New York Times Commentary: When DeFi Incidents Are Frequent, Does "Code Is Law" Still Hold?
Author: Ephrat Livni
Original Title: "For Rules in Technology, the Challenge is to Balance Code and Law"
Compiled by: Richard Lee, Chain Catcher
About 20 years ago, Harvard Law Professor Lawrence Lessig first told computer scientists that they had unknowingly become regulators of the digital age, and he says it made a programmer cry. The programmer was terrified by the idea. "I'm not a politician, I'm a programmer," Professor Lessig recalled her protesting.
In his 1999 book, "Code and Other Laws of Cyberspace," Professor Lessig introduced the concept of "code is law." Now, this idea no longer shocks young engineers or lawyers, the professor said. For the generation of digital natives, it is clear that technology governs behavior through rules that are not value-neutral.
Large tech companies have reluctantly acknowledged this. The social media company Meta, formerly known as Facebook, even established a court-like expert panel to evaluate decisions made partly by algorithms. Meanwhile, a relatively young tech sector—the cryptocurrency industry—has fully embraced the concept of "code as law." Some crypto companies explicitly state that code can serve as a better arbiter than traditional regulatory bodies.
Many crypto enthusiasts are betting on a future scenario where we create, entertain, and work on platforms governed by code. In the thriving decentralized finance (DeFi) space, pre-programmed automated "smart contracts" handle billions of dollars in transactions daily without any human intervention, at least in theory.
Users place their confidence in the programming. No one shares personal information. Code does it all and becomes the entirety of the rules. "There is no human judgment, no human error, no processing. Everything is instantaneous and automatic," said Robert Leshner, founder of the DeFi lending protocol Compound, in an interview in August.
However, despite the appeal of building a fully neutral, automated system, multiple significant security incidents have raised doubts about whether "code itself is a sufficient form of regulation" or whether "it is immune to human error and manipulation."
Smart contracts execute automatically when certain conditions are met. Therefore, if there is an error in the system, users may technically follow the "rules" of the code while triggering an undeserved transfer—this is what happened when Poly Network was hacked for $600 million this summer. Poly Network allows users to transfer cryptocurrencies across chains. Reportedly, hackers exploited a flaw in the code to modify smart contract instructions that triggered a massive transfer of funds. Essentially, they tricked the automated system into running as if the proper conditions for the transfer had been met.
"If you can tell a smart contract 'give me all your money,' and it actually does, is that theft?" wrote Nicholas Weaver, a computer scientist at the University of California, Berkeley, in an article about the Poly Network hack. Weaver stated that unlike traditional protocols, the ambiguity of smart contracts cannot be resolved in court, and automated transactions are irreversible—thus, when things go wrong, developers must resort to "begging."
After the $600 million was stolen, Poly Network posted on Twitter a request letter starting with "Dear Hacker," asking them to return the funds and labeling the act as a "major economic crime." Ultimately, most of the funds were returned, and discussions about involving law enforcement ceased. The hacker claimed they wanted to demonstrate that the code had flaws to protect the project.
Similarly, in September this year, a software upgrade at Compound led to $90 million being mistakenly sent to users. Mr. Leshner stated that users who received the erroneous funds and did not return the cryptocurrency would be reported to tax authorities, a statement that sparked strong protests from the Compound community, as they did not accept the claim that "these programs technically cannot meet traditional regulatory requirements for identifying users." Leshner's request also undermined the argument that "DeFi does not need oversight from traditional regulatory bodies"—when problems arose, Mr. Leshner turned to government power.
Currently, DeFi platforms operate in a regulatory gray area, governed by rules written by private programmers who claim no control over the governance of the projects. Platforms and applications built on blockchain networks are often formed under a new business structure called "Decentralized Autonomous Organizations (DAOs)," which are ostensibly democratically managed by user communities voting with cryptocurrency tokens.
But as multiple incidents have shown, there are always people behind the code.
"What they claim, that 'everything is governed by code, with no human intervention,' is not entirely true. In emergencies, you can see where the power lies," said Thibault Schrepel, a law professor at the University of Amsterdam. Schrepel created a project called "computational antitrust" at Stanford University's CodeX Center for Legal Informatics.
Mr. Schrepel offered this analysis: "the reason no one wants to claim control over decentralized projects is that doing so reduces obligations—no one is in control, and when problems arise, there is no punishment, nor is there a place to enforce the law."
"But the idea that 'code itself is sufficient' is wrong," he said. Mr. Schrepel believes that if the blockchain community uses code to evade regulation, it will only hinder innovation.
Thibault Schrepel is part of a group of "techno-lawyers," a cohort seeking to bridge the gap between code and law. Schrepel stated that ideally, code and law can work in tandem. Businesses can use smart contracts on the blockchain to collaborate or enhance competition, allowing regulators to analyze code and programs and work with core developers of decentralized systems. Similarly, policymakers can begin to "translate" traditional concepts of "risk mitigation" into code in DeFi, converting banks' reserve requirements into project parameters.
"I wouldn't say it's easy to advance our ideas," said Chris Giancarlo, former chairman of the U.S. Commodity Futures Trading Commission and a lawyer at Willkie Farr & Gallagher.
He also asked, "Shouldn't we try to rethink our regulatory approach to achieve the same policy goals in different ways?" Giancarlo is also the author of "CryptoDad: The Fight for the Future of Money."
Mr. Lessig agrees. "We need a more sophisticated approach that brings technologists and lawyers alongside behavioral psychologists and economists," he said, with all these fields defining the program parameters of projects to embed the public values of society into the programs so that private interests do not replace them. "Our democracy is facing an existential threat, and we do not have 20 years to wait."