An LLM was used in the composition of this essay, but the thoughts remain my own.
After the DAO hack of 2017 it was clear that “code is law” wasn’t a workable concept, at least on Ethereum. But there was still an interesting possibility to be explored: an adversarially hardened blockchain.
The basic idea was that the community — builders and users alike — would explicitly agree that hacks were permissible since every exploit hardened the codebase for the greater good. In theory, if everyone signed up to that social contract, no‑one could complain when a vault was drained. It was just the cost of making the code more correct. I even had a draft blog post written about the topic.
But I just stumbled across an essay that has definitively changed my mind.
Addison Cameron‑Huff’s essay, The Sufficiency of the Common Law in Tackling the Challenges of DeFi, Stablecoins, and the New Economy, delivered the coup de grâce to any illusions of a code-is-law-based blockchain, at least for me.
Cameron-Huff begins by quoting a law review article written all the way back in 1890: The Right to Privacy by Brandeis & Warren.
“Political, social, and economic changes entail the recognition of new rights, and the common law, in its eternal youth, grows to meet the demands of society.”
In language more familiar to us, the common law is a 1,000‑year‑old adaptive protocol that auto‑updates whenever society discovers a new form of harm. No further statutes are required.
DeFi exploits are modern analogues to the centuries-old problem of traps left on a common footpath. Someone forged the code, seeded the liquidity, or profited from the booby-trap — just as someone once laid the steel jaws. That person can be found, named, and sued. Cameron-Huff stresses that the common-law toolkit needs only a defendant and a demonstrable loss; it is indifferent to whether the “device” is wrought iron or Solidity byte-code. Indeed, where vulnerabilities are injected deliberately to enable a later rug-pull, the actor’s intent simply aggravates liability — autonomous execution does not launder human purpose.
Building on Cameron-Huff’s essay it’s not hard to dream up an analogy for the exploitation of buggy logic. Here the hacker is akin to a homeowner who burns down their own house to collect the payout. It is immaterial whether the insurance contract includes an arson clause or not, since this harm is so obviously a perversion of the purpose of insurance. Any reasonable person — the common law’s benchmark for judging the acceptability of an action — would recognise it as wrongful the moment the match is struck.
It might be the case that thefts in the DeFi space are not as enforceable as the well-trodden analogues of everyday life. But this does not mean DeFi is a lawless “wild west”. As Cameron-Huff puts it, “the common law is always available to be used.” Courts may be under-funded or slow, but that is an enforcement bottleneck — not proof that no rules apply. From medieval trespass to Brandeis & Warren’s 1890 privacy essay, the common law has persistently sprouted new duties whenever society spots a new species of harm. The frontier sheriff already exists: tort law, equity, and restitution, waiting for a plaintiff to file.
Skeptics argue that cross-border smart-contract exploits outstrip any court’s reach. Cameron-Huff replies that trans-jurisdictional conundrums are as old as seafaring trade. Conflict-of-laws doctrine grew up to reconcile injuries that spanned kingdoms, colonies, and telegraph lines; it now turns to blockchains with the same tools. The venue may shift from grain cargoes to liquidity pools, but the principle endures: when harm crosses borders, so can remedies.
The two stand-out problems with a “hacks are permissible” social contract are:
Perfect unanimous consent is impossible. Even if 100% of today’s users tick the box, tomorrow’s joiners haven’t, and yesterday’s may claim they never grasped the full implications.
Agreement can evaporate the moment real people lose money. Once harm is obvious, common law treats prior “consent” like any other contract defence: void if unconscionable, coerced, or rooted in a fundamental misunderstanding.
So if a hack inflicts clear loss, the fact that the victims once “agreed to the rules” is likely immaterial; restitution becomes the righteous — and legally available — response.
Picture a well-audited AMM; despite that diligence, a cunning attacker discovers an esoteric edge case and withdraws funds until the pool is dry. Liquidity providers wake up to shrunken balances, and DAO treasuries see their runway evaporate. Common law principles will zero in on the attacker:
Did the hacker intentionally interfere with property that wasn’t theirs?
Was that interference unlawful — i.e., beyond the scope of any licence implied by “permissionless” access?
Did the interference inflict a measurable financial loss on others?
When those answers come back yes-yes-yes, the exploit is conversion or fraud — an actionable wrong regardless of how impeccably the Solidity was written.
Adversarial hardening still matters: it is far better that hackers not be able to steal funds in the first place, even if legal means would eventually restore them to their rightful owners.
But the ethical way to fund it is through bug bounties — not by letting users absorb losses as “tuition.” Users harmed by unforeseen exploits must be made whole; the bounty should come from the project, not the victims.
The common law’s evergreen mandate — ubi jus ibi remedium (“where there is a right, there is a remedy”) — ensures that when code falls short, a remedy will emerge. Far from stifling innovation, this living body of precedent is the safety net that lets us experiment without abandoning the humans who make the experiment worthwhile.