Code is (still) not law, contrary to new crypto lawsuit claims

Quick Take

  • Shin v. ICON Foundation is new lawsuit filed in San Fransisco Federal Court that alleges the ICON Foundation improperly interfered with Plaintiff’s ownership and possession of ICX tokens.
  • After discovering a code exploit, Plaintiff minted millions of ICON tokens, and they allege this was no different than going into a casino and play a slot machine that pumped out coins based on its programming.
  • If the case goes to trial (or proceeds through motion practice) it could result in precedent about the impact of balky blockchain code and the rights, liabilities and obligations of developers.

Code is not law. It's not even a municipal ordinance. Nonetheless, this misunderstood meme has been the raft on which more than a few ill-conceived crypto schemes have set sail.

The idea (as articulated by crypto meme-makers) is that, if deployed, blockchain code allows any sort of behavior to take place as long as it's allowed by the code.  This is so, the thinking goes, even if it's contrary to the stated intent of its creators or participants; it's the law of the transaction, as opposed to any exogenous person-made law.

Of course, the idea that software exists outside of legal frameworks is idiotic, to use a term of art. And this notion has been put to rest time and time again by regulators and law enforcement. If you break laws using code, you'll be taken to task (and perhaps prison). 

The code isn't law — law is law.  This isn't contrary to what Lessig meant when he coined this phrase, by the way -- but that's a subject for another day).  Anyway, this is well-trodden ground and my point here isn't to stomp that well-trodden earth and write one more post about how blockchain isn't beyond the reach of law enforcement or litigants. Hopefully anyone who has read up to this point gets it.

Still, there is some nuance here to unwind. What happens, say, if a smart contract bug allows someone to mint a bunch of tokens by simply following the deployed code? We saw this happen in the case of the 2016 attack on TheDAO (which you can read about in very thoughtful detail here, in a 2018 law review piece by Shaanan Cohne  and David Hoffman, among other places). That precise issue was, of course, never litigated, but it did result in a network split that left us with Ethereum and Ethereum Classic.

The absence of directly-on-precedent does lead one to wonder how a court would rule. Is someone who exploits a bug in an open-source blockchain protocol simply following the rules of the game, like a person innocently playing a balky slot machine? Or are they like someone who knowingly takes money from a broken ATM, which in most jurisdictions you can't actually do (it's likely theft of fraud if a bank wants to press charges).

This kind of issue is raised in a lawsuit filed by Mark Shin against the ICON Foundation. Shin is represented by Kyle Roche from the Roche Cyrulnik Freedman law firm, which is known (among other things) for having sued Craig Wright on behalf of Ira Kleiman, as well a half dozen or so crypto exchanges earlier this year in putative class actions alleging massive market manipulation. A link to the lawsuit can be found here.

The lawsuit concerns ownership of the ICX token, which is native to the ICON blockchain.

According to the Complaint:

"On August 22, 2020, shortly after ICON released a major software update to the rules governing the ICON network, and after having already earned hundreds of thousands of ICX tokens, Shin inadvertently discovered a bug in the software that allowed him to generate approximately 14 million new ICX tokens. Shin did not hack into any network, or modify any source code in which any software was written, or exceed the authorization that the ICON network affords to all of its users, or break any applicable rules."

This is a very carefully drafted allegation, which appears written to make it clear that what Shin did would not fall within the rubric of the U.S. Computer Fraud and Abuse Act (which criminalizes exceeding authorization on or with a software platform). 

Rather, per the Complaint:

'Shin simply recognized that when he undertook a particular task on the network, the result was the generation of new ICX tokens into his ICX account, or “wallet,” and so he continued to undertake that task and generate ICX tokens. If a slot-machine keeps paying out with every pull of the lever, barring any casino rule to the contrary, the player is entitled to keep pulling the lever. The ICON network had no such rules, either express or implied."

Plaintiff says that whatever the intent behind the software update, other users adopted it and minted an additional six million tokens for themselves.

And here's where Plaintiff says things went off the rails. Rather than patch the code and allow people to keep the tokens they'd earned, the ICON Foundation publicly announced that he was a "malicious attacker".  And — despite the claim that this was a decentralized protocol — the Foundation reached out to crypto exchanges and demanded that they freeze his accounts, which they did.  They then contacted him via Twitter and threatened him with criminal prosecution.

Plaintiff acquired his tokens on Binance, Kraken and Velic and, in the course of doing so, "never agreed to any terms of service or any other contract with ICON."

Here's what appears to have led to Plaintiff acquiring a ton of free crypto:


In other words, Plaintiff saw that if he could "re-delegate" the same tokens over and over again, he would receive an award of new tokens each time — despite not placing additional capital at risk.

Plaintiff analogizes this to a casino, alleging that it was "as if Shin walked into a casino, placed a quarter in a video poker machine, pressed a series of buttons, and won a jackpot. Staying at the machine, Shin continued to put in quarters, press the same buttons, and win another jackpot."

In spite of this and in spite of allegedly and consequently being the owner of 14 million ICX tokens, Kraken and Binance were directed to freeze them and ICON blacklisted his wallets. And, as a result, he is now unable to transfer any of his assets from these exchanges.

There are four counts in the complaint, which was filed in the Northern District of California on October 20. First, Plaintiff asks for a declaratory judgment from the court that the ICX tokens issued on August 22 are his property. Second, there's a claim for "conversion" (which is kinda/sorta a tort claim for theft of property). Third, and somewhat novelly, Plaintiff alleges that the access to and interference with the tokens constitute trespass to chattel (personal property),  Fourth, and finally, the Plaintiff alleges something called Prima Facie Tort, which is the myofascial pain disorder of tort law — basically, it's a catchall cause of action for wrongful conduct.

I'm actually a little bit surprised there's no defamation claim but, hey, I'm just a simple country lawyer.

The Foundation will surely respond that the conduct was more like someone ripping off a malfunctioning ATM or taking money from a broken slot machine (again, you really can't do either of these things). The Plaintiff will respond that he was just following the rules of the game and spent his time and risked his assets to do so, and this is just a ploy by the Foundation to cover up an after-the-fact decision about the purpose of the code.

Frankly, I don't have a clear sense of how this one will turn out. I don't think it'll be decided on motions and it may end up going to trial if it's not settled (it is a case that screams out for early settlement, in my own entirely subjective personal view).  

On the one hand, the actions of the exchanges in calling the guy a thief and getting all of his assets frozen aren't terribly good facts for the Foundation, nor does it jibe with the notion that this is, in fact, a decentralized anything. 

At the same time, jurors might not like a too bad/so sad argument by the Plaintiff, and Defendant will argue that they had to know the code was balky after the first time he did this. They will likely argue that Plaintiff had to know that he was taking advantage of an unintentional bug and that after he did this once, he should have known what he was doing was in excess of the intended purpose or functionality of the code.  

Among other issues at trial might be the intent of the parties and, perhaps, whether, in fact, the Plaintiff knew or should have known that he was exploiting an unintentional bug to the potential detriment of others.  

Anyway, my crystal ball can't predict the future. But the one thing I doubt we will hear if this case goes to trial is the argument that "code is law." It still isn't.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.