Unraveling the legal issues surrounding The DAO

The heated public debate over The DAO project has given us two good reminders: 1. The law needs to keep up with the times within the cryptocurrency industry; and 2. We cannot rely solely on the legal system to solve all our problems.

As The DAO’s ETH funds were drained, legal questions arose. Was this theft? Was this a violation of The DAO’s contract? Would a fork of the Ethereum blockchain constitute a breach of contract? Would the attacker sue the Ethereum developers for breach of contract? And what could regulators like the SEC do?

All of this comes down to a fundamental question: Can the law help prevent or resolve problems like The DAO? Of course, the law is different everywhere. But even across different legal systems, there are many common concepts that can help us solve related problems.

Is The DAO a company?

Modern legal systems are designed to enable organizations, entities, and people to engage in business. Most legal systems give certain people within an organization some tangible legal powers, such as the power to enter into legal contracts, and the power to sue and be sued.

But organizations do not automatically have these powers. Usually, organizations must be formed by forming a company, which requires a series of legal documents, registration with relevant government agencies, and most importantly, an agreement must be signed with a real natural person in order to form a company.

The DAO did not have a process to form a company. Because its holders did not agree to form a company. In fact, there are many things they disagree with, let’s discuss them as follows.

The DAO is not a company. The lack of a company is one of the main characteristics of a distributed organization, so functionally it does not rely on corporate law.

So, was The DAO a partnership?

In many legal systems, people who are not part of a corporation can still conduct business as partners. A partnership usually does not require registration or legal documents, so it is easier to form than a corporation. It just requires people to come together to conduct business.

The interpretation clause of The DAO project clearly states:

“DAO Tokens do not represent or constitute equity, shares, or other entities, whether public or private, in any jurisdiction.”

At the most basic level, token holders both happen to send ETH to the same smart contract address on the Ethereum blockchain (or purchase tokens after they have been created) under the expectation that the smart contract code will be executed. This code does not give the token holders the actual benefit they expected.

Token holders cannot organize others to become token holders. Generally speaking, in a partnership, existing partners can decide whether to bring in new partners. Conceptually, it is hard to imagine that I can run a business with people from all over the world. I have never seen people join or leave a business as fast as a trading algorithm executing orders on an exchange.

A partnership can be implied by conduct, but not in this case. Because The DAO did not operate a business. The DAO may not be able to operate a business (at least not without help). Even if The DAO did operate a business, token holders may not be able to receive the benefits of ownership in that business.

The DAO is not a legal entity. Some opinions have begun to emerge that some form of legal entity is needed to "constrain" distributed organizations. But this view ignores the fact that it will limit the development of distributed organizations that are allowed to appear in some business under existing corporate law. If the goal is to develop decentralized, more efficient, and transparent types of companies, then fundamental changes in the law need to be promoted, rather than using other forms.

Is The DAO a legal contract?

Smart contracts were originally conceived to replace or supplement some of the functions of legal contracts. Are smart contracts essentially legal contracts? The answer is no. In fact, the concept of code replacement law has been around for some time, so the main feature of smart contracts is the recognition of code, not legal management.

A contract is simply a legally binding agreement. For a contract to be valid, at least two legal entities must agree to the terms of the contract and there must be a transfer of value between them.

People sending ETH to the DAO were creating tokens that agreed to a set of terms, but that didn’t mean a valid legal contract was created. The key question is whether there were two or more legal entities involved in the contract. We know that The DAO was not a legal entity. We also know that the actions of each token holder sending ETH to the DAO were not dependent on any other token holder, and there was no agreement between token holders. As a result, there was no agreement between token holders and the creators of the DAO code. The slock.it project (specifically using the words “I”, “we”, or “slock.it” in the terms, which is what you would expect to see in a standard terms of service contract).

The DAO was not a legal contract. Token holders had expectations based on the DAO code about their own actions in sending ETH to The DAO. But it was not a legal contract because The DAO was not a legal entity that could adapt to any situation. The DAO was the assembly code of the Ethereum blockchain - nothing more.

So if the creators of The DAO took action against the attacker, could the attacker sue them for breach of contract?

The answer is no. Earlier this week the attackers published an open letter stating that they would take legal action against The DAO code creators, Slock.it, and the Ethereum development team. As we know, there is no contract between The DAO and other token holders (including the attackers). No contract means no breach of contract.

What about the developers and staff of Ethereum? Will there be attackers or others who will sue them?

No. Even if there was an agreement setting out the terms and conditions during the Ethereum presale, those terms did not apply to the Ethereum protocol and network functionality. There was no clause in the ETH presale that indicated who the ETH holders were, and no one could sue over changes to the Ethereum protocol or network.

Ethereum and Bitcoin (and other decentralized and open blockchains) do not rely on any legal contract operations. The most important function of a decentralized and open blockchain is trust consensus, which is very different from the trust system under the legal system.

The legal system enables participants to interact with each other because the legal system has the ability to resolve disputes between participants. If you violate a legal contract, I can sue you to force you to fulfill our agreement or pay me damages.

On the other hand, blockchain transactions do not require legal enforcement, as blockchain provides a statement of facts and is therefore valid. The blockchain itself does not require any legal system to support it.

That said, at this stage, the transactions that can currently be supported on a public blockchain (without a legal structure) are still limited. Sending and receiving value works well, but creating a distributed organization like The DAO is much more difficult.

It is unlikely that developers or employees of a public, open blockchain could be prosecuted for changing the protocol because there is no legal contract between the parties and there are no obligations between them. Even if their actions were malicious (e.g., a 51% attack), there are significant obstacles in establishing a criminal or civil case. This is the same situation for criminal or civil actions against the DAO attacker, as shown below.

Is this a crime? Can token holders bring civil legal action against the attacker?

There is a good case here that may be useful in pursuing criminal and civil legal action against the attacker.

The core obstacle to building a criminal or civil case is “Who actually owns the ETH stolen by the attacker?” Let’s think about how the funds work: Token holders no longer own the ETH they sent to the DAO (because they exchanged ETH for DAO tokens). Once the transaction is confirmed, the ETH exists in the DAO contract, which no one person can possess or control.

There are other questions. Was the ETH stolen with or without consent? The attacker may believe that the recursion of ETH was consented to because the execution code determined it. This argument is difficult to establish, especially considering that The DAO is not a legal entity that can be allowed. This is not inconceivable.

There are specific criminal laws that address this. For example, the Computer Fraud and Abuse Act (CFAA) in the United States addresses unauthorized access to another person's computer. The CFAA has been broadly interpreted to mean that open blockchains do not allow unauthorized access to another person's computer, which is the most reasonable view. Note: For a number of reasons, applying the CFAA to open blockchain transactions is probably a very bad idea.

Even if the attacker could be identified, civil lawsuits under tort law would face significant challenges. As we know, The DAO is not a legal entity and cannot sue anyone. It is also unclear how courts would handle lawsuits brought by token holders who have no ownership rights to ETH.

A court might be able to decide that an attacker is liable under tort law, or it might be able to determine that unjust enrichment is illegal under some other legal doctrine, but for that to happen existing legal doctrine would need to be expanded.

As we all know, the law evolves slowly, and today it is very difficult to successfully bring a criminal or infringement lawsuit against an attacker.

Will financial regulators think about this situation?

As many have pointed out, the crowdsale launched by The DAO was likely launched without the need to register securities under US law. The area of ​​securities law, especially in the US, is very complex. Many other jurisdictions have similar laws regarding collective investments.

For example, one element of the “Howey Test” states that expected profits depend on people other than investors. The fact that The DAO was not a legal entity further confuses the situation. No legal entity could own or control the funds raised, nor could any legal entity manage The DAO’s activities. This could mean that the profitability of the enterprise depended on more than just the efforts of the founders or third parties — since the profitability of the DAO would depend on the votes of token holders on how to profitably handle ETH.

It has to be said that it is entirely possible that the courts could expand the Howey Test to interpret these situations, and I believe you don't want this to be the only obstacle standing between you and the SEC.

Final Thoughts

Clearly, The DAO has failed. It is worth considering how the legal system could have prevented this failure without necessarily bringing down The DAO.

There is obviously little point in trying to find legal solutions to technical problems in the design system.

We need to design smart contracts that work, rather than rely on laws to plug loopholes. We need to make sure there are no loopholes through careful testing and iteration. And build in safeguards to limit the value of money held in any smart contract. All of this will likely be limited and even slow, but if the goal is to create truly trustworthy distributed applications, it should be a marathon, not a sprint.

Obviously, there is no legal opinion in this article. The opinions expressed here are solely those of the author and do not necessarily represent the opinions of Coinbase or other organizations.

Disclosure: I designed some of the DAO tokens during its founding phase and did not review the code before I did so.