
Blockchain Company's Smart Contracts Were Dumb

Matt Levine is a Bloomberg View columnist. He was an editor of Dealbreaker, an investment banker at Goldman Sachs, a mergers and acquisitions lawyer at Wachtell, Lipton, Rosen & Katz and a clerk for the U.S. Court of Appeals for the Third Circuit.

There's a fairly incredible trial going on in London right now. The Libyan Investment Authority is suing Goldman Sachs over some trades that they did together. To oversimplify slightly, the LIA handed Goldman a pile of money and signed some complicated contracts describing the circumstances in which Goldman would have to give LIA money back, and how much. And then everyone closed their eyes and counted to 10, and when they opened their eyes, poof, the money was gone. It was $1.2 billion. Libya is mad, and suing.

The LIA has various arguments in its lawsuit, but none of them amount to "Goldman owes us money under those contracts." The contracts specified a set of functions that took inputs (mostly, the prices of some bank stocks) and produced as outputs a set of dollar amounts that Goldman was supposed to pay Libya. The specifications in the contracts are perfectly clear; there's no dispute about how to read the contracts, or about how the functions work. Everyone agrees that the total dollar amount produced by the functions is zero. 

Instead, Libya's arguments take the form of: We didn't really mean what those contracts said. We didn't understand them. We were bamboozled into signing them, overwhelmed by a "swarm" of Goldman bankers, seduced -- literally -- by the bankers' offerings of internships and aftershaves and prostitutes. We were unsophisticated, we trusted Goldman to look out for our best interests, we thought the functions were something other than what they turned out to be.

Whatever you think about those arguments -- my own views are complicated -- they are definitely the kinds of arguments that are, like, allowed in court. The contracts specifying the functions are important. Ninety-nine-point-whatever percent of the time, derivatives contracts just work: I pay you a premium for a call option, and you promise to pay me if it ends up in the money, and if it does, you do, and if it doesn't, I shrug and walk away. We knew what we were getting into, and we got out of it what we expected. But every so often, people don't know what they're getting into, or what they get out of it isn't what either side reasonably expected. And when that happens, they go to court and argue about it. Usually one side did well out of the deal, and argues that everything's fine and everyone got what they expected; the other side did poorly, and argues that something fundamentally unfair happened and the deal should be altered.

One more story, one of my all-time favorites. The California electric grid operator built a set of rules for generating, distributing and paying for electricity. Those rules were dumb and bad. If you read them carefully and greedily, you could get paid silly amounts of money for generating electricity, not because the electricity was worth that much but because you found a way to exploit the rules. JPMorgan read the rules carefully and greedily, and exploited the rules. It did this openly and honestly, in ways that were ridiculous but explicitly allowed by the rules. The Federal Energy Regulatory Commission fined it $410 million for doing this, and JPMorgan meekly paid up. What JPMorgan did was explicitly allowed by the rules, but that doesn't mean that it was allowed. Just because rules are dumb and you are smart, that doesn't always mean that you get to take advantage of them.

We talked this morning about a hack at the DAO, the Distributed Autonomous Organization that lives on the Ethereum blockchain and that was supposed to take money from investors and invest it in projects voted on by the investors and administered through smart contracts. Instead -- surprise! -- the DAO was hacked, and about $60 million worth of Ether (Ethereum's digital currency) was stolen. Or that is the terminology -- "hacked," "stolen" -- that most people have used, and that I used this morning. But maybe it is wrong? The most interesting thing to read about the DAO hack is this Medium post:

By any usual interpretation (including those commonly used by Slock.it’s team in the past hours) the hacker has stolen money from other users and violated the intent of the DAO.

However, according to the DAO’s own legal contract, there is no such thing as theft and the intent is completely unimportant — the only important and relevant thing are the smart contracts themselves. Consequently, there is no real legal difference between a feature and an exploit. It is all a matter of perspective.

For example, one interpretation is that this unusual recursive splitting function is itself a feature and that a user simply used this feature to take funds into a sub-DAO. In some ways this is no different from what Slock.it attempted to do via its own proposal, except that instead of running it through the voting system it ran it through a splitting smart contract.

From the standpoint of the submitters of the original capital, this may seem an egregious departure from the marketing pitch. But from the standpoint of the DAO, there simply is no difference between the two. And the legal contracts seem to point to the DAO as the canonical version.

That is: The DAO was advertised to users as, well, a Distributed Autonomous Organization that was supposed to take money from investors and put it in projects voted on by the investors and administered through smart contracts. (I mean, it was advertised in much more hyperbolic ways than that -- "a new breed of human organization never before attempted," etc. -- but the gist was a vote-based venture fund. See here for more explanation.) There were websites and forums explaining, in English, for humans, how the DAO would work, what its security features were, etc. (Some of the explaining was done by Slock.it, a blockchain company associated with the DAO.) But there was also this bit of boilerplate:

The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code. Any and all explanatory terms or descriptions are merely offered for educational purposes and do not supercede or modify the express terms of The DAO’s code set forth on the blockchain.

Or, as DAO's "Principles" page put it last month:

The DAO is borne from immutable, unstoppable, and irrefutable computer code, operated entirely by its members, and fueled using ETH which Creates DAO tokens.

The descriptions didn't matter; only the code did. The descriptions didn't allow for today's hack, but the code did. (By definition! If the code could be hacked, the code allowed for the hack.) Any vulnerabilities in the DAO's code were not flaws in the code; they were flaws in the descriptions -- which were purely for entertainment purposes. The DAO's websites failed to explain to investors that the code allowed a hacker to take $60 million by using a "recursive splitting function." But the recursive splitting function itself is part of the DAO's code, and therefore part of the DAO. Using it isn't a "hack," and using it to take money isn't a "theft"; it is just using the DAO as intended. Where the only measure of intent is what is allowed by the "immutable, unstoppable, and irrefutable" code.

The words "hack" and "theft" make human, normative presumptions about how you're supposed to use the DAO code. But the code doesn't care. The code can't be "hacked." It can only be used; its use has no normative implications. As one person put it on Twitter: "So it's an arbitrage?"

This is of course childish and silly. It isn't how human institutions operate. But it is very much how "smart contract" utopians want future institutions to operate, or how they think they want those institutions to operate. "Immutable, unstoppable, and irrefutable"; free of human bias and stupidity and intervention; a utopia of coldly logical code. Human expectations are irrelevant, except to the extent that they are correctly translated into code. When we last talked about the DAO, I said:

The U.S. legal system has built up a pleasantly redundant system of safeguards so that investors usually get more or less what they expect. If you invest in a U.S. public company, you are in a sense signing up for a certificate of incorporation and bylaws, which are written in lawyerly language. But you also get a prospectus that explains the terms of your investment in relatively (relatively!) plain English. Also the terms of that investment -- how you vote, what duties the company owes you, what rights you have, etc. -- tend to be constrained by federal securities law, state law, stock exchange listing requirements, underwriter due diligence, public policy, custom and tradition. Even if you invest in a company whose bylaws say that the board of directors can sacrifice you to a demon on the first full moon of a leap year, it's unlikely that that term would be enforced. There is only so much leeway to depart from the standard terms.

If you invest your Ether in a smart contract, you'd better be sure that the contract says (and does) what you think it says (and does). The contract is the thing itself, and the only thing that counts; explanations and expectations might be helpful but carry no weight. It is a world of bright lines and sharp edges; you can see why it would appeal to libertarians and techno-utopians, but it might be a bit unforgiving for a wider range of investors.

That was exactly a month ago. The bright lines and sharp edges have now sliced the DAO's techno-utopians, or at least their wallets, apart.  

The DAO's leaders, and the community at the Ethereum blockchain that created it, are now trying to fix the hack by freezing the hacker's funds and discussing what to do next. But it's not so simple:

I do not know quite how a court would decide, but it is quite possible that in the eyes of the court, the hacker is himself simply a legitimate operator operating in the bounds of the smart contract and it is those who are attempting to change the smart contract post facto that are violating the law.

Indeed, it could even be the case that the “hacker” in this case could sue Slock.it for damages and the return of funds if the smart contracts were altered to “protect investors,” or whatever else our new regulatory system is attempting to do.

Good lord I hope that happens. There isn't much reason to think that a court, in a regular human jurisdiction, staffed by regular human judges, would see the world the way the DAO's disclaimers do. Just slapping a disclaimer on the DAO's website saying that no advertisements or expectations can "supercede or modify the express terms of The DAO’s code set forth on the blockchain" doesn't make it so. If Goldman Sachs had slapped a disclaimer on its contracts with the LIA saying that it had entered into the contracts at arm's length and after taking appropriate advice, and that nothing said or understood outside of the contracts could supercede or modify the express terms of the contracts, that wouldn't stop a court from hearing the LIA's case. It might help Goldman's argument, but the court is interested in the facts in the world, not just what is said in the contracts. If the DAOers find their hacker, or "hacker," and bring him to court, I am not sure many courts would be too sympathetic to an argument that his hack was just part of the system. (Any more than the FERC was sympathetic to JPMorgan's argument that its electricity trades were just part of the system.) And while cryptocurrency/blockchain/smart-contract fundamentalists have a tendency to think that they can place themselves outside of national legal systems just by saying that things happen "on the blockchain," the national legal systems have a tendency to disagree.

The most fascinating thing about the DAO hack may be the way it exposes these tensions. To true believers in smart contracts, there is no problem here. The system is fine; the failures -- writing bad code and not anticipating this attack -- were trivial, mere human error. Next time, write better smart contracts and you'll be fine. To those true believers, changing the code after the fact -- even to conform it to almost-everyone's reasonable expectations about how the DAO would work -- would be a betrayal of the smart-contract ideal.  

On the other hand, to the humans who read the English descriptions of the DAO and invested their money based on their reasonable expectations, their losses probably do seem like a problem. You can't really base the financial system of the future on computers rather than humans, on trusting to immutable code no matter what happens. Financial systems are supposed to work for humans. If the code rips off the humans, something has gone wrong.

  1. One way in which this oversimplifies: Libya maybe didn't sign the contracts? See paragraphs 33-34 of the LIA's Particulars of Claim: According to the LIA, it never actually signed the trade confirmations. Of course Libya did wire Goldman the money, and the deals went along exactly as though it had signed. A general tip: If you don't want to do a trade, it is probably better to sign the contract and not wire the money than it is to wire the money and not sign the contract. (Not legal advice, of course, and neither is ideal.)

    Anyway the Particulars of Claim are in general a good way to get a sense of the trades and the background. The actual trades themselves were dressed up a bit, and are described in Schedule 1 here, but you lose nothing by thinking that they were just three-year at-the-money call options on a handful of stocks, mostly bank stocks.

  2. And biased, and not really very important here. But to summarize:

    1. I totally think that Goldman viewed the LIA as a rich and unsophisticated client that perhaps was there for the fleecing, and took unseemly advantage.
    2. I mostly think that Libya is overstating the complications of these contracts, and is not right that their complexity or Goldman's pushiness is what caused LIA to lose all the money. What caused LIA to lose all the money is wanting to make leveraged bets on bank stocks in early 2008. Come on! That didn't work out well for anyone.
    3. A good general rule is to stay away from stock options, though.
    4. I sort of think that Goldman's profits here, though large, were not utterly outside the realm of, like, "allowable" profits.
    5. I spent four years at Goldman Sachs selling equity derivatives not entirely unlike these, so I am super biased!
  3. By the way, can we talk, for ever and ever and ever, about the lead anecdote in this Nathaniel Popper DAO story from last month? It features a "31-year-old French socialist" named Olivier Stern who "recently invested a third of his life savings — 10,000 euros, about $11,000" in the DAO. 

    “I think it is the beginning of something that could, in a way, make history,” said Mr. Stern, who previously lost a small sum of money he invested in Bitcoin when a major Bitcoin exchange — Mt. Gox — went bust. “Maybe it can fail, maybe it can succeed, but for sure it is an idea that is very interesting.”

    He's two for two on big cryptocurrency busts!

  4. And it probably did! Clauses like this, reciting that the contract represents the entire agreement between the parties and that everyone entered it clear-eyed and well-advised, are pretty standard.

  5. Or, as I put it on Twitter: "The best thing about the DAO may be that people are, like, proud to be hacked. 'It proves the system worked!'"

  6. Or, as Kevin Kwok put it on Twitter, it "does appear that trying to roll back this would be bigger breaking of the trust than the attack itself."

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

To contact the author of this story:
Matt Levine at mlevine51@bloomberg.net

To contact the editor responsible for this story:
James Greiff at jgreiff@bloomberg.net