The third article in our Blockchain and the Law
On 17 June 2016, USD 60 million was siphoned from Ethereum's
first decentralised autonomous organisation (DAO). The affected DAO
is simply (albeit confusingly) called "The DAO", a
digital, autonomously run investment fund which, like traditional
mutual funds, allows investors or "members" to purchase
shares and enjoy returns based on its performance. As part of the
heist, the attacker shifted the ether to a "Child DAO", a
kind of subsidiary of The DAO itself. For now, the ether remains in
the Child DAO and in accordance with its programming, cannot be
used for 28 days from the date of the attack. Members of the Ethereum
and broader blockchain communities are emphasising that the
exploited vulnerability was in the coding of a smart contract within
The DAO; the underlying Ethereum platform (as well as blockchain
technology) is, they say, faultless in the incident.
Liability and insurance issues
From a liability and insurance perspective, the incident
demonstrates a real-life example of the sorts of issues we have
previously raised around this technology. Who bears
the liability or risk for the loss in cases like this? While the
answer of course depends on explicit agreements between the parties
(captured in the smart contract or underlying traditional
contracts), many have pointed out that the legal status of DAOs is
Will programmers who write flawed code have to respond to
negligence claims brought by members of DAOs? Who can be insured
against such liability? If insured, can insurers who pay out
relevant insureds bring a subrogated claim in negligence against
those coders or others? What is the true classification of an
attacker's conduct in such circumstances? While embezzlement
and misappropriation of funds are familiar crimes in traditional
company law, this analogous situation occurs in the unregulated
realm of smart contracts and DAOs.
Next, if liability could be determined with confidence,
jurisdictional issues surface. DAOs do not exist on one server
within one jurisdiction; rather, as the name suggests, they are
decentralised and operate across many. So where would a claimant
commence an action against a particular DAO? And who, if anyone,
would represent it? What could be the extent of their
The attack also raises issues around the regulation of DAOs. If
DAOs are to become common investment vehicles, will they eventually
be subject to regulation in the same way as other financial
products upon which livelihoods depend? While blockchain technology
itself is still considered highly secure, The DAO attack shows that
individual smart contracts operating upon blockchains may still be
vulnerable. From an insurer's perspective, where insureds
participate in DAOs, is it time to consider appropriate premium
pricing where policies protect against theft or loss arising out of
third party negligence?
The questions fast become dizzying and, rather than leading to
answers, each only seems to raise further issues. Some in the
blockchain community will argue that such a traditional analysis of
liability and the law is misplaced, and serves only to subject the
technology to the oversight of the very establishment they were
formed in response to. At any rate, if aspects of a case like this
are litigated, courts may provide some much needed clarification
and guidance on how we should view these entities and their
While The DAO attack may in hindsight be viewed as a mere
teething problem for the wider adoption of smart contracts, it has
reminded stakeholders that the robustness of the blockchain
architecture itself may not always prevent security breaches of
flawed smart contracts.
For the moment, the community (and some outside it) will keenly
follow any fallout from the attack. Some will hope that any
resulting legal disputes may give rise to the first judicial
commentary on blockchain and its related technologies.