very pressed for time lately but I finally reviewed more info about the Harvest thing this morning

tldr: very hard to see how this constitutes 'hacking'

only plausible claim I can see is calling it "a manipulative device, scheme or artifice to defraud" under the CEA
even that would be a tough sell as there are many tricky open questions about the scope of that rule, which become even trickier in the smart contract context

who was defrauded? the smart contract itself? this wasn't luring people into making trades
you could try to argue there is some implicit legal contract about how Harvest vaults are supposed to be used and that the 'attacker's' conduct violated that contract, but this seems like a very arbitrary line-drawing exercise & I can raise all kinds of counterarguments:
e.g., many DeFi systems *rely* on/assume extrinsic arbitrage and I'm guessing Harvest implicitly does so as well (need to study up on it more)--certainly MakerDAO etc. do--so how do you legally distinguish the good kind of arb from the bad kind of arb?
the share prices are fluid by design, so it's not like you can easily say it 'breaches the implicit legal contract' that you bought fUSD at .97 USDC and redeemed it at .98 USDC
under hacking-type laws....this type of exploit does not involve 'unauthorized access' or 'causing damage to a protected computer' on any currently recognized interpretation of that type of verbiage
if you assume securities are involved, there could be securities law theories--but the arguments would similarly come down to fraud/manipulation just like the Commodities Exchange Act issues do
so, yeah, pretty much--this is a question of 'should this be deemed commodities spot market manipulation'? I do think there are reasonable arguments in favor of that...the manipulation of USDC : USDT ratios/price in yCurve was pretty blatant...
but if it truly must be *fraudulent* (as some courts have held re: CFTC enforcement actions), then you need a novel theory of fraud--because the only 'defrauded' 'person' is a smart contract...
contrast the typical situation where price manipulation is seen by traders and causes them to ape in or out...this was not that...no one relied on the as-manipulated price...they were already in the vaults, they did not enter them because of the changed price
so this requires either stretching the concept of fraud (perhaps based on idea that smart contract is agent of depositors, so if smart contract is defrauded, so are the depositors) or allowing for fraud-less anti-manipulation claims under CEA, both of which are debatable
one thing for sure--we have barely scratched the surface of the legal complexities of DeFi!
short-term takeaway for lawyers:

if, like me, you have a go-to list of issues used in contracts to define what constitutes something like a material adverse effect or force majeure re: smart contracts, it's probably time to add something like 'economic attack' to that list
You can follow @lex_node.