What do professional lawyers think about the “DAO” theft case?

Note to readers: The author of this article is a Washington, D.C.-based attorney whose primary practice areas include construction, insurance, and software development (including blockchain and smart contracts). This article represents the author’s personal opinion only and does not constitute any legal advice.

When I woke up in the morning, I was flooded with news about the DAO attack. It was said that more than 60 million US dollars of Ethereum were stolen , and Ethereum founder Vitalik Buterin seemed to have proposed an emergency plan.

Some people expressed support, while others complained. But in addition to technical remedies, some people also asked whether there is an effective legal remedy for this attack?

Should the DAO attackers be held criminally or civilly liable? Can they be prosecuted? If so, how? And who should file the lawsuit? Here are my personal opinions.

criminal responsibility

The most applicable state or national criminal statutes would be those governing this attack.

There are many laws regarding this, such as theft. Federal law criminalizes unauthorized access to another person's computer system or obtaining information beyond the authorized scope. In addition to fines, penalties, and imprisonment, criminal law can also provide victims with a range of remedies, such as legal relief.

Whether this incident falls within the scope of legal jurisdiction is another matter. I just want to point out that the attacker's behavior has violated the criminal law.

So what can the attacker do to exonerate himself? For example, return all the ether? As one netizen said on Twitter, returning the ether is at most a self-incrimination, which does not exempt the attacker from legal prosecution.

Some people also say that attackers are not legally responsible at all because the smart contract "allows" them to do so. This argument is interesting, but the existence of a vulnerability in the code does not mean that someone can exploit this weakness to conduct illegal attacks.

There is nothing the attacker can do to get away with it. Whether it happens on chain or off chain, theft is theft.

To give the simplest example, if you discover a bank card vulnerability, it does not mean that you have the right to obtain property that does not belong to you.

civil liability

So what does civil law say? Can an attacker be sued for damage or infringement of another's property? Of course you can.

It doesn’t matter whether the attacker is anonymous or uses a pseudonym, what matters is that they can be located based on the contract address. But this is just a procedural issue, in principle, the plaintiff does not need to know the defendant’s specific location.

In the United States, as long as the plaintiff files a lawsuit, the court will look for the defendant, and as long as someone files a lawsuit, the court has the right to subpoena you.

So who has the right to sue the attacker? Anyone who has been harmed by the attack can file a lawsuit on their own behalf. DAO token holders can also file a class action lawsuit. But the DAO platform cannot be the plaintiff.

If the DAO platform initiates a lawsuit on behalf of the DAO, it means that the DAO has an independent legal personality and can make independent decisions off-chain, including filing a lawsuit or hiring a lawyer, etc. But this sounds a bit strange, and the legal definition of the DAO is still unclear. After all, the DAO is just code, right?

One of the simplest ways is to elect representatives among DAO token holders to initiate a lawsuit .

Infringement

What crime should the victim sue the attacker for? There are many, one of which is trespass - the illegal seizure of someone else's property .

When someone illegally obtains property that does not belong to them, the victim can apply for tort relief.

However, the relevant legal provisions regarding “illegal seizure of other people’s property” stipulate that such property does not refer to cash or currency, but tangible assets ^[1] . Whether Ethereum is a tangible asset or not depends on how the court decides.

However, there are many other torts that also apply to this attack. For example, civil theft, fraud, illegal trespass, unjust enrichment, etc. Violation of the default contract (DAO smart contract) is also a tort.

So how to calculate the loss? The loss of token value (price drop) is one of them. If it leads to illegal market making, the attacker will also be held responsible for it.

The attackers must have expected that the attack would cause a sharp drop in the price of ether. If this really happened, then recovering the ill-gotten gains would be one of the remedies.