And we - as a species - are very good about using it as such. And yet, we see the theft of cash as a civil wrong. Curious.
The lack of legal precedent establishing that on-chain code is not law in the free-for-all sense comes purely from the fact that it's hard to establish the identity of perpetrators, and that "justice" - if you believe that that's the appropriate word - can only ever be restorative in nature. In time, this dearth of precedent will eventually end: God gives her toughest battles to her soldiers with the weakest opsec.
I should point out here that I'm even split internally about what comprises an act that deserves legal intervention - I do have a streak of cypherpunk in me! Context matters a lot here, and I'll go to my grave defending the actions of, for example, anonymous white-hats who drain a protocol (assuming that no externalities happen such as LP collapse) with the intent of returning everything - modulo a bounty - once a critical vulnerability has been patched.
It's worth pointing out that I do believe in a version of code is law! Personally, I take it to mean that transactions are probabilistically final after a certain number of blocks, and that the execution of code cannot be censored by a miner or validator: that doesn't mean that said code execution doesn't comprise an offensive act. What I imagine most people will consider the genesis for this version is the exploit of The DAO and subsequent hard-fork of Ethereum back in 2016.
While there's a fairly convincing argument to be made that we now know who performed the exploit of The DAO - bad opsec stays losing - at the time we were all completely in the dark, and the choice was made to fork Ethereum to a state where all the Ether within The DAO could be claimed by burning DAO tokens via a separate contract. This decision was made after reaching social consensus - it was the first instance of on-chain code driving a protocol shift, and demonstrated that humans - Layer Zero - are the ones that truly govern the way that this all works.
Given that those that believed that the fork was a mistake went and stayed on Ethereum Classic - currently outside the top 20 cryptocurrencies by market capitalisation - I considered that proof enough that 'code is law' in the sense that exploiters use it had been thoroughly rebuffed. I'm interested to see if there'll ever be any legal action taken against the DAO exploiter, as that might put some new nails into this six year old coffin.
It's interesting to me that third-generation blockchains such as Kusama - Polkadot's canary network - are now baking in the ability to implement such social consensus rulings at the governance level. Back in October 2021 an exploit was detected on Karura, a DeFi hub platform built on Kusama, which was swiftly reversed via a contingency pallet and subsequent recovery of funds. In my view, the very existence of this capability serves as a rejection of the militant view of "code is law" and embrace of what I call Layer Zero supremacy, at least from the developers of such networks that are designed for global adoption.
It remains to be seen how much overlap there is between Layer Zero supremacy and state-mandated interventions: for example, I would vigorously defend the rights of a global governance body to refuse a court order to seize the funds of wallets identified as belonging to citizens of a sanctioned nation.
So, that's all I think I have to say on this. In my view, humans are in charge, humans get to make decisions about whether on-chain activity is legitimate or not, and the overriding coordination mechanisms we have at present to guide us are the principles of common law.
It's all Layer Zero.