The sensational $60 million theft from “The DAO” has sparked a fundamental debate about decentralization.

Before I begin, the usual disclaimer: I am not a lawyer. I do not hold ether or DAO tokens. This article takes no sides and contains no legal advice.

What is The DAO?

The DAO is a decentralized venture capital fund built on the world’s second most valuable network for digital currency, Ethereum. Unlike a traditional VC fund with human managers and bank accounts, The DAO was built entirely from computer code.

The DAO fund raised more than $160 million in May 2016, making it the world’s largest crowdfunding project. It was designed by the German-based company, Slock.it, a team of talented Ethereum pioneers led by Stephen Tual and Simon and Christoph Jentzsch. Once funded and launched, the intention was that The DAO would be governed entirely by its computer code and “never be centrally managed”. According to its website:

The DAO is borne from immutable, unstoppable, and irrefutable computer code…its software operates autonomously and its by-laws are immutably chiseled into the Ethereum blockchain… The DAO’s code controls and sets forth all terms of The DAO Creation.

The computer code that created The DAO is called a smart contract; once it has been deployed to the decentralized Ethereum network, its functions are triggered automatically, and designed so that they cannot be controlled by any single authority.

The End of Lawyers?

Ethereum developers as a group have been outspoken about their goal to disrupt lawyers and the legal profession with their smart contract platform. The instructions of a smart contract and its transactions are transparent, time-stamped, auditable and, in theory, irreversible. In a true decentralized system, the rules cannot be changed. So, in theory, at least, the code is the legal contract.

However, since the launch of The DAO an estimated $50 million has been diverted by a single individual who discovered and exploited a bug in its code. This individual is an unidentified investor in The DAO, and his actions have undeniably damaged the other partners in the project. Even worse, as a result of this debacle Ethereum lost $500 million in market cap in 24 hours. According to the computer code of The DAO the lost funds are to be held in a child DAO until 14 July, 2016. If nothing is done before that date, the attacker will be able to spend the stolen funds.

Proposals

Developers of Ethereum and The DAO have scrambled to look for a solution. Proposals to change the rules by:

A) Rewriting the code through a soft fork — which would require 51% consensus from Ethereum’s miners, and

B) Executing a hard fork, which would require all participants in the ecosystem to upgrade their software

have caused a great deal of controversy. As of today, only the hard fork proposal would actually refund the money to the original investors; the soft fork would merely freeze the funds and prevent the attacker from absconding with them.

Obviously, both of the proposed forks violate Ethereum’s promise as “a decentralized platform for applications that run exactly as programmed“. The exact phrase taken from Ethereum’s website is:

Ethereum is a decentralized platform for applications that run exactly as programmed without any chance of fraud, censorship or third-party interference.

Clearly, if either fork were implemented, this statement would not be true, and could potentially open the Ethereum founders to lawsuits for breach of contract. Similar descriptive material from The DAO‘s website suggests liability for Slock.it, who are actually responsible for the code the attacker exploited. It’s also worth noting that even beyond the Slock.it team, many notable Ethereum founders, including Ethereum’s inventor Vitalik Buterin, are specifically named as “curators” of The DAO. These curators are individuals with special but limited abilities designed to verify and control obvious fraudulent activities. There isn’t now, and may never be, any restrictions to prevent people from working on both sides of the line.

Professor Emin Gün Sirer at Cornell has furthermore shown that the attack was not only a result of weaknesses in The DAO‘s smart contract, but also misfeatures in Solidity, the coding language of Ethereum as well as in the EVM, the environment in which the code is executed.

In the meantime alternative proposals are being discussed. A suggestion put forth by Charles Hoskinson, a former CEO of Ethereum and current topman of IOHK, would be to persuade Ethereum’s miners to voluntarily contribute a percentage of their mined ether to compensate users of The DAO for their losses. He argues that this approach would be preferable to the losses the miners would suffer in the value of ether in the case of a fork or if nothing whatsoever were done. Investors in The DAO obviously facing catastrophic losses have reacted by selling their DAO tokens and campaigning the developers to issue a refund.

The Attacker’s Voice?

To complicate the issue even further, someone claiming to be “The Attacker” anonymously posted an open letter in which he asserted that “my action is fully compliant with United States criminal and tort law” based on the terms of the agreement, the actual code of the smart contract itself. In his view he received the funds legitimately, simply by executing the terms of his agreement, and threatened legal action against any attempt to fork or change this result. While the text of this letter is thought provoking, its digital signature is fake. These kinds of phony messages are commonly used to increase trading activity as investors try to predict how the issue will be resolved. The price of ether and DAO tokens is down dramatically, while the price of Bitcoin remains close to its 12-month high. Since no fixes against the attacker’s exploit have been made, there have already been a number of copycat attacks to The DAO with more likely to follow.

The Dutch Case

It seems that instead of hastening the end for the legal profession, lawyers and regulators may actually find themselves with even more work to do. Pamela Morgan, a lawyer and CEO of Andreas M. Antonopoulos’ company, Third Key Solutions, recently suggested that a failure by either Ethereum or The DAO to establish a legal jurisdiction could mean that any conflict arising from the attack could play itself out in any number of jurisdictions. In the case of Dutch holders of ether or DAO tokens, it might be possible to introduce lawsuits to the courts in The Netherlands.

If you invested in The DAO, it seems likely under Dutch law that you can claim a reasonable expectation that your funds be invested in projects, not stolen by an attacker. In theory you might file a damage claim against the creators of The DAO for the failure of the code to perform as it was advertised. Rather than simply looking at a contract literally, the way that it was written, Dutch law (reference Haviltex arrest) also gives strong and reasonable consideration for the actual intention between parties. In this case, clearly, and practically no matter what the attacker claims, the exploit was not part of the original intention of The DAO, and his claim to the funds on those purely technical grounds cannot be legitimate. Simply saying that the computer software is complicated or that it has no intention doesn’t leave the developers off the hook. Dutch law gives the judge the discretion to cut through the complexity of a contract and go back to basics. In this scenario, both the immediate shocked reaction of DAO token holders and the fact that The DAO‘s creators have expressed willingness to redress the damage caused by the attack through a hard or soft fork, further supports this idea.

Who Should Shoulder The Blame?

To illustrate this point, consider just for the sake of argument, the dramatic case of an autonomous weapon used to commit war crimes by a terrorist organization. Imagine that when forced to stand trial, the terrorists themselves deny they did anything but possess the weapon, and that the device simply misfired. The weapons manufacturers will naturally disavow responsibility for the invention, even if it runs amok and commits war crimes, whether there is a flaw in its design or not. Once the product leaves the factory, they reason, the responsibility shifts to the user. Assuming that the courts understand the issues at stake and act in the public interest, rather than siding with the most expensive lawyers, it’s possible for the blame to be divided between terrorists and manufacturers, as each may have had a substantial share of the crime.

Vinay Gupta, a strategic architect for Consensys and a former representative of the Ethereum foundation, has stated that the burden of responsibility for The DAO attack will likely be shared. He’s also talking about substantial legal exposure, particularly in the U.K. jurisdiction.