Getting your Trinity Audio player ready...
|
In March, hackers breached the Ronin Network, a popular Ethereum compatible blockchain, and successfully stole $625 million worth of Ethereum and USDC tokens from thousands of users.
It’s the same story we’ve heard too many times before: a bad actor steals or otherwise removes access to someone’s store of digital assets, and despite often being able to see exactly where their property ‘sits’ on the blockchain the victims are left with no obvious way to get that property back. At the same time, those in charge of these blockchains throw their hands in the air and lament what a tragedy it is that their users have suffered such loss, and that there is simply nothing that they or anybody else can do to remedy it.
But that doesn’t need to be the case.
At roughly the same time hackers were perpetrating one of the biggest digital asset thefts in history in the Ronin hack, a U.K. High Court was refusing jurisdiction over a ground-breaking legal case which would have paved the way for those victims of digital asset theft to use the courts to regain control of their property.
That case was brought by Dr. Craig Wright via his company Tulip Trading, which lost access to 111,000 Bitcoin back in February of 2020 caused by a hack on Dr. Wright’s home network which destroyed the keys required to access the assets.
Dr. Wright was arguing that contrary to the assumptions of some, not only are there people who have the power to return access to digital assets for people like Dr. Wright, but those people have well-established legal duties which compel them to do so.
The particular duties Dr. Wright was arguing for are fiduciary duties and tortious duties. A fiduciary duty arises when a person has undertaken to act on behalf of others in a way which gives rise to a relationship of trust and confidence. Tortious duties are typically associated with cases of negligence, which requires a plaintiff to prove that the defendant owed them a duty of care in carrying out some acts which might reasonably be foreseen to cause harm.
In that sense, the argument isn’t new at all. Dr. Wright is simply arguing that the duties already recognized at law apply to protocol software engineers of the blockchain. For example, fiduciary duties are already recognized in a wide array of contexts. Financial advisors and the investors relying on their advice, solicitors and their clients, company board members and their shareholders are all relationships which the law deems to give rise to special obligations.
Most importantly (and in contradiction to the arguments made by counsel opposing Dr. Wright’s suit), the idea that software engineers can (and should) take action to remedy the effects of a network breach isn’t new either, despite protestations from certain blockchain engineers that the ‘decentralized’ nature of their blockchains make such a notion untenable.
Take BTC for example: the engineers who run and are in control of the network can highlight and freeze coins that they know have been stolen and return them to the rightful owner. To some this seems like a radical idea, but it shouldn’t. In fact, such a mechanism called the Alert Key was part of the original Bitcoin protocol until it was removed in 2016, and it remains within the power of those in control of these networks to reinstate the same mechanism or a functionally similar one.
It certainly isn’t new to Ethereum, the protocol software engineers of which have already put in place massive changes to the network in response to attacks just like what recently happened to Ronin. In 2016, a project called The DAO (Decentralized Autonomous Organization) was released on the Ethereum blockchain and was intended as a sort of investor-directed venture capital fund. After taking in $150 million from over 11,000 investors over a 28-day funding period, mere months after the funding had completed, a hacker used a network exploit to drain a third of the DAO’s funds into their own wallet.
This posed an existential threat to Ethereum, because the vulnerable DAO contained 15% of all ether. The failure of the DAO would have a drastic detrimental impact on the whole network, impacting whatever businesses have built their product on Ethereum and any individual who have purchased Ether or any Ethereum-derived token.
Those in control of Ethereum such as Vitalik Buterin were faced with the exact same choice available to any blockchain engineer when dealing with a similar malicious event: either do nothing in the name of the immutability of the ledger and say ‘tough luck’ to those who suffered loss, or take action. Ethereum took action: the decision was made, led by Ethereum’s protocol software engineers, to fork the network in order to recover the funds.
That the software developers were able to do this brings the absurdity of calling these operations ‘decentralized’ into sharp relief. Though some attempts were made to poll the wider community on how the problem should be dealt with, these received little engagement. Under 6% of Ethereum holders participated in the voting, and 25% of the votes came from a single Ethereum address. Despite that, the software engineers proceeded with a hard fork anyway. Even in the case of maximum engagement with such a vote, the solutions were developed, proposed and publicized by the core Ethereum developers.
Vitalik Buterin himself has recognized that the ‘decentralization’ of Ethereum is a myth. In 2017, he told an interviewer:
“It is kind of technocratic in some ways, because right now there is a small group of people that really deeply understand all the different ethereum technical considerations—a lot of decisions do tend to get made by a small group. But in the longer term that is definitely something we are looking to democratize.”
In other words, not decentralized.
Ethereum’s response to the latest Ronin hack should answer this question once and for all: in contrast to their rapid action over the DAO hack, nobody in control of Ethereum seems motivated to institute similarly sweeping changes to protect this latest wave of victims, despite already proving that it is within their power to do so.
The same can be said for virtually any public blockchain. As long as the protocol governing a particular network is open to change, and such changes are introduced and implemented by a defined group of software engineers, then there is no decentralization. It would be a trivial matter for a court to issue an order requiring these developers to freeze a particular set of coins and reassign them to their rightful owner—as trivial as it was for Vitalik to fork Ethereum following the DAO hack or for BTC developers to remove the freeze and return function from the original Bitcoin protocol.
The fact that they can take this action and yet feel able to choose not to is a big problem for the digital asset industry, which can only grow if governments and enterprise feel confident that it can grow lawfully. As long as people still mistakenly believe that the law doesn’t apply to digital assets simply because the technology is new, the confidence will never come. It is lawsuits suits like Dr. Wright’s that will establish exactly how current legal protections apply to new technology.
Though the U.K. High Court granted a jurisdictional challenge made by the defendant developers, this is almost certainly not the end of the developer liability question. An appeal by Dr. Wright is inevitable. Even in absence of an appeal and even though the court ruled against Dr. Wright at the jurisdictional stage, the ruling can’t be read as an indication that developers owe no duties to those relying on their blockchains as a matter of law. In fact, Justice Falk expressly left open the door to the potential for duties were the facts slightly different:
“This is not a case where it is alleged that, in making an update to the software, the Defendants acted in their own interests and contrary to the interests of owners, for example in introducing for their own advantage a bug or feature that compromised owners’ security but served their own purposes. I can see that it is conceivable that some form of duty could be engaged in that situation, although whether it would properly be characterised as a fiduciary duty is another matter.”
There’s no rule that means those who are the victim of digital asset theft have no recourse to the only people with the power to remedy their loss. Such an argument is very convenient for the blockchain developers who consider themselves above the law and developers like Vitalik Buterin, who are happy to pick and choose which thefts are worthy of intervention and which are not.
This attitude becomes more untenable every time a thief makes off with hundreds of millions of dollars’ worth of property and the only people with the power to do anything about it—the developers—decide to choose that moment to care about ‘immutability’ and the integrity of the chain. These days are numbered, and suits like Dr. Wright’s show the blueprint to holding these people to their legal obligations—even if it will take some time for the courts to catch up.