He did not steal anything. He beat the fund (Indexed Finance) at their own game.
He has not stolen anybody's password, has not modified DeFI code - simply executed a set of financial transactions according to the rules (expressed as DeFI smart contracts) and profited from it.
Indexed Finance is an unlicensed investment firm. The promoters knew the risk ( decentralized finance) and now they want to blame someone who outsmarted them at their own game.
>If you believe in cash, does that mean you can't run to the courts if someone steals your cash?
No, because the point of cash isn't to circumvent government control of the financial system. If you build a whole system just to decentralize financial control and avoid government influence but then appeal to the government as soon as you don't like what happens, you're doing something wrong.
> Are you allowed to take money from the other tables? Clearly the contract says you can, but surely that can't be what they intended?
If their entire business model is based on giving a service that allows you to store your money in safety without any government dependency, while in reality they allow everyone else to take your money, then they deserve whatever happens to them.
The problem here is that those crypto contracts aren't designed to be security. They are intended to be contracts.
It's like opening a bank account, and the contract says "You can only access your own money in the vault. Everything you can access is yours to use as you see fit." On your first visit the manager brings you into a vault with hundreds of cash-laden tables. He shows you to an empty table, and says "Here's your table. Enjoy!".
Are you allowed to take money from the other tables? Clearly the contract says you can, but surely that can't be what they intended? Is it theft to "break their security" by walking over to another table, or is it just a hidden perk of the contract you signed?
You'll need a stronger defense than that in court because courts absolutely create and deal in gray areas where technical fine lines exist.
What you need to argue is that the the smart contracts were valid contracts that the creators intended to and had opportunity to understand and that their creation was their act of negotiation of a position. It isn't really a stretch, but with amounts like this probably more diligence would have been due than that. Calling it theft is ridiculous on the other hand.
The point of bitcoin, in words of their creator is to “allow online payments to be sent directly from one party to another without going through a
financial institution.” That’s it.
>And when people leave their home unlocked the thieves should get to keep their stuff.
That's not what happened here. What happened is that the crypto company said, "Follow this contract," and their customer followed the contract and took their money, and then the crypto company was like, "But not like that!"
Ostensibly, the whole point of cryptocurrencies is to decentralize financial control and not depend on governments for that service. If you then depend on governments the second you don't like what happens, there's no point to cryptocurrencies.
If you can't distinguish "not what I intended" from "not what I wanted" then there is probably no reasoning with you. Luckily for the rest of us, making this distinction is a pre-requisite for becoming a judge or lawyer.
I really didn't intend that as an insult! I just find it very easy to distinguish between a case where someone followed reasonable rules and got an outcome they didn't like, versus a case where someone found absurd rules - clearly not intended by anyone - and exploited them for an undeserved gain.
If you see a case where someone exploits a badly-coded computer program to take a hundred million dollars from someone, refuses to return any of it (even when offered several million dollars for their trouble), refuses to co-operate with the judges and the rest of civilised society, and just see "waa waa baby doesn't like his medicine" then I don't see how to actually reason with you. That's just a value difference, not really an insult.
>I just find it very easy to distinguish between a case where someone followed reasonable rules and got an outcome they didn't like, versus a case where someone found absurd rules - clearly not intended by anyone - and exploited them for an undeserved gain
I think you overestimate how easy it is to distinguish between these two. A reasonable common example is people like Bernard Marantelli exploiting lotteries. The lottery does not intend for people to play as Marantelli does. You can (and people do) argue that he's stealing money, but should he go to jail for playing the lottery in a way "not intended by anyone"? I don't think so.
It's the same with card counters at a casino. The casino can throw card counters out because they can decide who plays at their establishment, but it would be unreasonable to jail card counters for playing blackjack in a way casinos don't intend.
>If you see a case where someone exploits a badly-coded computer program to take a hundred million dollars from someone
This phrasing removes relevant context to the point where it no longer represents what actually happened.
>refuses to return any of it (...)
I did not comment on any of this at all.
>I don't see how to actually reason with you
This is dismissive and denies my ability to be convinced by reasonable arguments. It is insulting, even if it's not intended that way.
I think both those cases are easy to decide, and are legitimate play. Even if they were not legitimate, I think the remedy is simple -- not jail, but at worst return the money that was taken. In this case, even if deciding the merit of the case is hard, there was a transparently reasonable remedy (return 90% of the funds, continue with your life) which Medjedovic rejected. More than just rejecting the offer, he then went on to launder the tokens through a mixer, fled the country, and has refused to put the funds in escrow while the case is decided in court. None of this is reasonable, in my opinion, and I am 100% ok with the legal system forcing him to comply.
> This phrasing removes relevant context to the point where it no longer represents what actually happened.
I don't think it does, but you don't explain why, so there is not much to argue. It is hard to get an objective description of what happened, but as far as I can tell, the liquidity pools operated by Indexed Finance are governed by a smart contract, the smart contract contained a mistake, and by exploiting that mistake, Medjedovic was able to drain them completely.
Can you explain to me in simple english how that is using the contract as intended? Note that "it's what the smart contract said" is not sufficient, for the same reason that "the web server allowed me to make that request" is not a defence against a charge of computer hacking. What the smart contract says is actually almost irrelevant. What is relevant is what it was intended to do.
Incidentally, why should I be rooting for this guy? It seems like literally the only argument in favour of what he did here is "everything that is possible is fair". His extraction of money is purely parasitic, and aside from merely identifying the bug, he hasn't done any useful work at all. I would grant that this applies to the lottery and card counting examples too. But why should I care that he's having his money taken away?
Many people disagree with you and describe what these people do as theft, so it's not as easy as you think.
>which Medjedovic rejected
I made no points at all about what he did afterward. This is all irrelevant to my point.
>I don't think it does, but you don't explain why
I did explain why further up in the thread. It's not just a badly coded computer program; it's a badly coded computer program that acts as a contract intended to circumvent government control of money. That's the context.
People agree to adhere to the smart contract instead of putting their money into a financial institution that uses contracts backed by laws enforced by governments. This guy adhered to the smart contract, and when the crypto company didn't like the outcome, they decided that none of the crypto stuff mattered and that the laws enforced by governments mattered after all.
But this makes cryptocurrencies entirely pointless. If you can use legal means to circumvent undesired smart contract outcomes, then you can just do that in the first place and not have the smart contract.
>Can you explain to me in simple english how that is using the contract as intended?
Yes, of course. Smart contracts are self-executing contracts. The agreement you make is written in the code of the contract. That is the intention behind a smart contract. It makes no sense to say that you did not adhere to the contract if it allowed you to do something. So by definition, anything you do that the contract enables you to do is using the contract as intended.
>Note that "it's what the smart contract said" is not sufficient, for the same reason that "the web server allowed me to make that request" is not a defence against a charge of computer hacking
Again, this argument ignores the context of smart contracts. Web servers don't claim that their code is a contract.
>why should I be rooting for this guy
It doesn't matter. I'm not rooting for this guy. I'm not arguing emotionally in favor of some guy who did something. In fact, I think he's a shithead.
> It makes no sense to say that you did not adhere to the contract if it allowed you to do something.
I think this is the point where I really disagree with you. I don't see how this is different for smart contracts, as opposed to, say legal contracts written in english. It is not true in general that just because a contract says something, that those exact terms are enforced. There is a whole body of law around what terms are enforceable, what to do in cases of mistakes, and so on.
I am now really unclear on what your position is. I thought originally that you were in favour of smart contracts, and that it was somehow unfair or unethical for e.g. a court to rule whether a smart contract was intended to do something different than what it did. So I am trying to understand why you think it is unethical. In this case I think it is unethical to obey the smart contract, and that what this kid did is unethical and should be illegal. Are you saying what he did is wrong, but he should be allowed to do it anyway? If so, why?
>I don't see how this is different for smart contracts, as opposed to, say legal contracts written in english
It's different because the whole purpose of smart contracts is to circumvent governmental power structures. Otherwise, people would use regular contracts.
Technologically, it's much easier to set up a payment system using a centralized database in a specific jurisdiction and have people sign normal contracts to use the system. People create cryptocurrency systems to avoid that. They put much effort into creating payment systems independent of existing power structures. If this system does not work without backup from the legal system and governmental power, then all that effort is pointless.
>I thought originally that you were in favour of smart contracts
I think they're interesting.
>Are you saying what he did is wrong, but he should be allowed to do it anyway?
Yes.
>If so, why?
Using existing governmental power structures to punish people who adhere to smart contracts in ways some system members don't like invalidates the whole system. If cryptosystems don't work purely technologically without judicial support, they don't work, period.
I think you're letting the perfect be the enemy of the good. It seems like an obvious advantage to have systems that decide the outcome automatically and correctly 99% of the time, despite requiring occasional corrections from outside. That's not the same as a regular contract, so it doesn't follow people would always either choose smart contracts or traditional ones.
What you're hoping for is, taken literally, impossible. Smart contracts can't protect people from fraud, or coercion. Since the law does protect them from these things, smart contracts cannot be totally isolated from the legal system (even if everyone wanted this, which they don't).
> Using existing governmental power structures to punish people who adhere to smart contracts in ways some system members don't like
Fine, but what about in ways that the rest of society don't like?
The entire point of a home is not to escape traditional finance. It's by design not compatible with a simple "thief breaks into house" comparison, otherwise the entire enterprise is a scam and they should be criminally prosecuted for fraud the second they ask for legal dispute resolution on transactions that happened on ledger.
> He did not steal anything. He beat the fund (Indexed Finance) at their own game.
As popular as this idea is online, it doesn’t work that way in the courts.
Intent matters in issues of the law. The “finders keepers” rules don’t apply in legal matters in the real world.
If someone logs into their bank and notices that changing the account number in the URL lets them withdraw from other people’s accounts, no court is going to shrug it off and say that it’s the bank’s fault for not being more secure. Likewise, finding a vulnerability in a smart contract doesn’t automatically give someone the right to any funds they collect from exploiting it.
We all know the “code is law” arguments about smart contracts are just marketing bluster. The lawyers do, too.
The big difference is that those are centralized systems owned by corporations, and accessing them in a way which you're not supposed to, such as by changing a bank account number or exploiting a zero day, is a crime.
With DeFi it's different; the code is public and decentralized. There was no unauthorized access to anything here. From my reading of what was done, it was essentially taking advantage of the poor trading strategy of Indexed Finance.
I'm not going to pretend to be a lawyer, but I don't see a lot of parallels between this and e.g. using SQL injection to obtain unauthorized access to a system.
The intent of the whole underlying system is that the intent of all the parties be described by code of the smart contracts. Which are intended to be composable, intended to be used in unanticipated ways, and intended to operate independent of any human oversight. The system is also intended to avoid all ambiguity by enforcing the contracts exactly as described by the code... and to provide certainty of transactions and prevent them from being undone after the fact.
Everybody involved knows all of that, and claims it as a positive feature of the system. At least until they find out that it's actually hard to write bug-free code.
There may indeed not be a legal "meeting of minds" (although there very well also may)... but from an ethical point of view, everybody involved knowingly signed up for exactly that kind of risk. And honestly it would be good public policy if the law held them to it. Otherwise you get people trying to opt out of the regular legal system up until it's inconvenient.
There'd be more of a case if he'd exploited the underlying EVM implementation. But he didn't. He just relied on the "letter" of a contract, in an environment that everybody had sought out because of unambiguous to-the-letter enforcement.
Is that how it works legally? If you hack into computers using a zero day, did you also just access the computer according to the way it was programmed? Just because you can do it technically doesn’t mean it’s not fraud/something else.
If that's not how it works, where's the line for what is fraud and what is not? Once you move away from the "code is law" principle, companies have the perverse incentive to define fraud as "any transaction that results in negative PnL for me", which is exactly what happened here.
I am well aware that "code is law" has no weight in actual law. The point I tried to raise was, given the following sequence of events:
1. You deploy a smart contract to the ethereum blockchain
2. I interact with your smart contract in some manner
how do we define whether the manner of interaction in step 2 is fradulent or not?
"Code is law" is one interpretation by crypto enthusiasts to define under what conditions interacting with the blockchain is fraud; in their definition, it's never fradulent.
Let's assume "code is law" is nonsense, as many comments here say. Then, under what conditions do we define interacting with the blockchain as fradulent? What is fraud and what is not fraud?
Edit: In the blockchain we can even formalize this. The ethereum blockchain at block K has a certain state S_K. I submit a certain transaction/set of instructions T to the blockchain which is mined as block K+1. How do we define a function isIllegal(S_K, T)? (Assuming block K+1 contains EVM instructions from my transaction T only)
You’re never going to find a binary function that tells you if something is legal or not, in the end it’s up to a human judge to decide. But imagine setting up a search engine and I enter “ Robert'); DROP TABLE INDEX; --” as a search term. Would you say that’s a crime? That’s a perfectly fine thing to search for, right?
> You’re never going to find a binary function that tells you if something is legal or not, in the end it’s up to a human judge to decide.
... but the whole point of cryptocurrency, or at least of smart contracts and "DeFi", is to reject that and try to build a parallel system. That's presumably based on a belief that you can write code that behaves the way you intend, regardless of whether you really can do that or not.
So perhaps the judge should decide "Well, you signed up for that when you tried to opt out of having human judgement govern your deals. Have a nice day.".
And in fact perhaps there should be formal statutory law that makes it clear that's what the judge is supposed to decide in any case that isn't itself "borderline" somehow. Which the case at hand shouldn't be.
If I put up a sign „trespassers will be enslaved“ on my property and then force people who trespass to work for me, would that be fine because they knew what they were getting into? You can’t just create your own justice system which contradicts the real one by making contracts.
Alright, please go ahead and define under what legal pretext this guy's behavior might be illegal.
There are other cases where interacting the blockchain is illegal in a very clear manner. Example: if I know an Iranian or North Korean entity has the keys to an Ethereum wallet, and if I send USDT to that wallet as a Western citizen, that is very illegal due to sanctions.
Imagine I write a contract and empower an AI to execute it. I put $10,000 in a bank account and write, "I'd like a nice car."
I do this of my own free will, at my own hazard. I know I'm playing this game. I have intentionally elected to use a system that will execute without any further intervention or oversight on my part. Verbally, I state that I am confident enough in the writing of my instruction that I feel secure in whatever outcome it may bring.
The system automatically executes and someone has sold me a very nice remote control car.
Isn’t, in the US system, the definition of fraud built up through a combination of legislation and case law from previous ‘grey area’ cases? I think most laws tend to have some balance between what is easy to define/understand and what is desirable to allow/disallow.
What does one have to do with the other? Fraud is "intentional deception to gain an unfair or illegal advantage, often resulting in financial or legal harm" what does that have to do with code? What could code even do about fraud?
The company and its customers knew what they were getting into; to get protections from the law and guarantees, financial institutions need to get licensed and comply with all the rules, regulations and law. Of course, this includes providing transaction data to the relevant parties to help them detect tax evasion and money laundering.
> to get protections from the law and guarantees, financial institutions need to get licensed and comply with all the rules, regulations and law.
That’s not how the law works.
If someone breaks the law or doesn’t comply with regulations, that’s a separate issue. It doesn’t entitle a third party to steal their funds.
If you were to rob a drug dealer, you couldn’t argue that they weren’t complying with the law and therefore you were free to take it. You would both have broken laws.
If you write a contract and give it to a lawyer with the instruction, "Anyone who satisfies this contract gets this money." And someone satisfies the contract to the lawyer's -but not your- satisfaction, and the lawyer sends the money, did the third party steal from you?
Indexed Finance's mistake was not being Vitalik Buterin and then putting on a sad face and ask for the shitcoin to fork to a version where they didn't screw up.
But wont somebody think of the Incompetence Finance Inc. - we cant have fraudsters defrauded, with legal means. The upper caste taketh the lower giveth that is tardition since the dawn of time.
A masked man creeps through the shadows of a sleeping town.
He looks both ways, then uses a knife to unlatch a door from the outside. He slips into near pitch blackness. He moves confidently in the darkness - he's worked for this bank before, checking on their security from theft.
Out comes his lock picking tools - the bank president's office door opens with a quick rake. Cheap lock.
Inside, with no windows to betray him, he lights a candle. There in the corner stands the safe. He knows it inside and out, and has been practicing. Five minutes later, the lock is picked, and he loads up the gold, cash, and bonds inside.
He puts the candle out, slips back outside, and returns to his room at the lodging house, climbing in through the window.
The next morning, with the discovery of missing gold, the town looks like someone kicked over a fire ants nest. It only takes 30 minutes before people start wondering about "bank security expert" who had just been in the bank every day.
A crowd heads over the boarding house, growing in size as it goes.
"Did you steal our money?", they ask?
"ABSOLUTELY NOT," he replies, "I merely used my immense mental powers to out hink several flawed physical security measures, breaking no laws of physics, in such a way that the gold, cash, and bonds previously belong to you are now in my possession, and now belong to me. No theft has taken place, only the movement of certain levers, of which anyone who knew how could move, and the movement of afterwords of certain goods."
"So you stole our money!!", the town shouted.
"No, no, I just interacted with the universe according to its very own publicly available rules. No theft has occurred!"
An old cowhand, covering him with double barrel, spoke up, "Walll, guess he's right. We deserved to lose all that money. He did nothing wrong at all."
Yes, running transactions for asymmetric benefit allowed by code on a platform underpinned by a technology whose proponents espouse "code is law" is at all comparable to a man picking a lock on a bank safe. Very astute.
In this case the only person espousing the idea of "code is law" is the hacker. Neither the blockchain's builders, nor the hacked protocol, nor the users are saying that.
"code is law" is a meme that primarily lives on hacker news. Only a tiny fraction of crypto people believe it or say it.
> A masked man creeps through the shadows of a sleeping town.
> He looks both ways, then
... walks into a casino, realizes there's a flaw in how they shuffle and deal cards, and then makes a shit ton of money exploiting this weakness.
After losing a shit ton of money because they didn't plan for someone to play the game in an unexpected way, the owners of the casino demanded the money back.
"Did you steal our money?", they ask?
"ABSOLUTELY NOT," he replies, "I didn't get any non-public information, I didn't manipulate the deck, and you have yet to point to a single hand that was not played entirely within the stated rules of the game. You're just mad because I noticed that you fucked up and bet accordingly."
So which one is it? Code is contract and he should get to keep the money. Or crypto is governed by laws outside of crypto and so he violated the “spirit” of the code and hence is a criminal?
It seems like right now the crypto industry makes the decision to their convenience on a daily basis.
My personal belief is that this was not fraud and "Code is Law" works. Yet, this guy is a perfect example of how intelligence and wisdom are not the same. He was clearly smart and dedicated enough to pull off this sort of trade successfully multiple times in a row, and probably all he had to do to get away with it was keeping his mouth shut. Or at the very least not get convicted by default on contempt of court charges by ignoring a court summons.
Agree, but the wisdom here is in recognising that once you made $65m in seconds at someone else's expense they will try to recoup that amount by any means necessary.
One universal law is that if you steal from people with more money than you, you're screwed. And the more money they have, the worse off you are.
But on a serious note, whenever you read about some people that have either managed to outright steal crypto, or find some vulnerability which hasn't been legality tested...and they just pack their bags, hoping to live life free, forever after. It just seems so naive, too naive with how smart these individuals otherwise tend to be.
I think it is fair to say that once you'll cross a threshold, could be a million. could be 10 million. could be 50 million. All depends on who you've taken it from, you'll realistically be hunted for life.
The people that do get away with these things, are state sponsored operators - but they don't walk away with tens of millions in loot, either.
EDIT: Reading the article, this guy sounds like a real piece of work.
It reminds me of the Sam Bankman-fried case, but it also quite different. SBF thought the abstractions would protect him from the law when he clearly was misleading investors and using code to abstract away his fraud. However, in this case, the code/fraud was presented and used as intended. While I believe SBF was innocent of defrauding his early investors who were foolish to trust such a system, he was guilty for other reasons.
Andean Medjedovic's case shouldn't have even made it to court and he had no obligation to leave his crypto or cashed out legal tender with some "custodian" and spend the next several years of his life as a beta tester for establishing case law. This wasn't just "code is law," more accurately, "under the stipulations of the contract, code is law."
Based on this article, it doesn't sound like he did anything illegal (initially). He saw an opportunity and took advantage of it not unlike high frequency trading in the late 90s/early 2000s. Decentralized markets operate in a space that's inherently risky -- if they don't want to get exploited, hire better engineers or get out of the game. Begging the government for help when you got bested isn't how decentralization works.
The entire space of smart contracts falls within the intended functionality of the systems that implement them, which make this particular use of them conceptually unlike things like buffer overflows.
Calling it a "hack" or an "attack" as this article does (while strawmanning the opposite case) is a deliberate attempt to muddy the waters, and is a failure of journalism.
My favorite is one of the text files on the attacker's computer:
A file labeled "Decisions and Mistakes," in which he wrote, "Going On the run / Yes / Chance of getting caught<Payoff for not getting caught / (NA) / Risk is typically underpriced in modern world.
He should have accepted their offer of 10% as a bug bounty. Certainly crypto folk love to act like unregulated markets but this smells like market manipulation to my armchair education and even if the market tries to play both ways, the courts won't. I do hope that the Ontario court fights the extradition, because the American laws leveled at him seem bogus by Canadian standards (wire fraud, extortion and money laundering) but that tort case might be legit.
How this works in traditional finance is that the big funds would screw the small guy that beats them (especially if they're from a foreign country). They claim that they use unfair or illegal practices, but the reality is that they're not that different to their own.
Ultimately the rules are written by people who look legitimate, and/or those who capture regulators.
Wait, I thought cryptocurrencies aren't securities? Why are our tax dollars being spent investigating this? If they're not securities (like coinbase etc would like us to believe), then he didn't do anything wrong and there are no other rules - code is law. If they are securities, then why are there so many illegal exchanges operating in plain sight?
Once again, crypto folks are all about decentralization until someone outsmarts them, then they go crying to daddy government to bail them out.
You can't "steal" crypto; it's all just a scam that operates outside of the law.
I mean, sure, we can use the language of theft and crime figuratively, just like when we talk about animals. For instance, "the wolf stole a chicken from the coop".
"Code is Law" is a profoundly immature idea, and I am surprised anyone other than children take it seriously. The law is not, and never has been, something that is read literally and taken at face value. This is the entire reason that judges and lawyers exist.
Saying "The code let me do it, so it should be legal" is a bit like if I leave a "free to a good home" sign on a plant pot outside my home, and it leans on my car. It does not mean you are permitted to take my car, no matter how "obvious" it seems to you that it should.
What's actually confusing in the analogy? Are you actually confused or just pretending? The point is that just because a sign says something under a literal reading, it doesn't mean that it's what was intended, or what's binding. If there's a piece of paper on my car saying "free to a good home", I probably didn't intend that you can take my car (or my house, or whatever). It's not very different to the fact that a 0-day exploit on your bank's web server does not entitle the thief to your money.
He did not steal anything. He beat the fund (Indexed Finance) at their own game.
He has not stolen anybody's password, has not modified DeFI code - simply executed a set of financial transactions according to the rules (expressed as DeFI smart contracts) and profited from it.
Indexed Finance is an unlicensed investment firm. The promoters knew the risk ( decentralized finance) and now they want to blame someone who outsmarted them at their own game.
This. If you believe in cryptocurrencies, you can't run to the courts when people use them as designed, even if they didn't use them as intended.
If you end up using the legal system to remediate undesired transactions, what's the point of cryptocurrencies in the first place?
> what's the point of cryptocurrencies in the first place?
So far, to execute illegal transactions and using the lack of regulations to exploit the financially illiterate.
> If you believe in cryptocurrencies, you can't run to the courts when people use them as designed, even if they didn't use them as intended.
If you believe in cash, does that mean you can't run to the courts if someone steals your cash?
If your security proves insufficient to prevent a theft, that doesn't mean the theft was legal! It just means your security was insufficient.
That security can be enforced by mathematics instead of courts is definitely a benefit of cryptocurrency, but when it goes wrong courts still matter.
>If you believe in cash, does that mean you can't run to the courts if someone steals your cash?
No, because the point of cash isn't to circumvent government control of the financial system. If you build a whole system just to decentralize financial control and avoid government influence but then appeal to the government as soon as you don't like what happens, you're doing something wrong.
@crote
> Are you allowed to take money from the other tables? Clearly the contract says you can, but surely that can't be what they intended?
If their entire business model is based on giving a service that allows you to store your money in safety without any government dependency, while in reality they allow everyone else to take your money, then they deserve whatever happens to them.
The problem here is that those crypto contracts aren't designed to be security. They are intended to be contracts.
It's like opening a bank account, and the contract says "You can only access your own money in the vault. Everything you can access is yours to use as you see fit." On your first visit the manager brings you into a vault with hundreds of cash-laden tables. He shows you to an empty table, and says "Here's your table. Enjoy!".
Are you allowed to take money from the other tables? Clearly the contract says you can, but surely that can't be what they intended? Is it theft to "break their security" by walking over to another table, or is it just a hidden perk of the contract you signed?
You'll need a stronger defense than that in court because courts absolutely create and deal in gray areas where technical fine lines exist.
What you need to argue is that the the smart contracts were valid contracts that the creators intended to and had opportunity to understand and that their creation was their act of negotiation of a position. It isn't really a stretch, but with amounts like this probably more diligence would have been due than that. Calling it theft is ridiculous on the other hand.
>you can't run to the courts when people use them as designed, even if they didn't use them as intended.
I doubt that will hold up in court. The exact thing could be said about computer networks and hackers exploiting them.
The entire idea of crypto is "I wasn't supposed to be the one holding the bag!"
The point of bitcoin, in words of their creator is to “allow online payments to be sent directly from one party to another without going through a financial institution.” That’s it.
A wanting of having cake, but a desire to eat it too.
> what's the point of cryptocurrencies in the first place?
I think you’re answering your own question here
> what's the point of cryptocurrencies in the first place?
Not to be that guy but it seems like the point of cryptocurrencies is to scam vulnerable people...
> If you believe in cryptocurrencies, you can't run to the courts when people use them as designed, even if they didn't use them as intended.
Yes, indeed. And when people leave their home unlocked the thieves should get to keep their stuff. What kind of savagery is this?
> If you end up using the legal system to remediate undesired transactions, what's the point of cryptocurrencies in the first place?
Great question, we have been waiting for answers for nearly a decade now...
>And when people leave their home unlocked the thieves should get to keep their stuff.
That's not what happened here. What happened is that the crypto company said, "Follow this contract," and their customer followed the contract and took their money, and then the crypto company was like, "But not like that!"
Ostensibly, the whole point of cryptocurrencies is to decentralize financial control and not depend on governments for that service. If you then depend on governments the second you don't like what happens, there's no point to cryptocurrencies.
If you can't distinguish "not what I intended" from "not what I wanted" then there is probably no reasoning with you. Luckily for the rest of us, making this distinction is a pre-requisite for becoming a judge or lawyer.
>Luckily for the rest of us, making this distinction is a pre-requisite for becoming a judge or lawyer.
I have to admit, that's pretty funny. But I will point out that you did not make an argument in support of your position; you merely insulted me.
I really didn't intend that as an insult! I just find it very easy to distinguish between a case where someone followed reasonable rules and got an outcome they didn't like, versus a case where someone found absurd rules - clearly not intended by anyone - and exploited them for an undeserved gain.
If you see a case where someone exploits a badly-coded computer program to take a hundred million dollars from someone, refuses to return any of it (even when offered several million dollars for their trouble), refuses to co-operate with the judges and the rest of civilised society, and just see "waa waa baby doesn't like his medicine" then I don't see how to actually reason with you. That's just a value difference, not really an insult.
>I just find it very easy to distinguish between a case where someone followed reasonable rules and got an outcome they didn't like, versus a case where someone found absurd rules - clearly not intended by anyone - and exploited them for an undeserved gain
I think you overestimate how easy it is to distinguish between these two. A reasonable common example is people like Bernard Marantelli exploiting lotteries. The lottery does not intend for people to play as Marantelli does. You can (and people do) argue that he's stealing money, but should he go to jail for playing the lottery in a way "not intended by anyone"? I don't think so.
It's the same with card counters at a casino. The casino can throw card counters out because they can decide who plays at their establishment, but it would be unreasonable to jail card counters for playing blackjack in a way casinos don't intend.
>If you see a case where someone exploits a badly-coded computer program to take a hundred million dollars from someone
This phrasing removes relevant context to the point where it no longer represents what actually happened.
>refuses to return any of it (...)
I did not comment on any of this at all.
>I don't see how to actually reason with you
This is dismissive and denies my ability to be convinced by reasonable arguments. It is insulting, even if it's not intended that way.
I think both those cases are easy to decide, and are legitimate play. Even if they were not legitimate, I think the remedy is simple -- not jail, but at worst return the money that was taken. In this case, even if deciding the merit of the case is hard, there was a transparently reasonable remedy (return 90% of the funds, continue with your life) which Medjedovic rejected. More than just rejecting the offer, he then went on to launder the tokens through a mixer, fled the country, and has refused to put the funds in escrow while the case is decided in court. None of this is reasonable, in my opinion, and I am 100% ok with the legal system forcing him to comply.
> This phrasing removes relevant context to the point where it no longer represents what actually happened.
I don't think it does, but you don't explain why, so there is not much to argue. It is hard to get an objective description of what happened, but as far as I can tell, the liquidity pools operated by Indexed Finance are governed by a smart contract, the smart contract contained a mistake, and by exploiting that mistake, Medjedovic was able to drain them completely.
Can you explain to me in simple english how that is using the contract as intended? Note that "it's what the smart contract said" is not sufficient, for the same reason that "the web server allowed me to make that request" is not a defence against a charge of computer hacking. What the smart contract says is actually almost irrelevant. What is relevant is what it was intended to do.
Incidentally, why should I be rooting for this guy? It seems like literally the only argument in favour of what he did here is "everything that is possible is fair". His extraction of money is purely parasitic, and aside from merely identifying the bug, he hasn't done any useful work at all. I would grant that this applies to the lottery and card counting examples too. But why should I care that he's having his money taken away?
>I think both those cases are easy to decide
Many people disagree with you and describe what these people do as theft, so it's not as easy as you think.
>which Medjedovic rejected
I made no points at all about what he did afterward. This is all irrelevant to my point.
>I don't think it does, but you don't explain why
I did explain why further up in the thread. It's not just a badly coded computer program; it's a badly coded computer program that acts as a contract intended to circumvent government control of money. That's the context.
People agree to adhere to the smart contract instead of putting their money into a financial institution that uses contracts backed by laws enforced by governments. This guy adhered to the smart contract, and when the crypto company didn't like the outcome, they decided that none of the crypto stuff mattered and that the laws enforced by governments mattered after all.
But this makes cryptocurrencies entirely pointless. If you can use legal means to circumvent undesired smart contract outcomes, then you can just do that in the first place and not have the smart contract.
>Can you explain to me in simple english how that is using the contract as intended?
Yes, of course. Smart contracts are self-executing contracts. The agreement you make is written in the code of the contract. That is the intention behind a smart contract. It makes no sense to say that you did not adhere to the contract if it allowed you to do something. So by definition, anything you do that the contract enables you to do is using the contract as intended.
>Note that "it's what the smart contract said" is not sufficient, for the same reason that "the web server allowed me to make that request" is not a defence against a charge of computer hacking
Again, this argument ignores the context of smart contracts. Web servers don't claim that their code is a contract.
>why should I be rooting for this guy
It doesn't matter. I'm not rooting for this guy. I'm not arguing emotionally in favor of some guy who did something. In fact, I think he's a shithead.
> It makes no sense to say that you did not adhere to the contract if it allowed you to do something.
I think this is the point where I really disagree with you. I don't see how this is different for smart contracts, as opposed to, say legal contracts written in english. It is not true in general that just because a contract says something, that those exact terms are enforced. There is a whole body of law around what terms are enforceable, what to do in cases of mistakes, and so on.
I am now really unclear on what your position is. I thought originally that you were in favour of smart contracts, and that it was somehow unfair or unethical for e.g. a court to rule whether a smart contract was intended to do something different than what it did. So I am trying to understand why you think it is unethical. In this case I think it is unethical to obey the smart contract, and that what this kid did is unethical and should be illegal. Are you saying what he did is wrong, but he should be allowed to do it anyway? If so, why?
>I don't see how this is different for smart contracts, as opposed to, say legal contracts written in english
It's different because the whole purpose of smart contracts is to circumvent governmental power structures. Otherwise, people would use regular contracts.
Technologically, it's much easier to set up a payment system using a centralized database in a specific jurisdiction and have people sign normal contracts to use the system. People create cryptocurrency systems to avoid that. They put much effort into creating payment systems independent of existing power structures. If this system does not work without backup from the legal system and governmental power, then all that effort is pointless.
>I thought originally that you were in favour of smart contracts
I think they're interesting.
>Are you saying what he did is wrong, but he should be allowed to do it anyway?
Yes.
>If so, why?
Using existing governmental power structures to punish people who adhere to smart contracts in ways some system members don't like invalidates the whole system. If cryptosystems don't work purely technologically without judicial support, they don't work, period.
I think you're letting the perfect be the enemy of the good. It seems like an obvious advantage to have systems that decide the outcome automatically and correctly 99% of the time, despite requiring occasional corrections from outside. That's not the same as a regular contract, so it doesn't follow people would always either choose smart contracts or traditional ones.
What you're hoping for is, taken literally, impossible. Smart contracts can't protect people from fraud, or coercion. Since the law does protect them from these things, smart contracts cannot be totally isolated from the legal system (even if everyone wanted this, which they don't).
> Using existing governmental power structures to punish people who adhere to smart contracts in ways some system members don't like
Fine, but what about in ways that the rest of society don't like?
>It seems like an obvious advantage to have systems that decide the outcome automatically and correctly 99% of the time
That's what traditional systems already do.
>Fine, but what about in ways that the rest of society don't like?
They don't participate in crypto.
The entire point of a home is not to escape traditional finance. It's by design not compatible with a simple "thief breaks into house" comparison, otherwise the entire enterprise is a scam and they should be criminally prosecuted for fraud the second they ask for legal dispute resolution on transactions that happened on ledger.
> He did not steal anything. He beat the fund (Indexed Finance) at their own game.
As popular as this idea is online, it doesn’t work that way in the courts.
Intent matters in issues of the law. The “finders keepers” rules don’t apply in legal matters in the real world.
If someone logs into their bank and notices that changing the account number in the URL lets them withdraw from other people’s accounts, no court is going to shrug it off and say that it’s the bank’s fault for not being more secure. Likewise, finding a vulnerability in a smart contract doesn’t automatically give someone the right to any funds they collect from exploiting it.
We all know the “code is law” arguments about smart contracts are just marketing bluster. The lawyers do, too.
The big difference is that those are centralized systems owned by corporations, and accessing them in a way which you're not supposed to, such as by changing a bank account number or exploiting a zero day, is a crime.
With DeFi it's different; the code is public and decentralized. There was no unauthorized access to anything here. From my reading of what was done, it was essentially taking advantage of the poor trading strategy of Indexed Finance.
I'm not going to pretend to be a lawyer, but I don't see a lot of parallels between this and e.g. using SQL injection to obtain unauthorized access to a system.
The intent of the whole underlying system is that the intent of all the parties be described by code of the smart contracts. Which are intended to be composable, intended to be used in unanticipated ways, and intended to operate independent of any human oversight. The system is also intended to avoid all ambiguity by enforcing the contracts exactly as described by the code... and to provide certainty of transactions and prevent them from being undone after the fact.
Everybody involved knows all of that, and claims it as a positive feature of the system. At least until they find out that it's actually hard to write bug-free code.
There may indeed not be a legal "meeting of minds" (although there very well also may)... but from an ethical point of view, everybody involved knowingly signed up for exactly that kind of risk. And honestly it would be good public policy if the law held them to it. Otherwise you get people trying to opt out of the regular legal system up until it's inconvenient.
There'd be more of a case if he'd exploited the underlying EVM implementation. But he didn't. He just relied on the "letter" of a contract, in an environment that everybody had sought out because of unambiguous to-the-letter enforcement.
Is that how it works legally? If you hack into computers using a zero day, did you also just access the computer according to the way it was programmed? Just because you can do it technically doesn’t mean it’s not fraud/something else.
If that's not how it works, where's the line for what is fraud and what is not? Once you move away from the "code is law" principle, companies have the perverse incentive to define fraud as "any transaction that results in negative PnL for me", which is exactly what happened here.
„Code is law“ isn’t a thing. Go tell a judge that your hacking is legal because the code allowed it. That’s not something that’s allowed by law.
I am well aware that "code is law" has no weight in actual law. The point I tried to raise was, given the following sequence of events:
1. You deploy a smart contract to the ethereum blockchain
2. I interact with your smart contract in some manner
how do we define whether the manner of interaction in step 2 is fradulent or not?
"Code is law" is one interpretation by crypto enthusiasts to define under what conditions interacting with the blockchain is fraud; in their definition, it's never fradulent.
Let's assume "code is law" is nonsense, as many comments here say. Then, under what conditions do we define interacting with the blockchain as fradulent? What is fraud and what is not fraud?
Edit: In the blockchain we can even formalize this. The ethereum blockchain at block K has a certain state S_K. I submit a certain transaction/set of instructions T to the blockchain which is mined as block K+1. How do we define a function isIllegal(S_K, T)? (Assuming block K+1 contains EVM instructions from my transaction T only)
You’re never going to find a binary function that tells you if something is legal or not, in the end it’s up to a human judge to decide. But imagine setting up a search engine and I enter “ Robert'); DROP TABLE INDEX; --” as a search term. Would you say that’s a crime? That’s a perfectly fine thing to search for, right?
Yes, perfectly fine, and the fact that you can paste that string into this website without being put in prison is testament to that!
> You’re never going to find a binary function that tells you if something is legal or not, in the end it’s up to a human judge to decide.
... but the whole point of cryptocurrency, or at least of smart contracts and "DeFi", is to reject that and try to build a parallel system. That's presumably based on a belief that you can write code that behaves the way you intend, regardless of whether you really can do that or not.
So perhaps the judge should decide "Well, you signed up for that when you tried to opt out of having human judgement govern your deals. Have a nice day.".
And in fact perhaps there should be formal statutory law that makes it clear that's what the judge is supposed to decide in any case that isn't itself "borderline" somehow. Which the case at hand shouldn't be.
If I put up a sign „trespassers will be enslaved“ on my property and then force people who trespass to work for me, would that be fine because they knew what they were getting into? You can’t just create your own justice system which contradicts the real one by making contracts.
You can give away your money by making contracts.
The physical universe advances from state to state, but we define still can call certain behaviors illegal.
https://xkcd.com/1494/
Alright, please go ahead and define under what legal pretext this guy's behavior might be illegal.
There are other cases where interacting the blockchain is illegal in a very clear manner. Example: if I know an Iranian or North Korean entity has the keys to an Ethereum wallet, and if I send USDT to that wallet as a Western citizen, that is very illegal due to sanctions.
There is a US indictment which lays out the basics of the which laws Medjedovic is accused of breaking.
https://www.justice.gov/usao-edny/pr/canadian-national-charg...
Imagine I write a contract and empower an AI to execute it. I put $10,000 in a bank account and write, "I'd like a nice car."
I do this of my own free will, at my own hazard. I know I'm playing this game. I have intentionally elected to use a system that will execute without any further intervention or oversight on my part. Verbally, I state that I am confident enough in the writing of my instruction that I feel secure in whatever outcome it may bring.
The system automatically executes and someone has sold me a very nice remote control car.
I sue that person.
Why should I have standing?
Isn’t, in the US system, the definition of fraud built up through a combination of legislation and case law from previous ‘grey area’ cases? I think most laws tend to have some balance between what is easy to define/understand and what is desirable to allow/disallow.
What does one have to do with the other? Fraud is "intentional deception to gain an unfair or illegal advantage, often resulting in financial or legal harm" what does that have to do with code? What could code even do about fraud?
If fraud is "intentional deception", who did this guy deceive? Everything was out in the open.
What does that have to do with my question?
The company and its customers knew what they were getting into; to get protections from the law and guarantees, financial institutions need to get licensed and comply with all the rules, regulations and law. Of course, this includes providing transaction data to the relevant parties to help them detect tax evasion and money laundering.
> to get protections from the law and guarantees, financial institutions need to get licensed and comply with all the rules, regulations and law.
That’s not how the law works.
If someone breaks the law or doesn’t comply with regulations, that’s a separate issue. It doesn’t entitle a third party to steal their funds.
If you were to rob a drug dealer, you couldn’t argue that they weren’t complying with the law and therefore you were free to take it. You would both have broken laws.
Define theft.
If you write a contract and give it to a lawyer with the instruction, "Anyone who satisfies this contract gets this money." And someone satisfies the contract to the lawyer's -but not your- satisfaction, and the lawyer sends the money, did the third party steal from you?
There's a very relevant XKCD on this, where someone discovers a clever "bug" in an insurance contract, and is then disappointed.
https://xkcd.com/1494/
Indexed Finance's mistake was not being Vitalik Buterin and then putting on a sad face and ask for the shitcoin to fork to a version where they didn't screw up.
He should have taken the significant and generous 10% bounty the first time around. He now has to face law suits by well-funded finance firms.
It seems like he simply faces a very wealthy existence in countries that don't give a shit about US laws.
Code is lol. Oh, sorry, meant to say Code is Law. :)
But wont somebody think of the Incompetence Finance Inc. - we cant have fraudsters defrauded, with legal means. The upper caste taketh the lower giveth that is tardition since the dawn of time.
The camera shows night in the Wild West.
A masked man creeps through the shadows of a sleeping town.
He looks both ways, then uses a knife to unlatch a door from the outside. He slips into near pitch blackness. He moves confidently in the darkness - he's worked for this bank before, checking on their security from theft.
Out comes his lock picking tools - the bank president's office door opens with a quick rake. Cheap lock.
Inside, with no windows to betray him, he lights a candle. There in the corner stands the safe. He knows it inside and out, and has been practicing. Five minutes later, the lock is picked, and he loads up the gold, cash, and bonds inside.
He puts the candle out, slips back outside, and returns to his room at the lodging house, climbing in through the window.
The next morning, with the discovery of missing gold, the town looks like someone kicked over a fire ants nest. It only takes 30 minutes before people start wondering about "bank security expert" who had just been in the bank every day.
A crowd heads over the boarding house, growing in size as it goes.
"Did you steal our money?", they ask?
"ABSOLUTELY NOT," he replies, "I merely used my immense mental powers to out hink several flawed physical security measures, breaking no laws of physics, in such a way that the gold, cash, and bonds previously belong to you are now in my possession, and now belong to me. No theft has taken place, only the movement of certain levers, of which anyone who knew how could move, and the movement of afterwords of certain goods."
"So you stole our money!!", the town shouted.
"No, no, I just interacted with the universe according to its very own publicly available rules. No theft has occurred!"
An old cowhand, covering him with double barrel, spoke up, "Walll, guess he's right. We deserved to lose all that money. He did nothing wrong at all."
Everyone left, impressed with his genius.
Yes, running transactions for asymmetric benefit allowed by code on a platform underpinned by a technology whose proponents espouse "code is law" is at all comparable to a man picking a lock on a bank safe. Very astute.
In this case the only person espousing the idea of "code is law" is the hacker. Neither the blockchain's builders, nor the hacked protocol, nor the users are saying that.
"code is law" is a meme that primarily lives on hacker news. Only a tiny fraction of crypto people believe it or say it.
> The camera shows night in the Wild West.
> A masked man creeps through the shadows of a sleeping town.
> He looks both ways, then
... walks into a casino, realizes there's a flaw in how they shuffle and deal cards, and then makes a shit ton of money exploiting this weakness.
After losing a shit ton of money because they didn't plan for someone to play the game in an unexpected way, the owners of the casino demanded the money back.
"Did you steal our money?", they ask?
"ABSOLUTELY NOT," he replies, "I didn't get any non-public information, I didn't manipulate the deck, and you have yet to point to a single hand that was not played entirely within the stated rules of the game. You're just mad because I noticed that you fucked up and bet accordingly."
So which one is it? Code is contract and he should get to keep the money. Or crypto is governed by laws outside of crypto and so he violated the “spirit” of the code and hence is a criminal?
It seems like right now the crypto industry makes the decision to their convenience on a daily basis.
Purity goes out the window when there's real money involved. And means that in cryptocurrency, you only own what the government grants that you own.
It'll be interesting how this gets resolved by Canadian courts.
And this is rich: “A bad actor not brought to justice and held to account for one act of fraud will surely commit another”
Code is contract and disputes are handled by the courts. There's no such thing as a purely extrajudicial contract, is there?
We have laws, yes.
My personal belief is that this was not fraud and "Code is Law" works. Yet, this guy is a perfect example of how intelligence and wisdom are not the same. He was clearly smart and dedicated enough to pull off this sort of trade successfully multiple times in a row, and probably all he had to do to get away with it was keeping his mouth shut. Or at the very least not get convicted by default on contempt of court charges by ignoring a court summons.
Court was outside its jurisdiction here. The fact that the case went forward shows that he was about to be railroaded by corrupt authorities.
Agree, but the wisdom here is in recognising that once you made $65m in seconds at someone else's expense they will try to recoup that amount by any means necessary.
He isn't working completely alone. He was able to borrow some "wisdom" and skedaddle.
It is a good example. Unfortunately most 18 year olds don’t possess a whole lot of wisdom yet. This guy was basically a kid when he did this.
Contract is code, you don't need anything anymore. It solves all the problem.
Something happens
We need to use the system which we want to replace...
One universal law is that if you steal from people with more money than you, you're screwed. And the more money they have, the worse off you are.
But on a serious note, whenever you read about some people that have either managed to outright steal crypto, or find some vulnerability which hasn't been legality tested...and they just pack their bags, hoping to live life free, forever after. It just seems so naive, too naive with how smart these individuals otherwise tend to be.
I think it is fair to say that once you'll cross a threshold, could be a million. could be 10 million. could be 50 million. All depends on who you've taken it from, you'll realistically be hunted for life.
The people that do get away with these things, are state sponsored operators - but they don't walk away with tens of millions in loot, either.
EDIT: Reading the article, this guy sounds like a real piece of work.
> One universal law is that if you steal from people with more money than you, you're screwed. And the more money they have, the worse off you are.
If someone has more money than you, you're screwed. Period.
This is how it works in the fascists world order, which is increasingly dominating these days.
If you want to know the future of humanity, just imagine a bot stamping on a human face forever.
I can't tell if this is a typo or not, and it's perfect.
It reminds me of the Sam Bankman-fried case, but it also quite different. SBF thought the abstractions would protect him from the law when he clearly was misleading investors and using code to abstract away his fraud. However, in this case, the code/fraud was presented and used as intended. While I believe SBF was innocent of defrauding his early investors who were foolish to trust such a system, he was guilty for other reasons.
Andean Medjedovic's case shouldn't have even made it to court and he had no obligation to leave his crypto or cashed out legal tender with some "custodian" and spend the next several years of his life as a beta tester for establishing case law. This wasn't just "code is law," more accurately, "under the stipulations of the contract, code is law."
Based on this article, it doesn't sound like he did anything illegal (initially). He saw an opportunity and took advantage of it not unlike high frequency trading in the late 90s/early 2000s. Decentralized markets operate in a space that's inherently risky -- if they don't want to get exploited, hire better engineers or get out of the game. Begging the government for help when you got bested isn't how decentralization works.
Previous thread,
https://news.ycombinator.com/item?id=31478795 ("The math prodigy whose hack upended DeFi won’t return funds" (2022) — 399 comments)
The entire space of smart contracts falls within the intended functionality of the systems that implement them, which make this particular use of them conceptually unlike things like buffer overflows.
Calling it a "hack" or an "attack" as this article does (while strawmanning the opposite case) is a deliberate attempt to muddy the waters, and is a failure of journalism.
Similar situation with two brothers that gained millions on Ethereum by coercing bots: https://www.arnoldporter.com/en/perspectives/blogs/enforceme...
"The house always wins," is the law he broke.
My favorite is one of the text files on the attacker's computer:
A file labeled "Decisions and Mistakes," in which he wrote, "Going On the run / Yes / Chance of getting caught<Payoff for not getting caught / (NA) / Risk is typically underpriced in modern world.
He should have accepted their offer of 10% as a bug bounty. Certainly crypto folk love to act like unregulated markets but this smells like market manipulation to my armchair education and even if the market tries to play both ways, the courts won't. I do hope that the Ontario court fights the extradition, because the American laws leveled at him seem bogus by Canadian standards (wire fraud, extortion and money laundering) but that tort case might be legit.
How this works in traditional finance is that the big funds would screw the small guy that beats them (especially if they're from a foreign country). They claim that they use unfair or illegal practices, but the reality is that they're not that different to their own.
Ultimately the rules are written by people who look legitimate, and/or those who capture regulators.
Placing trust on software is the root of all evil..
Wait, I thought cryptocurrencies aren't securities? Why are our tax dollars being spent investigating this? If they're not securities (like coinbase etc would like us to believe), then he didn't do anything wrong and there are no other rules - code is law. If they are securities, then why are there so many illegal exchanges operating in plain sight?
Once again, crypto folks are all about decentralization until someone outsmarts them, then they go crying to daddy government to bail them out.
Code is not law. Law is law.
law : code :: word problem : mathematical notation
:::goedel's incompleteness theorem
Has that been your experience interacting with the law?
You can't "steal" crypto; it's all just a scam that operates outside of the law.
I mean, sure, we can use the language of theft and crime figuratively, just like when we talk about animals. For instance, "the wolf stole a chicken from the coop".
The case of SBF suggests you can and it's not outside the law enough to prevent 25 years of jail.
[dead]
"Code is Law" is a profoundly immature idea, and I am surprised anyone other than children take it seriously. The law is not, and never has been, something that is read literally and taken at face value. This is the entire reason that judges and lawyers exist.
Saying "The code let me do it, so it should be legal" is a bit like if I leave a "free to a good home" sign on a plant pot outside my home, and it leans on my car. It does not mean you are permitted to take my car, no matter how "obvious" it seems to you that it should.
Someone who disagrees with you is a profoundly immature child?
Your analogy is confusing, you’re comparing a free plant on the roadside to 63 million dollars on a crypto exploit?
A lot of people who disagree with me also happen to be profoundly immature child. I didn't say that one follows from the other, you added that.
Not always, just in this case :-)
What's actually confusing in the analogy? Are you actually confused or just pretending? The point is that just because a sign says something under a literal reading, it doesn't mean that it's what was intended, or what's binding. If there's a piece of paper on my car saying "free to a good home", I probably didn't intend that you can take my car (or my house, or whatever). It's not very different to the fact that a 0-day exploit on your bank's web server does not entitle the thief to your money.
just in case though, I usually hang the sign on signposts in the public right of way in case someone tries to steal my car.