Here is a fun Bloomberg Businessweek story about a guy named Andean Medjedovic who hacked a decentralized finance project called Indexed Finance, taking about $16 million in a series of trades that (1) were allowed by Indexed’s smart contracts but (2) Indexed’s founders clearly didn’t intend to allow. So they sued:
On Dec. 9, nearly two months after the attack, Kellar and Day filed a lawsuit against Medjedovic in Ontario, arguing that his actions amounted to fraud and that he should be forced to return the tokens to their original owners. …
In their complaint, lawyers for Kellar and Day argued that two particular steps of the attack violated statutes against market manipulation and computer hacking. One was swapping almost all the UNI tokens out of the DEFI5 pool, the otherwise irrational trade that distorted the pricing such that Medjedovic could buy tokens out from under Indexed users, who were forced by the algorithm to sell. “The only purpose of that trade was to mislead token holders to part with tokens on terms they never would have agreed to,” says Stephen Aylward, a lawyer representing Kellar and Day. “We say that’s a form of market manipulation.” The same argument applied to Medjedovic’s interaction with the CC10 pool.
The second illegal transaction, they argued, was when Medjedovic overwhelmed the pool with free Sushi, thereby tricking the algorithm into letting him bypass the size limit on certain trades. Aylward calls this “an intentional act by Andean to disable a security measure, like disabling the security system at a bank.” He argues that this falls under Canada’s “extremely broad” legal definition of a hack, which can be interpreted as “subverting the intended purpose of a computer system.”
Medjedovic hasn’t officially responded to either suit; he told me he doesn’t even have a lawyer in Ontario. But in our email exchanges, he argued that he’d executed a perfectly legal series of trades. Nothing he did “involves getting access to a system I was not allowed access into,” he said. “I did not steal anyone’s private keys. I interacted with the smart contract according to its very own publicly available rules. The people who lost internet tokens in this trade were other people seeking to use the smart contract to their own advantage and taking on risky trading positions that they, apparently, did not fully understand.” Medjedovic added that he’d taken on “substantial risk” in pursuing this strategy. If he’d failed he would have lost “a pretty large chunk of my portfolio.”
Don’t worry too much about the details there. The point is that Medjedovic did a couple of individually irrational transactions (buying UNI tokens for much more than the market price, selling Sushi tokens for much less than the market price) in order to manipulate the contract to give him more money. Is that market manipulation? Sure, I dunno, why not; if you do that in the US stock market then the Securities and Exchange Commission will at least look into it. A hallmark of market manipulation is doing an individually irrational trade in one place in order to make money somewhere else. That isn’t a definition of market manipulation — it is not illegal to do irrational trades — but it is a rough guide to recognizing market manipulation.
On the other hand he didn’t do this in the stock market, the precedents here are slim, and, as he says, he “interacted with the smart contract according to its very own publicly available rules.” The subjective meaning of the smart contract and the objective code of the smart contract were different. I think it is possible for a judge — or for you and me — to know what the subjective meaning was, to conclude “whatever the smart contract actually allows, it wasn’t supposed to allow this.” But in the crypto world there are still, even now, code-is-law types who think that the only thing a smart contract could mean is what it says. In the crypto world, it is not at all clear that Medjedovic did anything wrong.