The third article in our Blockchain and the Law series
On 17 June 2016, USD 60 million was siphoned from Ethereum’s first decentralised autonomous organisation (DAO). The affected DAO is simply (albeit confusingly) called “The DAO”, a digital, autonomously run investment fund which, like traditional mutual funds, allows investors or “members” to purchase shares and enjoy returns based on its performance. As part of the heist, the attacker shifted the ether to a “Child DAO”, a kind of subsidiary of The DAO itself. For now, the ether remains in the Child DAO and, in accordance with its programming, cannot be used for 28 days from the date of the attack. Members of Ethereum and the broader blockchain communities are emphasising that the exploited vulnerability was in the code of a smart contract within The DAO; the underlying Ethereum platform (as well as blockchain technology generally) is, they say, faultless in the incident.
Liability and insurance issues
From a liability and insurance perspective, the incident provides a real-life example of the sorts of issues we have previously raised around this technology. Who bears the liability or risk for the loss in cases like this? While the answer of course depends on explicit agreements between the parties (captured in the smart contract or in underlying traditional contracts), many have pointed out that the legal status of DAOs is not clear.
Will programmers who write flawed code have to respond to negligence claims brought by members of DAOs? Who can be insured against such liability? If insured, can insurers who pay out relevant insureds bring a subrogated claim in negligence against those coders or others? What is the true classification of an attacker’s conduct in such circumstances? While embezzlement and misappropriation of funds are familiar crimes in traditional company law, this analogous situation occurs in the unregulated realm of smart contracts and DAOs.
Next, if liability could be determined with confidence, jurisdictional issues surface. DAOs do not exist on one server within one jurisdiction; rather, as the name suggests, they are decentralised and operate across many. So where would a claimant commence an action against a particular DAO? And who, if anyone, would represent it? What could be the extent of their liability?
The attack also raises issues around the regulation of DAOs. If DAOs are to become common investment vehicles, will they eventually be subject to regulation in the same way as other financial products upon which livelihoods depend? While blockchain technology itself is still considered highly secure, The DAO attack shows that individual smart contracts operating upon blockchains may still be vulnerable. From an insurer’s perspective, where insureds participate in DAOs, is it time to consider appropriate premium pricing for policies that protect against theft or loss arising out of third-party negligence?
The questions fast become dizzying and rather than leading to answers, each only seems to raise further issues. Some in the blockchain community will argue that such a traditional analysis of liability and the law is misplaced, and serves only to subject the technology to the oversight of the very establishment they were formed in response to. At any rate, if aspects of a case like this are litigated, courts may provide some much needed clarification and guidance on how we should view these entities and their participants.
While The DAO attack may in hindsight be viewed as a mere teething problem for the wider adoption of smart contracts, it has reminded stakeholders that the robustness of the blockchain architecture itself may not always prevent security breaches of flawed smart contracts.
For the moment, the community (and some outside it) will keenly follow any fallout from the attack. Some will hope that any resulting legal disputes may give rise to the first judicial commentary on blockchain and its related technologies.