Blockchains, Smart Contracts and the Law

…unravelling the legal issues surrounding The DAO

The public debate following the spectacular implosion of The DAO is a good reminder of two things: laws are always going to struggle to keep up with the pace of change in the crypto space; and we can’t necessarily rely on the legal system to solve all of our problems.

As The DAO’s ETH was being drained, the legal questions began. Is this theft? Is it a breach of The DAO’s contract? Would a fork of the Ethereum blockchain be a breach of contract? Could the attacker sue the Ethereum developers for breach of contract? What could regulators like the SEC do?

All of these boil down to a more fundamental question: what could the law do to help prevent or fix a problem like The DAO? Of course, laws aren’t the same everywhere. But there are a lot of common concepts, even across different legal systems, that can help us break down the issues.

Is The DAO a corporation?

Modern legal systems are designed to allow organizations, as well as actual, real people, to participate. Most legal systems do this by giving organizations some of the legal powers that real people have — e.g. the power to enter into legal contracts, to sue, and to be sued.

But organizations don’t just automatically get these powers. Usually, the organization has to go through a process called incorporation — the forming of a corporation. Incorporation requires legal documents, registration with the relevant government agency, and, most importantly, the agreement of actual, real people, to form a corporation.

There was no incorporation process for The DAO. The token holders of the DAO did not agree to form a corporation. In fact, they didn’t agree to much at all, as we’ll discuss below.

The DAO is not a corporation. Not being a corporation is one of the main features of a distributed organization — that it does not rely on corporate law in order to function.

OK then, is The DAO a partnership?

In many legal systems, a group of people that isn’t a corporation can still operate a business together as a partnership. A partnership is much easier to form than a corporation — it doesn’t usually require registration or legal documents. It just requires that the people involved jointly own and operate a business together.

The explanation of terms of The DAO specifically states “DAO tokens do not represent or constitute an equity ownership stake, share, or equivalent in ANY public or private company, corporation, or other entity in any jurisdiction.”

Reduced to the most basic level, the only connection that token holders have with each other is that they happened to send ETH to the same smart contract address on the Ethereum blockchain (or bought tokens after their creation), with an expectation that the smart contract code would execute. Nothing in that code gives them an expectation or ownership interest in a business.

Token holders can’t prevent anyone from becoming a token holder. Generally in a partnership, the existing partners can decide whether or not to bring in new partners. Conceptually, it’s hard to imagine that I could be carrying on a business jointly with people all over the world, who I have never met, who can join and leave the business as quickly as their trading algorithm can execute orders on an exchange.

A partnership can be implied by conduct, but that probably isn’t the case here, because The DAO didn’t operate a business. The DAO probably isn’t capable of operating a business (at least not without human help). Even if it did, the token holders probably wouldn’t have an ownership interest in that business.

The DAO is probably not a partnership. Although a number of people have taken the opposite view, the stronger argument is that The DAO is not a partnership, for the reasons above.

The DAO is not a legal entity. There have been a number of comments about the need to ‘wrap’ distributed organizations in some form of legal entity. But this kind of misses the point — because it would constrain distributed organizations to the operational requirements under existing corporate law. If the objective is to develop decentralized, more efficient, and transparent types of organizations, then the technology needs to drive changes in law, not the other way around.

Is The DAO a legal contract?

Smart contracts were initially envisioned as having the potential to replace or supplement legal contracts for some functions. But there’s a persistent myth that smart contracts are inherently legal contracts. This is not true. In fact, the main perceived feature of smart contracts is the ability for code, rather than law, to govern. The concept of code displacing law has been around for some time.

A contract is simply a legally binding agreement. In order for a contract to exist, at least two legal entities have to agree to terms, and there must be a transfer of value between them (consideration).

Everyone who sent ETH to the DAO to create tokens agreed to a set of terms — but that doesn’t necessarily mean that there was an enforceable legal contract. The main question is whether or not there are actually two or more legal entities involved. We know that The DAO is not a legal entity. We also know that each token holder’s decision to send ETH to The DAO is not contingent upon any other token holder, and that there is no agreement between token holders. Finally, there isn’t any agreement between token holders and the creator of The DAO’s code, slock.it (note the absence of terms like ‘we’, ‘us’, or ‘slock.it’ — which you would expect to see in a standard terms of service contract).

The DAO doesn’t involve a legal contract. Token holders certainly had expectations about what should happen with the ETH they sent to The DAO, based on the code of The DAO. But this isn’t a legal contract, because The DAO isn’t a legal entity that is capable of agreeing to anything. The DAO is a compilation of code on the Ethereum blockchain — nothing more, nothing less.

So if The DAO’s creators take action against the attacker, can the attacker sue them for breach of contract?

No. An open letter from ‘the attacker’ did the rounds earlier this week, claiming that the attacker could take legal action against the creators of The DAO’s code, Slock.it, as well as the Ethereum developer team. As we know, there’s no contract between The DAO and any token holder, including the attacker. No contract = no breach.

How about the Ethereum Foundation, developers, or miners? Could the attacker (or anyone else) sue them?

No. Even though there was a contract in the terms and conditions for the Ethereum presale, those terms don’t apply to the functioning of the Ethereum protocol or network. The ETH presale terms don’t create any contractual or other legal rights for anyone who holds ETH, and they don’t give anyone the right to bring an action for changes to the Ethereum protocol or network.

Ethereum and Bitcoin (and other decentralized open blockchains) operate without relying on any legal contracts. And that’s kind of the point. The most important function of a decentralized open blockchain is to enable consensus-based truth, which is very different to trust derived under a legal system.

A legal system enables participants to interact with one another because the system has the ability to resolve disputes between participants. If you breach our legal contract, I can sue you to force you to honor our agreement, or to pay me damages.

On the other hand, transactions on an open blockchain don’t require the threat of legal enforcement to be effective — they are effective because the blockchain provides a statement of truth. The blockchain itself doesn’t require any legal system to underpin it.

That said, the complexity of transactions that can currently be supported on public blockchains (without a legal structure) is still limited at this stage. Sending and receiving value works well. Creating distributed organizations like The DAO is much, much harder.

It’s unlikely that anyone could sue the developers or miners of an open public blockchain for making changes to the protocol, because there is no legal contract, or other obligations between them. Even if their actions were in bad faith (e.g. a 51% attack), there would be serious hurdles in establishing a criminal or civil case. The same goes for a criminal or civil case against the DAO attacker, as follows.

Was this a crime? Or could token holders bring a civil law action against the attacker?

Here is a good analysis of the range of criminal and civil law actions that might be available against the attacker.

One hurdle to establishing a criminal or civil case is the question of ‘who actually owned the ETH that was taken by the attacker?’ Let’s think about how the funds move: token holders no longer have possession or ownership of the ETH they sent to the DAO (they exchange ETH for DAO tokens). As soon as the transaction is confirmed, the ETH is held in The DAO contract, which is arguably not within anyone’s possession or control.

There are other questions too, around whether the ETH was really taken without consent (theft) or taken with consent (not theft). The attacker might argue the recursive call of the ETH was done ‘with consent’ because the code executed as intended. This argument might be difficult to run, especially considering that The DAO is not a legal entity capable of consenting, but it’s not inconceivable.

There are also specific criminal laws — for example, the Computer Fraud and Abuse Act (CFAA) in the US, which cover unauthorized access to computers. The most reasonable view is that interacting with an open, public blockchain is not ‘accessing a computer without authorization’, but the CFAA has been interpreted very broadly in the past. Side note: applying the CFAA to transactions on open, public blockchains could be a really, really bad thing, for a number of reasons.

There would also be serious challenges in bringing a civil action under tort law, even if the attacker can be identified. As we know, The DAO is not a legal entity and cannot sue anyone. It’s also unclear how a court would treat an action brought by token holders who don’t actually own the ETH that was taken from The DAO.

It’s still possible that a court could decide the attacker is liable under tort law, or other legal principles such as unjust enrichment, but there would need to be an expansion of existing legal principles in order for that to happen.

As we know, the law evolves slowly. Right now, succeeding in a criminal or tort law action against the attacker would be very difficult.

What might financial regulators think about all of this?

As a number of people have pointed out, there is a real possibility that The DAO’s crowdsale was an unregistered offering of securities under US law. The area of securities law, particularly in the US, is extremely complex. Most other jurisdictions have similar laws about collective investments.

For example, one of the elements of the Howey Test — explained well by CoinCenter — is that the expected profits will depend on the efforts of someone other than the investors. Again, the fact that The DAO is not a legal entity muddies the waters here. No legal entity is in possession or control of the funds raised, and no legal entity manages the activities of The DAO. This might mean that the profits of the enterprise are not ‘solely dependent on the efforts of the promoter or a third party’ — because the profitability of The DAO would have depended on all of the token holders voting for profitable things to do with all that ETH.

Having said that, it’s entirely possible that a court could expand the interpretation of the Howey Test to cover this scenario — and you probably wouldn’t want this point being the only thing standing between you and the SEC.

Final thoughts

What’s clear is that The DAO has failed. What’s less clear is how the legal system could have been used to prevent this failure without basically defeating the purpose of The DAO to begin with.

Trying to find legal solutions to technical problems in systems that are designed to solve legal problems doesn’t quite make sense.

To make useful smart contracts, don’t rely on the law to plug holes. Make sure there are no holes, by careful testing and iteration. Build safeguards. Limit the monetary value held in any smart contract. All of this may well limit functionality and slow down development in the short term, but if the goal is to create truly trustless distributed applications, then it’s clear this is a marathon, not a sprint.

Obviously, nothing in this article is legal advice. All the opinions in this article are my own, and don’t necessarily represent the opinions of Coinbase or any other organization.

Disclosure: I created some DAO tokens in the creation phase. And no, I didn’t review the code before I did so.

Thanks to Sarah Hody, Jeff C, Linda Xie, Shahab Asghar and Hayden Parker for reviewing this post.