Note: None of this is legal advice

The Parity wallet is one of the products offered by Parity Technologies Limited under a free software license. To be perfectly clear, the Parity wallet does not operate like a bank and it does not actually store cryptocurrencies. It is a type of digital wallet that serves as both a wallet and an interface between the Ethereum platform and your computer. But instead of storing your money, it stores your public and private keys (a bunch of random numbers used to encrypt and decrypt code), and allows you to send and receive cryptocurrencies.

On 20 July 2017, Parity updated and deployed the ‘library’ smart contract in order to fix a known vulnerability. This contract contained a new vulnerability which allowed anyone to assign themselves as the owner of the ‘library’, which in turn allowed the owner to ‘kill’ the library. On 6 November 2017 the said vulnerability was triggered ‘accidentally’ by someone by the name of devops199. As a result, all wallets that were dependent on the library became paralyzed — that is a total of 584 wallets containing 513,774.16 ETH or approximately US$243 million at time of writing.

Let’s say you physically possessed a safe that held your private key. Well, devops199 disabled the electronic pin pad that would have enabled you to access its contents.
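To make the failure mode concrete for readers who have not seen the pattern, the following is a simplified, added illustration of the two defects described above: a shared library contract whose owner can be set by anyone because its initialiser is unguarded and was never run on the library itself, and an owner-only self-destruct path living inside that shared library. It is not Parity’s code; the contract names, the `initOwner` function and the `Wallet` contract are assumptions chosen for this example, and the hardened version shows the mitigation (ownership fixed at deployment, a one-shot initialiser, and no self-destruct in shared code).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified illustration of the pattern described above. Not Parity's code;
// contract and function names here are assumptions chosen for the example.

// VULNERABLE: a shared "library" contract whose owner can be set by anyone,
// because the initialiser has no guard and was never called on the library itself.
contract UnsafeWalletLibrary {
    address public owner;

    // Intended to run once per wallet via delegatecall, but it is also
    // callable directly on the library, by anyone, at any time.
    function initOwner(address _owner) public {
        owner = _owner;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Once someone has claimed ownership of the library itself, this removes
    // the library code, and every wallet that delegatecalls into it stops working.
    function kill(address payable to) public onlyOwner {
        selfdestruct(to);
    }
}

// HARDENED: ownership is fixed at deployment, the initialiser cannot be re-run,
// and the shared library carries no self-destruct path at all.
contract SafeWalletLibrary {
    address public owner;
    bool private initialised;

    constructor() {
        owner = msg.sender;   // the library instance is owned by its deployer, not by a later caller
        initialised = true;   // direct calls to initOwner on the library itself now revert
    }

    // Still works via delegatecall from a fresh wallet, because that runs
    // against the wallet's own storage, where `initialised` is still false.
    function initOwner(address _owner) public {
        require(!initialised, "already initialised");
        owner = _owner;
        initialised = true;
    }
    // No kill()/selfdestruct: a library shared by many wallets must never be able to remove itself.
}

// Minimal wallet that forwards to the library via delegatecall.
// Its storage layout must mirror the library's (same slots, same order).
contract Wallet {
    address public owner;       // slot 0, mirrors the library's slot 0
    bool private initialised;   // slot 1, mirrors the library's slot 1
    address public immutable lib;

    constructor(address _lib) {
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(abi.encodeWithSignature("initOwner(address)", msg.sender));
        require(ok, "init failed");
    }

    fallback() external payable {
        (bool ok, ) = lib.delegatecall(msg.data);
        require(ok, "delegatecall failed");
    }

    receive() external payable {}
}
```

The point of the hardened version is the constructor: by initialising the library’s own storage at deployment, the same `initOwner` that wallets legitimately call through delegatecall becomes a no-op on the library itself, so nobody can later claim it. Removing the self-destruct path from shared code is the second, independent safeguard, since a library that cannot be destroyed cannot strand the wallets depending on it.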

The questions

The triggering of the vulnerability raises many legal questions such as:

Who is responsible for the vulnerability (devops199? Parity developers?)

What recourse do users and businesses have against Parity Technologies Limited?

To what extent do free software/open sourced software licenses and legal disclaimers limit the service provider’s liability?

Could devops199 be facing criminal charges or civil claims under the Computer Fraud and Abuse Act?

This also raises other business related concerns about using a free, open sourced, unregulated software service where significant amounts of cryptocurrencies are at stake. Should investors and businesses be trusting their crypto holdings with a software provider that is uninsured, has no government backing, and has expressly stated that they have zero liability – even when they are negligent?

The potential contractual relationships

1. Parity and User/Business User — governed by Terms of Website Use and GNU General Public License (GPL).

2. Parity and devops199 — governed by Terms of Website Use; devops199 may have breached one of the terms by using the site for a ‘prohibited use’ (see below). It may also be possible for Parity to claim damages against devops199 under the Computer Fraud and Abuse Act (see below).

3. User/Business User and devops199 — no contractual relationship. It may be possible to claim damages against devops199 under the Computer Fraud and Abuse Act (see below).

4. Business User and their customer — recourse depends on any contractual relationships between the parties. If a business held the frozen crypto on trust or on behalf of their customer under a contractual agreement, then the business may have to cover the lost funds. Similarly, if the frozen crypto was delivered to the business in return for goods or services (e.g. delivering fully functional tokens post-ICO), the business would still be bound by any contractual promises it made irrespective of whether the frozen funds are recovered.

The diagram below from Elementus reveals the main wallets affected. According to Elementus, at least 16 of the affected wallets are associated with companies that have raised money via an ICO.

Software liability

Could there be a claim for damages under tort law? It could be argued that Parity owed a duty of care to its users as there was a foreseeable harm (Parity had been alerted to the vulnerability in August but decided to delay the fix to a future point in time), the degree of certainty that the users would suffer injury was extremely high (due to the large sums of value stored and as evidenced by recent high profile hacks such as The DAO, Mt Gox) and yet there was no formal audit.

This Reddit user claiming to work for Parity admits that they “rushed” and “forgot” to execute a key piece of code resulting in the vulnerability.

The standard of care may be higher due to claims that it is “The fastest and most secure way of interacting with the Ethereum blockchain.” and “Ultra Reliable”. However, as this article states, establishing causation may be difficult so long as courts choose to fixate on the hacker, not the environment-creator, when assessing who brought about the injury in question. US courts have previously focused on the role of the hacker instead of considering the role of the software developer in creating an environment susceptible to exploit.[1]

General Public License

Parity is licensed under the GPLv3, or GNU General Public License version 3 which guarantees end users the freedom to run, study, share and modify the software. An excerpt from the license:

According to this clause, it seems that Parity may be protected from claims for damages arising from the inability to use the program, depending on whether an applicable law states otherwise or something else was agreed to in writing. Applicable laws could vary depending on state or jurisdiction; however, it appears that all users would have also agreed to a similar limitation of liability clause in the Terms of Website Use (see below).

Terms of Website Use

Here is an excerpt from Parity’s Terms of Website Use:

Recourse against Parity may be difficult as it appears that users of the site would have agreed to the Terms of Website Use. Depending on the state or jurisdiction, such limitation of liability clauses may be disfavored or even unenforceable. Some US states have refused to enforce the clauses for a number of reasons, including finding the clauses violative of the specific state’s anti-indemnity statute, or holding that they are unenforceable as against public policy.[2] Whether or not the Terms and/or the GPL will override any negligence claims will be a question for the relevant courts to decide.

Elsewhere across the globe, Australian regulators are starting to look beyond the code. Below are recent quotes from the chairmen of the competition regulator (ACCC) and securities regulator (ASIC) suggesting an approach that focuses more on the actions of the technology company: