How to prosecute a DAO hacker?

Rage Review : As the world's largest project, DAO, was hacked yesterday due to a code vulnerability, resulting in a loss of up to 50 million US dollars. This news undoubtedly caused an uproar among DAO followers and directly led to a drop in the price of Ethereum. However, we are not helpless against these hackers. They need to bear criminal and civil liability for such behavior. The token holders will sue them, but even if the lost Ethereum is recovered, it seems that it cannot eliminate the impact of the whole thing. The reputation of The DAO has been affected, and the price of Ethereum has also plummeted. This major event of DAO may make DAO more perfect.

Translation: Nicole

This morning, my phone was buzzing with notifications. The DAO was hacked! $50 million worth of ether was lost. At least one technical solution has been proposed.

In addition to technical remedies, some people have sought legal remedies to fight against the hackers who invaded DAO.

Can they be held criminally or civilly liable? Can they be prosecuted? If so, how? Who prosecutes them? Here are some thoughts on these questions.

criminal law

State and federal statutes are still being debated, and there are many such statutes, one of which is to start with theft and iteration. Many federal laws can be broadly applied to unauthorized access to computer systems, or access beyond authorization. In addition to facing fines, penalties, and imprisonment, criminal law can set out a full range of remedies for the injured party and provide a penalty for the loss.

Whether law enforcement was aware of this is a separate question. I just want to point out that, yes, they have violated criminal law.

Are there other potential defenses against the hacker? Will they give the ether back? One critic tweeted that returning the ether would be an act of loss mitigation, but it's not a true defense against criminal liability.

Others say the hackers are not responsible because what they did was permitted by the contract. This is an interesting idea. But, in short, a code vulnerability is not the same as consent.

As a defensive measure, this is too weak. Theft is theft, whether on-chain or off-chain.

A loophole in the card code on an ATM does not mean you have the right to withdraw money from the bank that does not belong to you.

Civil Law

Second, do hackers need to be held civilly liable? Should hackers be prosecuted for sabotage or disobedience? Yes, they should.

Their anonymity or pseudo-anonymity was not an issue from the beginning. Whether they can always hide behind the contract address will also be tested soon. However, this is a procedural issue and you don't have to know who or where to sue them.

In the US, nameless defendants can be used in initial complaints (depending on the jurisdiction) and provide a mechanism to begin tracking down and locating the hacker. At the time of prosecution, you have subpoena power.

Who will sue the plaintiffs? Those who suffered losses from the theft can sue on their own behalf. They can also choose a token holder representative to file a class action lawsuit. The DAO or a DAO may not be a plaintiff.

If The DAO sued, that would mean that the DAO had a legal personality and could make decisions off-chain, aka sue (hire a lawyer). Not sure if "The DAO" is the culprit. It's the code, right?

A simpler (although imperfect) approach for plaintiffs is to sue through a recognized representative representing all token holders.

Tort Law

What can be claimed from the trespasser? From the perspective of tort law, exchange comes to mind.

A tort remedy is available when someone takes property that does not belong to him.

One problem is that redemption may not be available for cash or currency: depending on the jurisdiction, the remedy may only be available for intangible assets. (Is ether an intangible asset? This also depends on the jurisdiction).

There are many other tort theories that can be utilized, such as civil theft, fraud, trespass, and implied contract claims.

Did the hacker breach the implied contract, or the duty of fair dealing? The agreed grounds for claim also include unjust enrichment and breach of order. These are just examples, not a very comprehensive analysis.

So what about losses? That’s a bit of a stretch. Token loss is also a measure of damages. Other theories of damages can emerge. For example, imagine that market control is also a case of motivation.

The hacker may have thought that the theft would cause the price of ether to drop, which he could then bet on in the market. If so, disgorgement of ill-gotten gains would also be a remedy.

Bottom line: If you believe hackers are bad guys, legal and equitable remedies such as damages may be a solution.