Transactional Scripts in Contract Stacks

University of Minnesota Law School University of Minnesota Law School

Scholarship Repository Scholarship Repository

Minnesota Law Review

2020

Transactional Scripts in Contract Stacks Transactional Scripts in Contract Stacks

Shaanan Cohney Hoffman, David A.

Follow this and additional works at: https://scholarship.law.umn.edu/mlr

Part of the Law Commons

Recommended Citation Recommended Citation Cohney, Shaanan Hoffman, David A., "Transactional Scripts in Contract Stacks" (2020). Minnesota Law Review. 3226. https://scholarship.law.umn.edu/mlr/3226

This Article is brought to you for free and open access by the University of Minnesota Law School. It has been accepted for inclusion in Minnesota Law Review collection by an authorized administrator of the Scholarship Repository. For more information, please contact [email protected].

https://scholarship.law.umn.edu/

https://scholarship.law.umn.edu/mlr

https://scholarship.law.umn.edu/mlr?utm_source=scholarship.law.umn.edu%2Fmlr%2F3226&utm_medium=PDF&utm_campaign=PDFCoverPages

http://network.bepress.com/hgg/discipline/578?utm_source=scholarship.law.umn.edu%2Fmlr%2F3226&utm_medium=PDF&utm_campaign=PDFCoverPages

https://scholarship.law.umn.edu/mlr/3226?utm_source=scholarship.law.umn.edu%2Fmlr%2F3226&utm_medium=PDF&utm_campaign=PDFCoverPages

mailto:[email protected]

319

Article

TransactionalScriptsinContractStacks

ShaananCohney†andDavidA.Hoffman††

Introduction............................................................................................................320 I.DesigningExpensive,BuggyScripts........................................................328

A. How(Commercial)CodingWorks...............................................328 B. AnIntroductiontotheBlockchainPlatform............................331 C. EthereumandScripting....................................................................335 D. CodingonEthereum...........................................................................341 E. Summary.................................................................................................346

II.TransactionalScriptsintheRealWorld..............................................348 A. Tokens......................................................................................................348 B. Exchanges...............................................................................................351 C. Oracles......................................................................................................354

III.ScriptsandStacks.........................................................................................358 A. TheCanonicalStack............................................................................362 B. TensionsWithintheStack...............................................................368 C. RecapitulatingtheCanons:QuoineandNon-Public

Scripts.......................................................................................................385 IV.TheFutureoftheContractStack...........................................................386

† Ph.D., Postdoctoral ResearchAssociate, Center for InformationTechnologyPolicy,PrincetonUniversity.Copyright©2020byShaananCohney.

†† ProfessorofLaw,UniversityofPennsylvaniaLawSchool.WethankAlexanderAltieri andChrissyPak for researchassistance, andYonathanArbel,BridgetFahey,James Grimmelmann, Greg Klass, Raina Haque, Bob Hillman, Drew Hinkes, CathyHwang,GabeKaptchuk,MaxRaskin,ElizabethPollman,GabeShapiro,JeremySklaroff,TimSwanson,AndreaTosato,AlecWebley,KevinWerbach,TalZarsky,EyalZamir,andparticipantsatworkshopsatAlabama,Penn,andUtahforcomments.ThisworkwassupportedinpartbygrantsfromtheRippleResearchFundattheWhartonSchoolandatthePrincetonCenterforITPolicy.Copyright©2020byDavidA.Hoffman.

320 MINNESOTALAWREVIEW [105:319

INTRODUCTIONInearly2019,agroupofpeoplefoundedEdgeware,ablockchain-

based platformdesigned to host software development.1Edgewaremadepotentialusersadeal:iftheyagreedtotemporarilysequestersomecryptocurrency(essentially,placinganinitialinvestmentines-crow),they’dgaingovernancerightsovertheplatformatalaterdate.2Themechanismforthatinvestmentwasapieceofcarefully-auditedsoftware, called “Lockdrop,”whichwas deployed on a blockchain.3Lockdropseemedtoembodyandconstituteanovelcontractingtech-nology,writteninaprogramminglanguage(Solidity)thatdidn’tevenexistadecadeago.4

ByJulyof2019,investorscommittednearly$300,000,000totheprojectusingLockdrop.5Thensomeonelookedwithparticularcareatthefollowingpieceofcode:6

assert(address(lockAddr).balance==msg.value);Asitturnsout,thislinewassusceptibletoasoftwarehackthat

wouldhavepermanentlyimpoundedinvestorassets.7Luckily,theer-rorwasdiscoveredbeforeitcausedharm.But,asthecoderwhodis-coveredthevulnerabilityputit,“smartcontractsaresoftware.Evencarefullyaudited,well tested softwarewill (almostalways) containbugs.Therefore,anddespiteourbestefforts...Smartcontractswill

1. COMMONWEALTHLABS,EDGEWARE:ANADAPTIVESMART-CONTRACTBLOCKCHAIN1(2019)[hereinafterEDGEWAREWHITEPAPER],https://arena-attachments.s3.amazonaws.com/3850782/1928e31873075de95992d4987eb14a2e.pdf?1552432633[https://perma.cc/J3GP-ERC4]. 2. Seeid.at5(“EDGentitlesholdersbothstakingandvotingrights....”).Foranintroductiontocryptocurrencies,seeShaananCohney,DavidHoffman,JeremySklaroff&DavidWishnick,Coin-OperatedCapitalism,119COLUM.L.REV.591,603–05(2019).SeealsoDAVIDFOX&SARAHGREEN,CRYPTOCURRENCIESINPUBLICANDPRIVATELAW(2019). 3. Certificate of Smart ContractAudit for Edge-Lockdrop,QUANTSTAMP (Apr. 8,2019), https://arena-attachments.s3.amazonaws.com/4282493/a155dc84aa1dfba4cfd3dc6be1e1ebdc.pdf?1557965252[https://perma.cc/UPC5-ZUPT]. 4. Id.(notingthatLockdropusedSolidityprogramminglanguage). 5. NeilMcLaren,Gridlock(ASmartContractBug),MEDIUM(July1,2019),https://medium.com/@nmcl/gridlock-a-smart-contract-bug-73b8310608a9 [https://perma.cc/V2G2-WT9L](“Edgeware’sLockdropsmartcontracthasprocessedover$900mil-lionofETHandlockedupover$290million.”). 6. Id. 7. Iftheattackerdesignatedcryptocurrencytothenextlockaddress,thetotalbalancewouldexceed theamount sentbyLockdrop, causing the check to fail.Thiswouldfreezethesequesteringprocesspermanentlyinplace.

2020] TRANSACTIONALSCRIPTS 321

(almostalways)containbugs!”8Thequestionweaskinthispaperissimple:cancontract lawmakesenseof intractablebugs in transac-tionalcode?Theanswerislikewisesimple:yes.

Buttotheirpromoters,evenbuggy“smartcontracts”likeLock-droparethevanguardofarevolution,heraldinganageinwhichcodewilldeposebothcontracttheoryandpractice.9Enthusiastsarguethatwhen contracts are embodied and performed by code, contractingcosts(likenegotiation,monitoring,andperformance)willfall.Betterstill,partieswon’tneedtotrusteachother,orcourts,tobeassuredthatthey’llgetwhattheybargainedfor.Theresult:“smartcontracts”areofferedasapotentialsolutiontoanastoundingvarietyofbusinessandsocialproblems.Theymaytransforminsurance,10financialderiv-atives,11consumerprotection,12corporategovernance,13tax filing,14voting, 15 supply chain management, 16 bankruptcy, 17 property

8. McLaren,supranote5. 9. Cf.PrimaveraDeFilippi&SamerHassan,BlockchainTechnologyasaRegula-toryTechnology:FromCodeIsLawtoLawIsCode,FIRSTMONDAY(Dec.5,2016),https://firstmonday.org/ojs/index.php/fm/article/view/7113/5657[https://perma.cc/2PX9-8C4K] (“Whatmakes theblockchaindifferent fromother technologies is thatsmartcontractsareactuallymeanttoreplacelegalcontracts.”);MarkVerstraete,TheStakesofSmartContracts,50LOY.U.CHI.L.J.743,743(2019)(“Themostardentsup-portersofsmartcontracts...claimthatsmartcontractsmightreplacelargeswathsofthetraditionalcontractsystem.”). 10. SmartContracts:10UseCasesforBusiness,AMBISAFE,https://ambisafe.com/blog/smart-contracts-10-use-cases-business[https://perma.cc/S9WA-FHMM]. 11. SeegenerallyINT’LSWAPS&DERIVATIVESASS’N,LEGALGUIDELINESFORSMARTDE-RIVATIVES CONTRACTS: INTRODUCTION (2019), https://www.isda.org/a/MhgME/Legal-Guidelines-for-Smart-Derivatives-Contracts-Introduction.pdf[https://perma.cc/N5XN-J5KQ]. 12. See generally Joshua Fairfield,Smart Contracts, Bitcoin Bots, and ConsumerProtection,71WASH.&LEEL.REV.ONLINE35(2014). 13. FiammettaS.Piazza,BitcoinandtheBlockchainasPossibleCorporateGovern-anceTools:StrengthsandWeaknesses,5PA.ST.J.L.&INT’LAFFS.262,282–86(2017). 14. ValentineP.Vishnevsky&ViktoriiaD.Chekina,Robotvs.TaxInspectororHowtheFourthIndustrialRevolutionWillChangetheTaxSystem:AReviewofProblemsandSolutions,4J.TAXREFORM6,20(2018). 15. SeeTsuiS.Ng,BlockchainandBeyond:SmartContracts,A.B.A.BUS.L.TODAY(Sept.28,2017),https://www.americanbar.org/groups/business_law/publications/blt/2017/09/09_ng [https://perma.cc/MD66-A7V4] (“Governmentsmay use smartcontractstomanage...e-voting.”). 16. SeegenerallyHorstTreiblmaier,TheImpactoftheBlockchainontheSupplyChain: A Theory-Based Research Framework and a Call for Action, 23 SUPPLYCHAINMGMT.INT’LJ.545(2018). 17. SeegenerallyAlanRosenberg,AutomaticContractsandtheAutomaticStay:APrimeron“SmartContracts”inBankruptcy,38AM.BANKR.INST.J.18(2019).


rights,18andrepossessionthroughtheinternetofthings.19Butthere’smore.Jurisprudence—inthesenseofthefundamentalutilityofcon-tractdoctrine—isonthechoppingblock.20Formany,smartcontractsarethefirsttransformativelegalinnovationofthemillennium.21

Perhaps inevitably, “smart contracts,” a term that connotesmoney, computers, andmodernity, has invited a stampede of com-mentatorstospeculateaboutawidevarietyofpossiblecontractingtechnologies.22Manymarvelattheinnovationassomekindofutopiansimulacra: 23 an immutable, 24 transparent exchange, 25 occurring

18. See,e.g.,MichaelCasey,CouldBlockchainTechnologyHelptheWorld’sPoor?,WORLDECON.F.AGENDA(Mar.9,2016),https://www.weforum.org/agenda/2016/03/could-blockchain-technology-help-the-worlds-poor[https://perma.cc/4U9N-4S2F]. 19. Forthecanonicaldescription,seeJeremyM.Sklaroff,Comment,SmartCon-tractsandtheCostofInflexibility,166U.PA.L.REV.263,271–78(2017). 20. Fora lucidreview,seegenerallyMarcoDell’Erba,DemystifyingTechnology:DoSmartContractsRequireaNewLegalFramework?RegulatoryFragmentation,Self-Regulation,PublicRegulation,U.PA.J.L.&PUB.AFFS.(forthcoming2020),https://pa-pers.ssrn.com/sol3/papers.cfm?abstract_id=3228445[https://perma.cc./48NP-CWX7]. 21. See,e.g.,AlexanderSavelyev,ContractLaw2.0:“Smart”ContractsastheBegin-ningoftheEndofClassicContractLaw,26INFO.&COMMC’NTECH.L.116(2017);seealsoWhatisEthereum?,ETHERSCRIPTER,https://etherscripter.com/what_is_ethereum.html[https://perma.cc/LV8P-6BJD] (describing popular smart contract Ethereum as “anewkindoflaw”thatcanbe“perfectlyobservedandenforced”). 22. Thefishrotsfromthehead.SeeNICKSZABO,SMARTCONTRACTS:BUILDINGBLOCKSFOR DIGITAL MARKETS 1 (1996), http://www.truevaluemetrics.org/DBpdfs/Block-Chain/Nick-Szabo-Smart-Contracts-Building-Blocks-for-Digital-Markets-1996-14591.pdf [https://perma.cc/6BAR-V45A](definingsmartcontractsas“asetofpromises,specifiedindigitalform,includingprotocolswithinwhichthepartiesperformonthesepromises”).Inrecentyears,Szabohasvociferouslydefendedtheterm.See,e.g.,NickSzabo (@NickSzabo4), TWITTER (Oct. 14, 2018, 6:38 PM), https://twitter.com/NickSzabo4/status/1051603179526270976[https://perma.cc/5HC7-D95Z](“‘Smartcontract’isaveryusefulconcept&phrase.‘Smart’asin‘smartphone’(shorthandforcomputerizedphone),‘contract’meaningitdoessomeimportantthingswepreviouslyreliedoncontractstodoforourdeals,especiallycontrollingassets&incentivizingper-formance.”). 23. FrankPasquale,ARuleofPersons,NotMachines:TheLimitsofLegalAutoma-tion,87GEO.WASH.L.REV.1,24–25(2019). 24. JeffreyM.Lipshaw,ThePersistenceof“Dumb”Contracts,2STAN.J.BLOCKCHAINL.&POL’Y1,24(2019)(statingthatthekeycharacteristicsofsmartcontracts,“inad-ditiontoconsensus,includeimmutabilityandfinalityfromthetimetheyarecreatedandgoingforward”). 25. AdamJ.Kolber,Not-So-SmartBlockchainContractsandArtificialResponsibil-ity,21STAN.TECH.L.REV.198,208(2018)(“SinceEthereumsmartcontractsconsistofparticularcomputercodeonadecentralizedblockchain,itiseasytoverifyprogramexecution.”).


through“consensus,”thatis“self-executing”26or“automated.”27Withthatcapaciousdefinitioninmind,isthechipinyourVisaCardpartofasmartcontractnetwork?ThecodecomprisingtheVenmoApp?YourMetrocard?28Ifwecan’tunderstand thescopeof thisphenomenon,howcanwefairlyevaluatetheriskitposes,orthebenefitsitpromises,toourcommercialandsociallife?

Smartcontracts’flabbymeaningisnotthisArticle’sprecisetar-get.29Ratherweofferafocuseddescriptionofthemostcelebratedas-pectoftheunderlyingtechnologyanditsrelationshiptolegalorder.We’ll startby introducing anew term thatwe think captureswhatmostpeopleinthisfieldthinkofwhentheyconsider“smartcontracts”as theyarecurrentlydeployed.Wenameanddescribe the transac-tional script.30Here is a parsimonious definition (thatwe’ll unpacklater):31

Atransactionalscriptisapersistentpieceofsoftwareresidingonapublicblockchain.Whenexecutedasapartofanexchange,thecodeeffectuatesaconsensuschangetothestateofaledger.

26. ProfessorsKevinWerbachandNicolasCornellarguethatsmartcontractsaredistinctivebecause“juridicalforumsarepowerlesstostoptheexecutionofsmartcon-tracts—there isno room tobringanaction forbreachwhenbreach is impossible.”KevinWerbach&NicolasCornell,ContractsExMachina,67DUKEL.J.313,332(2017);seealsoAmy J. Schmitz&ColinRule,OnlineDisputeResolution for SmartContracts,2019J.DISP.RESOL.103,106,107,113(describingsmartcontractsas“self-enforcing,”“self-governing,”andwith“noambiguityaroundtheparties’obligations”). 27. ChristopherD. Clack,VikramA. Bakshi& LeeBraine, Smart Contract Tem-plates:Foundations,DesignLandscapeandResearchDirections2(Mar.15,2017)(un-publishedmanuscript),ARXIV:1608.00771;seealsoMaxRaskin,TheLawandLegalityofSmartContracts,1GEO.L.TECH.REV.305,309(2017)(“Asmartcontractisanagree-mentwhoseexecutionisautomated.”). 28. SeeKolber,supranote25. 29. Cf. Ed Felten, Smart Contracts: Neither Smart nor Contracts?, FREEDOM TOTINKER(Feb.20,2017),https://freedom-to-tinker.com/2017/02/20/smart-contracts-neither-smart-not-contracts[https://perma.cc/NZ2Q-GFHE]. 30. Foradefinitionofsmartcontractsthattrackswithourtransactionalscript,see Carla L. Reyes, If RockefellerWere a Coder, 87 GEO.WASH.L.REV. 373, 383–84(2019),whichstatesthat:

Theterm“smartcontract”referstodecentralizedcomputercodethatrunsonaDLTprotocolandmanifestssomecombinationofthefollowingcharac-teristics:exertssomecontroloverassetsdigitallyrecordedonaDLTproto-col,takessomeactionuponreceiptofspecifieddata,isoften,butnotalways,partofaDLT-basedapplication,guaranteesexecution,andwritestheresult-ing state change from the operation of the smart contract into the DLT’sledger.

31. Cf.PeterG.L.Hunn,SmartContractsasTechno-LegalRegulation,7J.ICTSTAND-ARDIZATION269,275(2019)(focusingon“adeterministicstatemachine”anda“con-sensusprotocol”thatprovidesagreement“onthesamesequenceofoperations”).


Westressthatourfocus—forthemoment—isnarrowerthanalldigitizedexchanges,32orevenalldealsaccomplishedthroughblock-chain-styleledgers.33Thatis,transactionalscriptssitatthecoreoftherapidlyexpandinggroupofthingscalled“smartcontracts,”butdonotencompass the whole field. Crucially, transactional scripts are ex-changesthatoperateinpublic—indeed,theyarevaluableinlargepartbecausetheirresolutionmustbeagreedtobymultipledifferententi-ties,jointlyoperatingonanoperatingsystemwithfixedandtranslu-centrules.

Transactionalscriptsareastrikinglegalinnovationandmuchofthecurrentinterestinsmartcontractsinfactregardsthem.34Butlaw(andlawyers’)roleinthecreationandexecutionofscriptsisunclear.Even apart from the performative techno-libertarian claims aboutlaw’sabnegation,manyscriptingprojectsaremissingmanyoftheac-coutrements of transactional law. More plainly put, currently de-ployedtransactionalscripts—thosethatareexposingrealpeopletofinancialandpersonalrisks—oftenrelyonthecodealoneastheirpri-maryrisk-allocationmechanism.Andthecodeerrs.

IntheEdgewareproject,noneofthegovernancepromiseswereexpressed in a natural language “contract” as we understand thatterm,eveninthedigitalsphere,as inaclick-wrapagreement.Theyexistedratherina“whitepaper”—aself-publisheddocumentwithno

32. Foratremendoussurveyofdigitizedexchanges,seeHarrySurden,Computa-bleContracts,46U.C.DAVISL.REV.629(2012).Surdendiscusses“autonomouscomput-ablecontracting”onlybriefly.Id.at694–95. 33. The reader would benefit from reading the following excellent works onscripts (broadly defined): Sklaroff, supra note 19; J.G. Allen,Wrapped and Stacked:“SmartContracts”andthe InteractionofNaturalandFormalLanguage,14EUR.REV.CONT.L.307(2018);Werbach&Cornell,supranote26;KarenE.C.Levy,Book-Smart,NotStreet-Smart:Blockchain-BasedSmartContractsandtheSocialWorkingsofLaw,3ENGAGINGSCI.TECH.&SOC’Y1(2017);JamesGrimmelmann,AllSmartContractsAreAm-biguous,2 J.L.&INNOVATION1 (2019);PRIMAVERADEFILIPPI&AARONWRIGHT,BLOCK-CHAINANDTHELAW:THERULEOFCODE(2018);JonathanRohr,SmartContractsinTradi-tionalContractLaw,or:TheLawoftheVendingMachine,67CLEV.ST.L.REV.67(2019);EdmundSchuster,CloudCryptoLand,MOD.L.REV.(forthcoming2020)(manuscriptat23–25),https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3476678[http://perma.cc/YAY3-TA63]. 34. SeeGlobalSmartContractsMarket,MKT.RSCH.FUTURE,https://www.market-researchfuture.com/reports/smart-contracts-market-4588[https://perma.cc/F3DN-L98D](“Theglobalsmartcontractsmarket isexpected toreachapproximately300USDMillionbytheendof2023....”);cf.VentureCapitalFirmsGoDeepandWidewithBlockchain Investments, DIAR (Oct. 1, 2018), https://diar.co/volume-2-issue-39[https://perma.cc/V6Q2-ZLVR](“[I]njust...threequartersof2018,blockchainandcrypto companies have raised nearly 3.9Bn through traditional VC—280% more[than]lastyear....”).


standardformanduntestedlegaleffect.35Thatwhitepaperstatesthatuserswillreceive“[d]ownsideprotection”inthecaseofa“maliciousattack or exploit,” anddescribes the lockdrop contract as a failsafetechnique.36Moreover,thepromoterssuggestthatitwouldbeimpos-sible to falsely claim ownership for an address.37 Needless to say,theserepresentationsdonotmatchtherealityofwhatthebuggycodedelivered.But,equallyobviously,sincethecodewaspublic,itslatenterrors were also theoretically knowable, at least to sophisticatedcounterparties.

Otherexamplesofcodingerrorsandoversightsabound—includ-ingthenowinfamousDAOhack,whichwewilldiscusslater.38Inmanycases,thelosersofcodingerrorshavepaidoffthewinnerstoundotransactions.39Suchsettlementsoccurintheveryindistinctshadowoflaw:thereisn’tabodyofcasesthatdirectlyaddressthequestionofwhathappenswhentransactionalscriptsgowrong.40Theacademicliteraturetoohaslargelydownplayedtheroleandcapabilitiesoflawinresolvingtransactionalscriptsgonewrong.41

Eventhemostsophisticatedtreatmentsintheliteraturelargelyfocus on what happens when scripts accomplish their promisedaims.42Somearguethatthetechnologyissimplyincapableofthesorts

35. EDGEWAREWHITEPAPER,supranote1,at9–15. 36. Id.at6–7. 37. Id.at11–12(“Uponinspection[ofthetransactionhash],averifiershouldhaveenoughproofthatiftheownerofthe...accountdidnotalsoowntherecipientEdge-wareaccount(representedasthetargetaddress...),thentheywouldnotissuesuchatransaction.”). 38. Seeinfratextaccompanyingnotes276–79. 39. The literaturehasnoted thatoften firmspricebugbounties too lowwhencomparedwiththeirafter-market(andillegitimate)use.LorenzBreidenbach,PhilipDaian,FlorianTramer&AriJuels,EntertheHydra:TowardsPrincipledBugBountiesandExploit-ResistantSmartContracts,27PROC.USENIXSEC.SYMP.1335,1335(2018).It isdifficulttoknowhowcommonself-helpis intheworldoftransactionalscripts.Victimshavelittleincentivetopublicizetheirfailuretowritebettercode,whilesuc-cessfulattackersmaywishtoavoidpublicrenown(ifnotthetaxauthorities). 40. See, e.g., LaurenHenryScholz,AlgorithmicContracts, 20STAN.TECH.L.REV.128,141(2017)(discussingtheapplicationofcontractandagencylawtoalgorithmiccontractsandnotinglackofcaselaw). 41. Cf.Dell’Erba,supranote20(manuscriptat21)(“Itcouldbethattheremaybeabuginthecodeorthatthepartiesmayreconsiderwhattheywant.”). 42. CompareWerbach&Cornell, supranote26,at350–64(thingsgoingwell),withid.at365–67(notaswell).


oferrorthatlawcaresabout:the“[c]odetypicallyentailsnoambigu-ity,andnovariantinterpretationispossible.”43Otherslamentthatbe-causetheblockchaincodeisself-contained,itcontainsnoplacewithinitfor“defaultlaw”toexist.44Worse,evenifthereareplacesforlaw’stoolstohavepurchase,jurists“maynotbeabletohypothesizearea-sonablehuman’sinterpretationofagivensmartcontract.”45

Suchhandwavingisanunwarranted,andultimatelyunworkable,surrenderofthelaw’sroleinadjudicatingdisputes.Codethatembod-ies commercially-significant scriptswill inevitably containambigui-ties,anddisappointedpartieswillaskjudgestoadjudicatetheirrights.Atthebasiclevel,asJamesGrimmelmannhasrecentlyobserved,the“meaningofanyspecificprogramrestsonafoundationofsomeprioragreementabouthowtointerpretsomelargerclassofprograms.”46Heconcludesthatwhiletheremaybefewersuperficialexamplesofinterpretativegapsinformalcode,“whenthebottomdropsout,itcanreallydropout.”47It’sthenthatlawwillbeaskedtostepinandpro-viderationalandpredictablesolutions,whichwillalmostcertainlybedevelopedbyanalogytooff-chainexchanges.

Butanalogiescandeceive.Whereasscholarsandjuristswhocon-frontquestionsaboutordinarywrittencontractshaveadeepworkingknowledgeofhowsuchexchangesfunction,transactionalscriptsarefunctionallyinnovativeandthelegalcommunityhasyettocoalescearoundevenabasicunderstandingofwhattheyare, letalonewhattheydo.What’sneeded,then,isaworkingknowledgeofthewaysinwhichthevocabularyandfunctioningofthecodeitselfcancreatedis-connects between the intent of the humans coding transactionalscripts and the code’s function.48Describing the plumbing of thesephenomenaisthefirstcontributionofthisArticle,andoccupiesPartI.Wemaketwofundamentalobservations.

43. WulfA.Kaal&CraigCalcaterra,CryptoTransactionDisputeResolution,73BUS.LAW.109,136n.94(2017–2018). 44. UshaR.Rodrigues,LawandtheBlockchain,104IOWAL.REV.679,682(2019)(“Becausethesmart‘contract’iscodealone,thereisnogap,inthesenseofanentrypoint,forthelawtostepintofill.”). 45. Kaal&Calcaterra,supranote43,at136;Schmitz&Rule,supranote26,at103(“Thosewith no coding background cannot easily interpret a smart contract in itsrawestform.”). 46. Grimmelmann,supranote33,at12. 47. Id.at20(“Therelevantcommunitycanredefinetheprogramminglanguageinawaythatradicallyaltersthemeaningofprogramswritteninit.”). 48. Ontheproblemscausedbyblockchainjargon,seeAngelaWalch,Blockchain’sTreacherousVocabulary:OneMoreChallengeforRegulators,J.INTERNETL.,Aug.2017,at1.


First,thesoftwarelanguagedevelopmentenvironmentofalmostallextant transactionalscriptshas features (andentailsuncommonpractices)whichmakecodingerrors,andgapsbetweencoders’intentandexpression,bothlikelytooccuranddifficulttoresolve.49Second,the dominant platform for scripts—Ethereum—assesses a tax oncomplexprograms.Thisfeemakestransactionalscriptsunsuitedformanyknottycontractingproblems,unlesstheirdraftersmakepartsofthecodenon-public,thusstrippingscriptsofmuchofwhatmakesthemanelegantsolutiontoproblemsoftrustinexchange.

Withabettergraspofhowscriptsoperate,PartIIusescaseex-amples to argue—contrary to the dominant account—that thesescripts fail inwaysthatare legibletotraditionalcontractual frame-works.Putsimply,theyfailtoaccomplishtheirparties’intent.Thoseexamplesstartwith“tokens”issuedin“initialcoinofferings,”continuewithdecentralizedexchanges,andfinallyconsiderso-called“oracles.”Wedescribeboththecodedandnaturallanguagepromisesaccompa-nying theseprojects.Eachsuchcategoryof transactional scripthasbeen touted as a revolutionary financial innovation. Each, as we’llshow,havealreadyproducederrorswithreallegalconsequences.

InPartIII,weaskhowlawoughttorespondtothesortsofprob-lemsoccasionedbysuchsystematicfailuresoftransactionalscripts.We argue that the layering of transactional script and natural lan-guagepromiseisbestunderstoodasproducingacontractstack.Con-tractstacksareinevitablewhenpartiescometogethertoaccomplishcommercialends,eveniftheytrytheirhardesttomakethecodethefinal answer to all their problems. Collecting the meager extantcaselaw,anddeployingoldfashionedrulesofinterpretation,weofferanovelframeworkthroughwhichcourtsoughttocompilesuchstacksandthusmakesenseofthesenewformsofcommercialexchange.

Theframeworkweoffer,thoughfocusedonthescriptedecosys-temofthemoment,hasgeneralapplication.Futureiterationsofdigit-ized transactions,whetherusingblockchainor other formsof soft-ware, will require courts to make sense of gaps between naturallanguage promises and coded executions. Our approach brings oldprinciplesofcommonlawtobearontheproblemsthatthenextgen-erationofcontractpractitionersandacademicswillface.

49. SeeElaineOu,BlockchainIsLitteredwith‘Smart’ContractsGoneBad:Opinion,INS. J. (Nov. 16, 2017), https://www.insurancejournal.com/news/international/2017/11/16/471387.htm[https://perma.cc/P5MF-67N3].


I.DESIGNINGEXPENSIVE,BUGGYSCRIPTSWebeginwithapreciseaccountofthecreationandfunctionof

transactionalscripts.Totheextentthatthediscussionrequiresstrug-glingwithnewjargon,ourpetardhasbeenwell-hoisted.50Ourgoalisnotmerelytodemystifythistechnology,butalsotheworldandsocialpracticesofcoderswhoseworkincreasinglymatterstolawandtrans-actionalpractice.Wemaketwoprimarycontributions.First,wetrytoexplainwhycodeisintrinsicallybuggy.Second,weoffersomereasonsto be skeptical about scripts’ innate ability to simultaneously solveproblemsoftrust,complexityandautomationofdeals.

We startwith the functional questionofhowcoders go abouttheirwork.

A. HOW(COMMERCIAL)CODINGWORKSTheprocessoftakingaprogrammer’sintentfromcodetoexecu-

tioninvolvesmultiplesteps,eachofwhichcananddoesintroduceer-ror.Justaswhenlawfirmsdraftcontracts,programmingprogressesin pieces and through teams. 51 Programming teams typically startwithahuman-drivengoal.Theythenchoosealanguageinwhichtocode.Typically,coderswillchooseahigh-levellanguagethatabstractsawaythedetailsofthemachine’shardwareandallowsprogramminginsyntaxclosertonaturallanguage.

Transactional scripts are commonly coded in Solidity, the lan-guageconceivedalongsideof,andforuseon,Ethereum,theplatformonwhichmostscriptsoperate.52Itissyntacticallysimilartothepop-ular,web-developmentlanguage,Javascriptandthuslooksfamiliartomanynon-smart-contractcoders.Tocreateatransactionalscript inSolidity,acodercreatesatextfilewithcontentsthatconformtothepubliclyavailablespecificationoftheSoliditylanguage,andthatcap-tureinprogrammaticformthedesigngoal.53

50. Cf.ELIZABETHMERTZ,THELANGUAGEOFLAWSCHOOL:LEARNINGTO“THINKLIKEALAWYER”(2007)(providingtheclassictextonhowlawstudentsaretaughttothinkandargueindistinctiveways). 51. On“flexiblestandardization”andtheproductionofcontractsinlawfirms,seeMatthewJennejohn,TheArchitectureofContractInnovation,59B.C.L.REV.71(2018). 52. Foragoodoverviewof thecodingecosystem, seeRainaS.Haque,RodrigoSeiraSilva-Herzog,BrentA.Plummer&NelsonM.Rosario,BlockchainDevelopmentandFiduciaryDuty,2STAN.J.BLOCKCHAINL.&POL’Y1,16–17(2019). 53. Formoreontheprocessofopensourcedevelopmentinblockchaingenerally,seeAngelaWalch,Open-SourceOperationalRisk:ShouldPublicBlockchainsServeasFi-nancialMarketInfrastructures?,in2HANDBOOKOFBLOCKCHAIN,DIGITALFINANCE,ANDIN-CLUSION252–54(DavidLeeKuoChuen&RobertDengeds.,2017).


Liketraditionalcontractdrafters,transactionalscriptdevelopersfreely use boilerplate. A significant fraction of code in open sourcesoftwareprojects iscopied.54Thispractice isalsoprominentwithinthetransactionalscriptsworld,withonestudyfindingin95%ofim-plementations thatperformedacommonfunction,codershadusedidentical syntax.55Reusingor retrofitting code fornewends servesmultiplepurposesfordevelopers.Reusedecreasesdevelopmenttimeandmayprovide ready-made, secure, and compatible solutions fordifficultcodingproblems.Codereusecanalsocauseproblems,makingdevelopers reliant on code they may not understand, propagatingbugs,andincreasingdevelopmenttimewherereusedcodeisdifficulttounderstandoradapt.56

Knittingtogetherthesepiecesofboilerplatewithbespokecodeisan iterativeprocess,andprogramsarecreatedacrossmultipleses-sionsconsistingofcodingandtesting.Tokeeptrackofchanges,andthecontributionsofmanyindividuals,57softwareprojectsuseversioncontrolsystemsthatthemselvescapturealogofeachchange.58Toaddachangetoaversioncontrolsystem,codersaretypicallyrequiredtoexplicitlyidentifythechange/stheywishtoadd,describeitina“com-mitmessage”andsendittoaserverthattracksthefullsetofchangesacrossusers.59

54. Developersreportameanthirtypercentoffunctionalityisderivedfromre-usedcode.SeeManuelSojer& JoachimHenkel,CodeReuse inOpenSourceSoftwareDevelopment:QuantitativeEvidence,Drivers,andImpediments,11J.ASS’NFORINFO.SYS.868,869(2010). 55. SeeYiZhou,DeepakKumar,SuryaBakshi,JoshuaMason,AndrewMiller&Mi-chaelBailey,Erays:ReverseEngineeringEthereum’sOpaqueSmartContracts,27PROC.USENIX SEC. SYMP. 1371, 1371 (2018), https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-zhou.pdf[https://perma.cc/GJ94-S6F8]. 56. EthereumSmartContractBestPractices,GITHUB,https://consensys.github.io/smart-contract-best-practices/general_philosophy[https://perma.cc/NS6T-MQ34](“Asmartcontractsystemfromasoftwareengineeringperspectivewishestomaxim-izereusewherereasonable.”). 57. Programmerswillsometimespairprogram:areviewerassesseseachlineofcodeastheprimaryprogrammeristyping.Thereviewersuggestschanges,spotser-rorsandoftendrivesthestrategicdirectionofthecode.See,e.g.,LaurieWilliams,Rob-ertR.Kessler,WardCunningham&RonJeffries,StrengtheningtheCaseforPairPro-gramming,IEEESOFTWARE,July/August2000,at19. 58. Distributedversioncontrolsystemshavemuchincommonwithblockchains.Theyrecordsequencesofchangestoacommon,replicatedrecordusingachainedhashstructurethattiestogethereachnewchangewiththecompletepasthistory.Theydonotsolveconsensusproblems,relyingonindividualstodeterminetheoutcomeofcon-flicts. 59. Whiledecentralizedversioncontrolsystems(DVCS)suchasgitcanintheoryoperatewithoutacentralizedserver,theconvenienceofahostthatisalwaysonline


Figure1:AwellwrittencommitmessagefromtheBitcoincorerepos-itoryexplainingthechangesmadeandthereasoningbehindthem.60 Whenaddedtothesystem,thesetofchangesistermeda“com-mit.”Thecommitloggeneratedbyaversioncontrolsystemthuscon-tainsevidenceofthedraftingprocess,bothincodeandhumanreada-bleform.Thelogandcodeareavailabletoalldevelopersonaprojectandmaysometimesbestoredonapubliclyaccessibleserver.

Largefirmsenforcedisciplineoverthiscommitlogsystem:com-mitmessagesmustcapturetheintentandeffectofachange.Insmallerdevelopment outfits, programmers often fail to includemeaningfulcommitmessagesandthelogmaythuspoorlycaptureintent.61

Anotherprominentpracticecommontowell-disciplineddevel-opment teams iscode review.Beforea serveror teamwill acceptacommit,itpassesthroughhumanreview.Thereviewisperformedbyotherteammembers,whocommentonaplatformintegratedwiththe

andauthoritativeensuresthatmostdeploymentsusesuchaserver.Commoncommer-cialserviceprovidersoftheseserversincludeGithub,Gitlab,andBitbucket. 60. https://github.com/bitcoin/bitcoin/commit/eb0b56b19017ab5c16c745e6da39c53126924ed6.patch[https://perma.cc/UL38-WEK3]. 61. Shortformcommitmessagescanrangefromtheinsightful,“Simplifyserializeh’sexceptionhandling,”tothebanal,“fuckfuckholyshitfuckIthinkIfinallyfixedmyshittygitfuck.”ChrisBeams,HowtoWriteaGitCommitMessage,INCEPTIONINNOVATION,https://inceptioninnovation.com/blog/tutorial-5/post/how-to-write-a-git-commit-message-14[https://perma.cc/3Z9G-CPFV];RamiroGómez,ExploringExpressionsofEmotions inGitHubCommitMessages,GEEKSTA(May10,2012),https://geeksta.net/geeklog/exploring-expressions-emotions-github-commit-messages/ [https://perma.cc/NT3D-UPGT].

commit eb0b56b19017ab5c16c745e6da39c53126924ed6 Author: Pieter Wuille <[email protected]> Date: Fri Aug 1 22:57:55 2014 +0200 Simplify serialize.h's exception handling Remove the 'state' and 'exceptmask' from serialize.h's stream implementations, as well as related methods. As exceptmask always included 'failbit', and setstate was always called with bits = failbit, all it did was immediately raise an exception. Get rid of those variables, and replace the setstate with direct exception throwing (which also removes some dead code). As a result, good() is never reached after a failure (there are only 2 calls, one of which is in tests), and can just be replaced by !eof(). fail(), clear(n) and exceptions() are just never called. Delete them.


versioncontrolsystem.Thereviewersassessallelementsofthecom-mit—themessage, thequalityof thecode implementingthechangeand the intentof thechange—andeitheraccept, reject,orsend thecommitbackforfurtherreview.

Onceaprogramisreadytobetested,itmustbeconvertedfromthe high-level language tomachine instructions. The conversion isdonethroughtheaidofacompiler,asecondaryprogramdevelopedforthisexpresspurpose.62Compilers,assoftwarethemselves,areim-perfect.Rarely,theycontainbugsthatcauseamistranslationfromthehigh-levellanguagetothetargetlanguage,furtherobscuringthelinkbetween programmer intent and program. Theymight also be de-signedmaliciouslyornegligently.63

However,ifallgoeswell,theoutputfromthecompilingprocessisbytecode,alow-levelrepresentationofthehigh-levelprogramthatthecomputer canexecutemoredirectly.Toprovidesomeconcretedetail,wenowturntotheblockchainplatformsofinterest.

B. ANINTRODUCTIONTOTHEBLOCKCHAINPLATFORMBlockchains are already the subject of a large legal literature.

Here,wesketchonlythebroadeststrokes.Essentially,theyareplat-formsfordistributeddataprocessingthatcreateincentivesforuserstoagreeon,andstore,outcomesofcomputation.64Ablockchaingen-erally consists of two components: storage structures that track

62. Therearetwoprimarywaysprogramsareexecuted:directlyorthroughaninterpreter.Directly executedprogramsundergomultiple translation (compilation)stepstakingtheprogramfromhuman-readablesourcecode,toless-humanreadableassembly code, tomachine readable instructions. See Introduction to ProgrammingLanguages/Compiled Programs, WIKIBOOKS (Sept. 29, 2019, 12:45 AM), https://en.wikibooks.org/w/index.php?title=Introduction_to_Programming_Languages/Compiled_Programs&oldid=3581047 [https://perma.cc/RLC4-9QYN]. Interpretedprogramsgenerallyundergoapreliminaryformofcompilationbutarenotthemselvesconvertedintomachineinstructions.Rather,aninterpreterexecutesthepreliminaryformbyasetofrulesactingonavirtualmachine.SeeIntroductiontoProgrammingLanguages/Interpreted Programs, WIKIBOOKS (Sept. 27, 2017, 6:49 PM), https://en.wikibooks.org/w/index.php?title=Introduction_to_Programming_Languages/Interpreted_Programs&oldid=3304944[https://perma.cc/4UBZ-FZRZ]. 63. SeeKenThompson,ReflectionsonTrustingTrust,TuringAwardLecture,27COMMC’NSACM761(1984).Soliditycompilers,withtheirrelativeclosenesstoblock-chainbasedassets,makeasimilarlyattractivetargetforattacks.TheSolidityfounda-tionmaintainsa listofknownvulnerabilities.ListofKnownBugs, SOLIDITY,https://solidity.readthedocs.io/en/v0.5.12/bugs.html[https://perma.cc/XM2S-DAY4]. 64. See generally DEFILIPPI&WRIGHT, supranote 33, at 33–49; Theophanis C.Stratopoulos& Jesús Calderón, Introduction to Blockchain for Accounting Students(Aug. 20, 2020) (unpublished manuscript), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3395619 [https://perma.cc/6YP7-NZ8B];DYLANYAGA,PETERMELL,


changesinthesystemandalgorithmsthatensureconsistencyofdataacrossstoragelocations.

Ablockchainidentifiesdatarecordsbyhashes:theoutputofanalgorithmcalleda cryptographichash function.65This easy-to-com-pute equation takes potentially voluminous data as input and pro-ducesashort,fixed-length,output—thehash.Critically,therearenoknownmethodstoeasilyperformthereversecomputation.66Itissim-ilarlyhard to find twodifferent setsofdata thatwhen fed into thefunctionbothproducethesamehash.67Thiscreatesatiebetweentheinput data and the hash. The hash acts as the “name” of the block,uniquelyidentifyingitbyitscontents.

Dataisorganizedintoblocks,witheachblocklinkingtoasetofstoreddata.Eachblockcontainsahash(belowinbold)correspondingtothestoragerecordslinkedtotheblockandthehashofthepreviousblock(shownas“prev”).

Ablock’shashiscomputedbyfeedingthecontentsoftheblockintothehashfunction.Thehashthereforeisstronglytiedtothedatawithintheblock,andalsotiestheblocktothosethatcomebefore.Thispropertyensuresanorderingtotheblocks,creatingthechainaspectofablockchain.Updates(proposedoraccepted)toablockchainaregenerallycontainedwithin “transactions,” small setsofmachine in-structions or transactional records that comprise the data withinblocks.Ablockisassociatedwithtransactiondatathroughanaddi-tionalhashstoredwithintheblock,inourfigurethishashisdepictedasH(data).68

NIKROBY&KARENSCARFONE,NAT’LINST.OFSTANDARDS&TECH.,INTERNALREPORT8202,BLOCKCHAIN TECHNOLOGY OVERVIEW (2018), https://doi.org/10.6028/NIST.IR.8202[https://perma.cc/8E82-6GQR]. 65. Yagaetal.,supranote64,at7–13;Stratopoulos&Calderón,supranote64,at34–40. 66. Note:thecryptographichashfunctionsusedforsystemssuchasblockchainsbearadditionalsecurityproperties.See JONATHANKATZ&YEHUDALINDELL,INTRODUC-TIONTOMODERNCRYPTOGRAPHY128–30(2007). 67. Itwouldtakearound720timestheageoftheuniversetofindacollisionforitshashfunction.SeeAshifShereef,APhysicist’sJourneyintoCrackingtheBitcoin,HACK-ERNOON(Mar.27,2018),https://hackernoon.com/a-physicists-journey-into-cracking-bitcoin-4631e57158cc[https://perma.cc/LTS6-M4BC]. 68. Thehashoverthedata iscomputedwiththeaidofanadditionalstructureknownasaMerkleTree.ThepropertiesofaMerkleTreeallowonetoeasilynoticeifthecontentsofaparticulartransactionhavechangedwithoutcheckingtheentiretyof

H1

prev: H0 H(data)

H2

prev: H1 H(data)

H3

prev: H2 H(data)


Usingachainasapublicandtrustedrecordrequiresamecha-nismtoachieveconsensusonthecontentsoftherecord.Participantsfollowawell-definedsetofrulesthatallowthemtoagreebothonthevalidityofaparticularchain,andtheordering(andacceptability)ofanyproposedupdatestothechain.69Participantsconnecttoonean-otherovertheinternet,formingasubnetworkwithinthelargernet-work.Participantssendandreceivemessagesinasetformattoindi-catetheirresponsestoproposedchangestotheblockchain.

Theblockchainrecordseachupdatethathaseverhappenedtothedataitstores.Byviewingtherecordofchanges,aviewercanac-cessthehistoricalstateofthechain.Thecontentsofablockchainarefixedonlysolongastheparticipantsagreeaboutwhatconstitutestheset of previous transactions. 70 Moreover, while the record of pasttransactionsmaybeunchanged,afuturetransactionmaymodifytheledgertomakethemostrecentcontentsidenticalinsubstancetothecontentsatapriortime(differingrecordsofthepastnotwithstand-ing).

Protocolscommonlyfeaturevalidatorswhovieforthescarceop-portunitytosubmitthenextblocktothenetwork.71Thosethatsuc-ceedataddingablockclaimareward.72Acapontheamountofdatathatcanbestoredinasingleblock,incombinationwiththerestrictedopportunitiestoaddblocks,limitsthenumberoftransactionsthatcanbeprocessedinaunitoftime.73

the data. See Shaan Ray, Merkle Trees, HACKERNOON (Dec. 14, 2017), https://hackernoon.com/merkle-trees-181cb4bc30b4[https://perma.cc/M9CV-GDJW]. 69. Theserulesaretheprotocolgoverningthesystem.SeeGrimmelmann,supranote33,at8. 70. Forks serve as an “ever-present escape valve” frommajority consensuseswithwhichaminorityofblockchainparticipantsdisagree.Haqueetal.,supranote52,at34. 71. Insuchprotocols,asubspeciesofvalidators,miners,arealsogiventheoppor-tunitytomintanewunitofthecorrespondingcryptocurrency,updatingtheledgertograntthemownershipoverthenewcoin.Id.at149. 72. Opportunitiestoaddblocksareallocatedaccordingtotheconsensusscheme,thetwomostpopularofthesebeingProof-of-Work,whichprobabilisticallyallocatesopportunities based on amount of computational effort spent, and Proof-of-Stakewhichprobabilisticallyallocatesopportunitiesinproportiontoaminer’sstakedcryp-toasset. 73. Dubbedthescalingproblem,maximizingtransactionthroughputisahighlyactiveareaofresearch.Proposedsolutions includemovingcertain transactionsoff-chainandothernovelprotocoldesigns.See,e.g.,ConnorBlenkinsop,Blockchain’sScal-ing Problem, Explained, COINTELEGRAPH (Aug. 22, 2018), https://cointelegraph.com/explained/blockchains-scaling-problem-explained[https://perma.cc/PC48-3H75](givinganoverallexplanationofthescalingproblemandpresentingoff-chaintransac-tionsasapossiblesolution).


Anindividualwishingtotransactviathenetworksubmitstheirproposedtransactiontothepeer-to-peernetworkandindicateshowmuchtheyarewillingtopay(incryptocurrency)tohavetheirtrans-actionprocessed.74Validatorswillprocesssuchuser-submittedtrans-actions,claimingassociatedprocessingfees.75Thesizeofthefeeisin-verselycorrelatedwithhowlongthenetworkwilltaketoprocessthetransaction,asalargerfeemorestronglyincentivizesvalidatorstoin-cludethattransactionwithinthenextblock.76

Blockchainledgerentriesareassociatedwithidentifiersknownas addresses, which determine who controls particular ledger en-tries.77Digitalkeysthatgrantcontroloverassets(ordata)storedinagivensetofentriesarestoredin“wallets,”whicharefilesorprogramscontainingthesekeys.Colloquially,someequatecontrolwithowner-ship,whichiswhyyou’llhearaboutawallet’s“owners.”Ofcourse,ac-cessandtheabilitytomodifydoesn’tnecessarilymeanownership,un-less that apartment key you gave your dog walker was moresignificantthanyouthought.Atitscore,acryptoassetisnothingmorethananentryintheledger,securedwithasetoffancytoolsthatmeanonlythosepeoplewhoknowtheaccessdigitscanchangeitscharac-teristics.

Finally,publicblockchainsaretypicallydesignedsothatvalida-torsorotheruserscanunilaterallyjoinandleavethenetwork.Per-missionedblockchainstakea fundamentallydifferentapproach,ad-mitting only preapproved validators to the consensus formingprocess.Whilepotentiallyusefulforaconsortiumofknownparties,or for usewithin an individual business, permissioned blockchains

74. Insomesystems,portionsofthetransactionfeemaybeoptional,butthismayresultinthenetworkfailingtoeverprocessatransaction. 75. Cf.RebeccaBratspies,CryptocurrenciesandtheMythoftheTrustlessTransac-tion,25MICH.TECH.L.REV.1,20–21(2018)(indicatingthatindividualtransactionfeesincreaseasthenetworkloadincreases,leadingtotransactionfeesover$55dollarspertransactionatonepointforBitcointransactions). 76. Id.; seealsoFILIPLUNDIN&FREDRIKRAHM, EVALUATINGRISKANDREWARDFORVALIDATORSINACRYPTOCURRENCYPROOF-OF-STAKENETWORK11–12(2018)(explainingthe inverse relationshipbetweenvalidators incentivizationand transactionprocessrisk). 77. Thesearenormallyderivedfromusers’cryptographickeysortheresultofahashfunctionappliedtorelevantdata.


relyonusers’trustinthelistvalidators,preapprovedbytheentityop-eratingtheblockchain.78Thislimitstheiruseinthelow-trustmarket-place for which transactional scripts are most often touted. 79 Wethereforefocusouranalysisonthe“permissionless”ecosystem.80

C. ETHEREUMANDSCRIPTINGBitcoinisanawkwardcommercialplatform,mostlyusefulforre-

cording and facilitating the flow of bitcoin transactions.81Realizingtheutilityofperformingmorecomplexoperationsonablockchain,a

78. See Sklaroff, supra note19, at276–77n.50 (“[T]he advantagesof [permis-sioned]blockchainsexistintandemwithrelianceonofflineidentity....[P]articipantson permissioned blockchains are typically bound by off-chain, real-world agree-ments[.]”(internalquotationsomitted)). 79. MostcommentersagreewithIanKane,COOofTERNIO,inthinkingthat“per-mission[ed]blockchainshavetheirplacespecifically inanenterpriseenvironment.”ShehryarHasan,PrivateBlockchainsAreBullshit,ExpertSays,BLOCKPUBLISHER(Jan.25,2019),https://blockpublisher.com/private-blockchains-are-bullshit-expert-says[https://perma.cc/9JDU-DDMC];seealsoJustinO’Connell,WhatAretheUseCasesforPrivate Blockchains? The Experts Weigh in, BITCOINMAG. (June 20, 2016), https://bitcoinmagazine.com/articles/what-are-the-use-cases-for-private-blockchains-the-experts-weigh-in-1466440884 [https://perma.cc/DT5Y-ENTJ] (finding thevalueofprivateblockchains is in theirability to “provide interestingopportunities forbusi-nessestoleverage[their]trustlessandtransparentfoundationforinternalandbusi-ness-to-businessusecases”);cf.EUR.UNIONBLOCKCHAINOBSERVATORY&F.,BLOCKCHAINAND THE GDPR 16 (2018), https://www.eublockchainforum.eu/sites/default/files/reports/20181016_report_gdpr.pdf [https://perma.cc/74D2-QF2X] (suggesting thatpermissionedblockchainsmightneedpermissionlessblockchainsinordertobeglob-allyinteroperable). 80. Thecomputerscienceliteratureexploresavarietyofscenariosinwhichnet-workparticipantshavegreaterorlessertrustinotherparticipants.Theseworksoc-cupythespacebetweenassuminganoverwhelmingmajorityofparticipantsarehon-estandassumingpreexisting trustedrelationshipswithothernetworkparticipants(permissionedmodels).Suchconstituteamiddlegroundbetweenpermissionedandpermissionless approaches to distributed computation, and generally represent atrade-offbetweenscalabilityandtrust.Whilelaudableeffortsreducetheleveloftrustthatitisnecessarytosacrificeforsubstantialgainsinscalability,thesesubtletiesarenotthefocusofourwork.Fortreatmentofatechniqueforscalingblockchaincompu-tationsand foradiscussiononotherapproaches, seeHarryKalodner,StevenGold-feder,XiaoqiChen,S.MatthewWeinberg&EdwardW.Felten,Arbitrum:Scalable,Pri-vateSmartContracts,27PROC.USENIXSEC.SYMP.1353,1353(2018). 81. WhileBitcoincanbescriptedtoperformsophisticatedtasks,doingsoischal-lenging.Coderswishing todosomustworkagainst the limited functionalityof theplatform. JacquiFrank&SaraSilverstein,VitalikButerinCreatedOneof theWorld’sLargestCryptocurrenciesinHisEarlyTwenties—Here’sHowHeDidItandWhy,BUS.IN-SIDER (Feb. 13, 2019, 6:22 AM), https://www.businessinsider.com/vitalik-buterin-created-ethereum-one-of-the-worlds-three-largest-cryptocurrencies-2019-1[https://perma.cc/TD7K-XJRN](relayingButerin’sbeliefthatBitcoinisalimitedfunc-tionalitymedium).


programmer named Vitalik Buterin proposed and developedEthereum,ablockchainbasedcomputingplatform,withanassociatedcryptocurrency,Ether.82Theprotocol’sexplicitgoalwastopermiten-hancedscripting—morecomplicatedlogicaloperationsthanrecord-ingownership—onablockchain.EthereumusestheEthereumVirtualMachine(EVM)—asoftwaresystemwithpredefinedrulesandopera-tions,whichyoucanthinkofasasimulatedcomputer.83

TheEthereumVirtualMachineenablesprogramstostoredataontheEthereumblockchainanddefinedhowtheoriginaldatacouldbemodified.84 By the nature of the blockchain, all data is public andthereforereplicable;theEVM,however,allowsdeveloperstorestricthowthedatamaybemodified.Storageandcontrol,inturn,createdtheplatformfortransactionalscripts.ScriptsareprogramsoperatingonEthereum,whichwhenexecuted(or“called”)affecttheledgerit-self.

82. Onthevariouskindsofcryptocurrenciesandtheirrelationshiptomonetarypolicy,seeMaxRaskin,FahadSaleh&DavidYermack,HowDoPrivateDigitalCurren-ciesAffectGovernmentPolicy?(Nat’lBureauofEcon.Rsch.,WorkingPaperNo.26219,2020). 83. Kolber,supranote25.Solidity,themostcommonlanguageusedtoprogramEthereumtransactionalscriptsisTuringcomplete,meaningitcanintheoryperformanyprogram.Thisislimitedonlybytherestrictionstheprotocolplacesoncomplexitytomitigatedenialofserviceattacks.SeeNiharikaSingh,TuringCompletenessandtheEthereumBlockchain,HACKERNOON(Feb.16,2019),https://hackernoon.com/turing-completeness-and-the-ethereum-blockchain-c5a93b865c1a [https://perma.cc/7EU5-EVXP].TheEVMdrawsitsinspirationfromcommonmodelsofcomputerarchitecturewithmodificationsthatensuretheintegrityofscripts’code.Whilethisarchitectureisforeigntothecomputersonwhichthesoftwareruns,itissimulatedbywayofthevir-tual machine. See Preethi Kasireddy, How Does Ethereum Work, Anyway?, MEDIUM(Sept. 27, 2017), https://medium.com/@preethikasireddy/how-does-ethereum-work-anyway-22d1df506369[https://perma.cc/5G3V-MCDM]. 84. ForamorecompletediscussiononthelimitsoftheBitcoinmodel,seeCon-senSys,ThoughtsonUTXObyVitalikButerin(Co-FounderofEthereum),MEDIUM(Mar.9, 2016), https://medium.com/@ConsenSys/thoughts-on-utxo-by-vitalik-buterin-2bb782c67e53[https://perma.cc/78P6-GRDJ].Asagentsareabletomanipulatetherecordsstoredontheblockchain,transactionalscriptsareabletotransfervaluecon-tingentonthoserecords.Thisisthetruesourceoftheirutilityoverothertypesofpro-gramsthatinteractwithdistributeddatabases:thetightintegrationofanassetstoragemechanism(cryptocurrenciesandcryptoassets)withaprogrammaticwaytotransferownership(transactionalscripts).Thecouplingofthetwoensuresthatthevalueoftheassetisconditionalonplayingbytherulesofthegame—whichinturnprovidescertainassurancesthatthecontractswillbeexecuted.


TheinstructionsetprovidedbyEthereumisaspowerfulandex-pressiveasanyotherprogramming language.85If limitsarenot im-posed on transactional script running time and resource require-ments, a malicious actor could force validators to perform neverendingcomputations,haltingallusefulworkonthechain.Validatorsmust also be incentivized to spend their computational resourcesevaluatingscripts.Ethereumthereforeimposeswhatwetermacom-plexitytax:transactionfeesproportionaltothecomputationrequiredbyatransaction.86Thisfeeisknownasgasandispaidinfractionalamountsofether.87TheEthereumprotocolspecifiesahardlimitonhowmuchgasmaybeconsumedbyasingletransaction.88Thus,theamount of gaspaidper transaction isdeterminedby theEthereumprotocol,whiletheexchangerateisdeterminedbytheuser.Theusermustalsopre-paygasthatintheirestimationwillsufficientlycovercosts. If thispre-payment is too low,andthere is insufficientgastocompletelyexecutethescript,thescriptwillterminatewithoutare-fund.89

Thereare70differentoperationsunderstoodbytheEVM,eachofwhichisassociatedwithacost,basedontheamountoftimeandenergyittakesavalidatortoexecutetheoperation.Hereareonlyafew,withtheirassociatedcosts.

85. Ethereum scripts require special purpose languages and tools to deploy.Thereisactiveresearchindesigninglanguagesthatfacilitatebetterdevelopmentprac-tices.SeegenerallyMudabbirKaleem,AnastasiaMavridou&AronLaszka,Vyper:ASe-curityComparisonwithSolidityBasedonCommonVulnerabilities,2NDCONF.ONBLOCK-CHAINRSCH.&APPLICATIONSFORINNOVATIVENETWORKS&SERVS.,June14,2020. 86. SeeBrunoSkvorc,Ethereum:HowTransactionCostsAreCalculated,SITEPOINT(May 24, 2018), https://www.sitepoint.com/ethereum-transaction-costs [https://perma.cc/NAU4-RTYJ] (describing the proportionality of gas costs in Ethereum’sstructure). 87. ForadetailedexplanationoftheinternalmechanismsofEthereum,seegen-erallyKasireddy,supranote83. 88. Atthetimeofwriting,thiswassetatapproximately8milliongas(withanupcomingchangeto10milliongas),equivalenttoapproximately$2USDatagaspriceof1Gwei(billionthsofanETH). 89. Existingliteraturedescribesthecomplexitytaxingeneraltermswithoutelab-oratingonitsexactcosts.See,e.g.,ThibaultSchrepel,IsBlockchaintheDeathofAnti-trustLaw?TheBlockchainAntitrustParadox,3GEO.L.TECH.REV.281,292(2019)(not-ing thatEthereumrewardssuccessfulminerswith transaction fees);Sklaroff,supranote19,at293n.139(describingthe“supplyanddemanddynamic”createdanditspolicingeffectson“buggyorinfinitelyrecursivecode”);id.at294n.143(“[T]hissolu-tionwouldbeprohibitivelyexpensivefromatransactionfeeperspective....”).


OperationName

MaxCost(Gas)

Cost($)/1millionoperations90 Effect

ADD 3 ~$30 Addstwonumberstogether

MUL 5 ~$50 Multipliestwonum-bers

SSLOAD 200 ~$2000Loadasinglenum-berfrompermanentstorage91

SSTORE 20000 ~$200,000Storeasinglenum-berintopermanentstorage

Themostexpensiveoperation,SSTORE,updatesdatathatconsti-

tutetheEthereumledger’smemory.92Asitaddstothelong-termcostofstoringtheledger,theprotocolimposesasubstantialup-frontfee.

Datastorageonapublicledgerformsakeycomponentofmanyproposedblockchainuse-cases,93butitisfinanciallycostlyincompar-isontogeneralpurposestorage(whichisavailablefromcommercialprovidersonayearlybasisatapproximatelyone-ten-millionthofthecostofEthereumbasedstorage).94Similarly,theprocessorinatypicallaptop performs on the order of billions of operations per second,

90. Thesefiguresarecalculatedatthedefaultgaspriceof3 × 10!"gas/ETHandanexchangerateof$295USD/ETHandareroundeduptoonesignificantfigure.SeeDanny Ryan,Calculating Costs in Ethereum Contracts, HACKERNOON (Sept. 6, 2017),https://hackernoon.com/ether-purchase-power-df40a38c5a2f[https://perma.cc/6SUH-ADGR]. 91. ThemaximumvalueonwhichtheEVMoperatesoninasingleoperationis2^256.Outsideof technical reasons for this choice, this limitprevents coders fromstoringalltheirdatarepresentedasonehugenumberinanattempttopaylowergascosts. 92. SeeTingChen,XiaqiLi,XiapuLuo&XiaosongZhang,Under-OptimizedSmartContractsDevourYourMoney,2017IEEE24THINT’LCONF.ONSOFTWAREANALYSIS,EVO-LUTION&REENGINEERING,Mar.11,2017(indicatingthatSSTOREisparticularlyexpen-siveamongsmartcontractoperationsintheEthereumVirtualMachine). 93. Evenforsystemsthatpurporttostorethebulkofdataoff-chain,thecostofstoring references to the off-chain data necessitates a cost-benefit approach to as-sessingtheviabilityofablockchainbasedsolution.SeeMEDICALCHAIN,WHITEPAPER2.1,at1,14(2018),https://medicalchain.com/Medicalchain-Whitepaper-EN.pdf[https://perma.cc/KSC8-AUS4](observingthatwhilerecordsthemselvesarestoredoffchain,eachupdatetoarecordnecessitatesstoringanewvalueontheblockchain);seealsoARMANJABBARI&PHILIPKAMINSKY,BLOCKCHAINANDSUPPLYCHAINMANAGEMENT(2018),http://www.mhi.org/downloads/learning/cicmhe/blockchain-and-supply-chain-management.pdf [https://perma.cc/925L-X9R7] (envisioning large-scale supply-chaindatastorageontheblockchain). 94. SeeAmazonS3Pricing,AWS,https://aws.amazon.com/s3/pricing [https://perma.cc/4VHU-77H6].


whichwouldequatetohundredsofdollars’worthofcomputationsonEthereum.95Gascostsdon’tstemfromtheregularunitcostofstoringachunkofdataorperformingacomputation.96Theyareartifactsofthereplicatedworkandstorageusedtomaintainandvalidateconsen-sus.97

This complexity taxhas limited,but real implications.Wecon-cedethatneitherstoragenorcomplexprogrammingarewhatblock-chainsarefor,andsuchspecialpurposetoolsshouldn’tbeevaluatedincomparisonwithtraditionalcomputers.Butit’simportanttorecog-nizethatforsomeproposedusesoftransactionalscripts—suchasen-codingsemanticframeworkslikediscretion,goodfaith,andbestef-forts—publicblockchainsolutionsincursignificantcosts.98

Theresultofsuchcostsisthatitispracticallyimpossibletorunsomekindsofscriptsinpublic.Manyreal-worldcomputationaltasks(searchingandsortinglargeamountsofdata,machinelearning,opti-mization) require non-trivial amounts of computational powerand/ordatastorage.Forexample,thoughitwouldbepotentiallyuse-fultowriteascriptthatusedanalgorithmtodetermineifaworkerhadusedherbestefforts,andthenpayherforhertime,thatkindofcomputationisnotpracticalotherthanbydelegatingthecomputationtoanagent“off-chain.”99Currentscriptsthusgenerallycontainonly

95. Somesitesindicatethatmodernprocessorsprocessoperationsatthetensofbillionsoffloating-pointoperationspersecond.Onthescaleofourillustrations,thatiscomparablewiththebasicarithmeticoperationsoftheEVM.See,e.g.,CPUPerfor-mance, ASTEROIDS HOME, https://asteroidsathome.net/boinc/cpu_list.php [https://perma.cc/39EF-LGL6]. 96. NotedblockchainresearcherEminGünSirercorrectlynotesthatcostsofstor-ing the blockchain itself are negligible on a per node basis. Emin Gün Sirer(@el33th4xor),TWITTER(Nov.29,2019,1:13PM),https://twitter.com/el33th4xor/status/1200477778463907841[https://perma.cc/2HDN-CCL5].Ourconcernishowthiscostismagnifiedbycurrentconsensusprotocols. 97. TheseparticularcostsaredistinctfromthecomputationalcostincurredbyProof-of-Work style consensus algorithms that establish consensus in the first in-stance.Rather, theneed to check thevalidityof theoutput fromcomputationsandmaintaincopiesoftheoutput(toallowfailurerecovery),imposeacostthatispaidexantebyataxonexpensivecomputations. 98. WhileSklaroffnotesthepotentialhighexantecostofdevelopingcontractsflexibleenoughtoincorporatelegalframeworks,weherequantifythosecosts,focusontheongoingtaxesimposedbytheblockchainparadigm,andexpandoncodingreal-itiesthatfurtherdrivedevelopmentcosts.Sklaroff,supranote19,at279. 99. Off-chaintransactionsarethosethatmovevaluefromtheblockchaintobeprocessedexternally.Suchtransactionsmayeventuallybereconciledandintegratedbackontothechain.SeeOff-ChainTransactions,BITCOINWIKI(June18,2019,4:43AM),https://en.bitcoin.it/wiki/Off-Chain_Transactions[https://perma.cc/9YD3-VWLQ].


thesimplestofif-thentypelogic.100Ausefulanalysisofthelegalsig-nificanceofourscriptsrequiresaclear-eyedevaluationastothelikelyfutureusesandlimitationsoftheform.

There is a robust technical literature exploringmechanisms toavoidthecomplexitytax.Butmostproposalstomitigatecoststrade-offbetweenthesecurityandtransparencyoftheon-chainmodel,andtheefficiencyattainableunderframeworksthatassumemoreonthepartofotherprotocolparticipants.101Whiletherearesomeimprove-mentsthatcanbemadetoefficientlyscaleblockchainswithoutcom-promisingthepromiseoftrulytrustlessexchange,102themosteffec-tive solutionswill inevitably delegate the bulk of computation andstoragetosmallersubsetsofthenetworkoreventonon-participantsoffchain.103

Thecomplexitytaxthusproducesarealhurdleforcertainkindsof complex contracting. There are known techniques to reduce thecostofmostcomputations,butfindingawaytominimizeblockchaindatastoragecostswhileensuringthedataisaccessibleondemandisanopenproblem.104Firmsconsideringoff-chainsolutionsmustthere-

100. Thequarrelsomereadermaynotethatallimperativeparadigmprogrammingadherestoanif-thenparadigm.Wemerelynotethepaucityofsophisticationinscriptscurrentlydeployed.Forabriefdiscussionondifferentprogrammingparadigms,seeJing Chen, A Brief Survey of “Programming Paradigms,” MEDIUM (Apr. 11, 2019),https://medium.com/@jingchenjc2019/a-brief-survey-of-programming-paradigms-207543a84e2b[https://perma.cc/V3WE-HECF]. 101. For an analysis of various designs facilitating off-chain computation by asmallernumberofnodesandreducingthecostimposedbylargescalereplicationofwork,seeLewisGudgeon,PedroMoreno-Sanchez,StefanieRoos,PatrickMcCorry&Arthur Gervais, SoK: Layer-Two Blockchain Protocols, https://eprint.iacr.org/2019/360.pdf[https://perma.cc/N9MZ-CK3U].SeealsoKyleCroman,ChristianDecker,IttayEyal,AdemEfeGencer,AriJuels,AhmedKosba,AndrewMiller,PrateekSaxena,ElaineShi,EminGünSirer,DawnSong&RogerWattenhofer,OnScalingDecentralizedBlock-chains,inFINANCIALCRYPTOGRAPHYANDDATASECURITY106,106–10(JeremyClark,Sa-rahMeiklejohn,PeterY.A.Ryan,DanWallach,MichaelBrenner&KurtRohloffeds.,2016). 102. Oneproposalthatsucceedsinmaintainingatrustlessnetworkwhileimprov-ingsubstantiallyonscalingistheAvalancheProtocol,whichproposesanalternativetoproof-of-work.SeeTeamRocket,MaofanYin,KevinSekniq,RobbertVanRenesse&EminGünSirer,ScalableandProbabilisticLeaderlessBFTConsensusThroughMeta-stability(Aug.24,2020)(unpublishedmanuscript),ARXIV:1906.08936.Howeverevenprotocols thatminimize computational costs such as Avalanche and Arbitrum stilldon’trealizethepromiseofeffectivelyfreetransactionalscripts.SeeKalodneretal.,supranote80,at1353–54(givingadescriptionofArbitrum). 103. ImportantlyforouranalysisofbuggyscriptsinPartIII,infra,evenwhereoff-chainscalingtechniquesareadopted,thecoderemainspubliclyaccessible. 104. SeeCromanetal.,supranote101,at108–10.


foreaskwhetherthegameisworththecandle.Thatis,publicblock-chains have important virtues: primarily, they enable trustless ex-change between pseudo-anonymous counterparties. Blockchain-basedalternativesmaynothavethosevirtues.

D. CODINGONETHEREUMWenowreturntoourcoders’workandfocusonhowtheywrite

transactionalscripts.Let’ssupposethatateamofcodershasauthoredhigh-level code and run that code through the compiler, producingbytecodethatcannowbeexecutedontheEVM.

Iftheyareresponsible,theymustnowtesttheprogram;onlyaf-tertestingwillitbedeployed.Duringdevelopmentprogrammerswillgothroughmany,manycyclesofcoding,compilingandtesting,find-ingbugsandareasthatneedimprovement.105

105. Cf.RichButkevic,TheLifecycleofaSoftwareBug,OPENSOURCE(June25,2018),https://opensource.com/article/18/6/life-cycle-software-bug[https://perma.cc/2FMU-YVKE](describinghowdevelopmentteamsfixbugs).


Tomakethediscussionmoreconcrete,wepresenttheStagedContractscript,writteninSolidity,andexplainhowitisprocessedbythevir-tualmachine.Itillustratesasimpledeal:theownerofthescriptagreesto pay forwork in increments of 1ETH as the recipient completesstagesofsomeoff-chainjob.106Therecipientcanclaimpaymentforeachstagewithouttheinterventionoftheowneruptothetotalvalueofthecontract.

106. Notdepictedisamechanismfortheownertoincreasetheamountofpaymentavailableovertime.

Figure2:TransactionalScriptinSolidity


StagedContract also allows the recipient to offer a discountthroughthediscount()functionwhichtheownercanapproveviatheapproveDiscount()function.Illustrativeofthecomplexitytax,attimeofwriting,itcost$1.30todeploythescriptand$0.08toexecutethecompleteStage() function even once. (Imagine using this script forpaymentofhundredsofthousandsofgigworkers.)

Likemostcomputerprograms,Solidityrequirestheavailabilityof fundamentalcomputationalstructures:107basicarithmeticopera-tions, operations to access andmodify some form ofmemory (the“state”), away to input/outputdata, and crucially, amechanism tochoosebetweendifferentpossibleexecutionpathsbasedonthestateofthecomputer.ThesearethekeyelementsimplementedbytheEVM.

Eventhisverysimplescriptrequiresexpertisetoconceiveof,im-plementanddeploy.Itrequiresstillmoreexpertisetorecognizethatitcontainsaseriousbug.Notingthat ifan integergrowsorshrinksbeyond the limit set by the EVM (overflow and underflow respec-tively),theintegerresets,asneakyrecipientcouldmountthefollow-ingattack:108

1. Therecipientoffersadiscountthatreducesthecostofthejob

tonothing,whichthegreedyownerreadilyaccepts.

2. Therecipientoffersanadditionaldiscountinadvanceoffu-tureworkandwaitsuntiljustbeforetheownerapprovesit.

3. The recipient quickly engorges their discount to themaxi-mumsizepermittedbytheEVM.

4. Theunsuspectingowner fails tonotice the changeandap-provestheoversizeddiscount,reducingthesumavailableforpaymentsomuchthatitunderflows—resettingtheamountavailableforpaymenttothemaximumvaluepermittedbytheEVM.

5. The recipient now executes completeStage() repeatedly,emptying the script of its Ether, without running into thelimit.

107. These,alongwiththeabilitytoexecuteloops,arealsotheelementsthatper-mittheEVMtosupportaTuringcompletelanguage.SeeSingh,supranote83. 108. Whilethescenarioisadmittedlycontrived,itservestoillustratethedifficultyofwritingcorrectcode.


ThisisbutoneofmanywaysinwhichthespecificsoftheEVMcantripupotherwisecode-literateindividuals.

Theparticularproblemforscriptsisthatwhentheyarealreadyonblockchainandpartieshavebeguncommittingassets,theycan’tbeeasily modified (at least without pushing out a unilateral updatewhichmightcauseseriousreputationalblowback).109Therefore,wisedeveloperswouldfirsttryitouton“testnets,”smallscaleblockchainsreplicatingthebehavioroftheirlargersiblings,butwithoutthegoalof preserving immutability or value long term.110Testnets are alsousedtotrialchangestothecoreprotocolofablockchain,withoutim-pactingexistingusers.111Testnettransactionsaregenerallyfree.112

Whenadeveloperisreadytotesttheirtransactionalscript,eitherontherealnetworkoronthetestnet,theysubmitaspecialtransactiontothenetwork.Thetransactionincludesthebytecodeofthetransac-tionalscript,anamountofgastopayforthedeployment,andawalletfromwhichthegaswillbetransferredout.Thetransactionalscriptisthenstoredontheblockchain,anditscomponentfunctionsandstor-agecanbeaccessed.

Modern programming languages, including Solidity and theEthereumEVM instructionset, separatesegmentsof code thatper-formdiscreteoperationsinto“functions,”eachofwhichrequireade-veloperusingthefunctiontoprovidecertaininputs.Onceafunctionfinishesexecuting,itproducesanoutputwhichisprovidedtoeithertheuseror,ininstanceswhereafunctionisexecuted(“called”)withinanotherfunction(the“caller”),theoutputisavailableforusewithinthecaller.Tocallafunction,thecallermustalsoincludegassufficienttopayfortheexecutionofthecallee(andinarecursivefashionforanyfunctionsthecalleemightcall).

109. SeeAndrewChow,CommenttoWhyIsItImpossibletoModifyaTransactioninthe Blockchain, STACKEXCHANGE: BITCOIN (Mar. 30, 2018, 5:02 PM), https://bitcoin.stackexchange.com/questions/73229/why-is-it-impossible-to-modify-a-transaction-in-the-blockchain[https://perma.cc/H65D-AGLA](“Overall,modifyingtransactionsalreadyintheblockchainrequiresreminingblocks,andafteratransactionalreadyhasafewconfirmations,doingthisrequiresimmenseamountsofcomputingpower.”). 110. Testnet, BITCOIN WIKI (Apr. 14, 2020), https://en.bitcoin.it/wiki/Testnet[https://perma.cc/5743-J2KZ]. 111. SeeMyEtherWallet,Understanding Blockchain Changes: Testnets andMain-nets, MEDIUM (May 26, 2019), https://medium.com/myetherwallet/understanding-blockchain-changes-testnets-and-mainnets-c2171a8e835f [https://perma.cc/C5ZL-J7DN](indicatingthepotentialusesoftestnets). 112. Seeid.(“[I]nEthereum’scase,thegaspaymentfortestnetcomputationsdoesnotcostany‘real’money....”).


Thisallassumesthecodershaveimplementedeachstepofthisprocesscorrectly.But,astheStagedContractexampleillustrates,er-rorscanbesubtle.Theresimplyisnofoolproofmethodtogeneratesoftwarethatmatchesitsinitialspecification.113Further,evenassoft-wareispatchedtoremoveoldbugsmanynewbugscreepin,andsoft-waredoesnotconvergetoabug-freestate.114

Penetration testing and security auditing are other importantcomponentsofsophisticatedsoftwaredevelopment.Specializedsecu-rityengineersattempttofindandexploitsecurityflawsandassessthequalityofcodeasrelevant tosecurity.115However, security failuresbedevileventhebestauditedsoftwarepackages.116Therealtestforcode, particularly when designed to operate adversarial environ-ments,comesonlywhenitisdeployedandused.Itisoftenonlywhenthecodemeetstheroadthatdevelopersfindthebulkofbugs,improv-ingontheircodebyconstant iteration.117Eventhen,vulnerabilitiesmayremainlatentforlongperiodsoftimepriortodiscovery.118

113. SeeWenboGuo,DongliangMu,XinyuXing,MinDu&DawnSong,DEEPVSA:FacilitatingValue-SetAnalysiswithDeepLearningforPostmortemProgramAnalysis,28PROC.USENIXSEC.SYMP.1787,1787(2019)(remarkingontheinevitabilityofflawsinsoftware). 114. SeeSaenderA.Clark,TheSoftwareVulnerabilityEcosystem:SoftwareDevel-opmentintheContextofAdversarialBehavior(2017)(Ph.D.dissertation,Universityof Pennsylvania), https://repository.upenn.edu/cgi/viewcontent.cgi?article=4019&context=edissertations[https://perma.cc/G87G-JWR6]. 115. Duetothelevelofspecializationrequired,suchengineersortestersarecon-tractedfromboutiquefirms,withfeescomparabletothoseofhigh-endlawyers.Thisputsmanywell-performing service firmsoutside theprice rangeof themajorityoftransactionalscriptdevelopers.Seeekotysh,HowMuchDoesaSmartContractAuditCost?, REDDIT (July 24, 2017, 11:03 PM), https://www.reddit.com/r/ethdev/com-ments/6pdgvd/how_much_does_a_smart_contract_audit_cost[https://perma.cc/GL7T-ATHS]. 116. OpenSSL,oneofthemostscrutinizedsoftwarepackages(andwhichunderliesmuchofthecryptographyusedtosecuretheInternet),hasdisclosedoverelevenhigh-severityvulnerabilitiessince2014,despitehavingbeencreatedpriorto2002.SeeVul-nerabilities, OPENSSL, https://www.openssl.org/news/vulnerabilities.html [https://perma.cc/97CK-XMD5]. 117. Someexpertsestimatethedensityofbugsis10to50bugsperKLOC(1000lines of code). EvenMicrosoftwith its sophisticateddevelopmentpractices still re-leasescodewithabugdensityof~0.5perKLOC.Thisisequivalenttotens-of-thou-sandsofbugsinamodernoperatingsystemcompiledfromtens-of-millionsoflinesofcode.SeeSTEVEMCCONNELL,CODECOMPLETE:APRACTICALHANDBOOKOFSOFTWARECON-STRUCTION 652 tbl.27-1 (2d ed. 2004), http://aroma.vn/web/wp-content/uploads/2016/11/code-complete-2nd-edition-v413hav.pdf[https://perma.cc/9QXQ-NQVL](showingtherangeofdefectdensities). 118. SeeClark,supranote114,at74–75.


These characteristics of the vulnerability life cycle pose chal-lenges fora transactional scriptdeveloper,where thereare limitedopportunitiesforsafetestingonaliveblockchainorpatchingexpost.Worse,thesemanticsoftheSoliditycodinglanguageinwhichalmostall transactional scriptsarewrittenare substantiallydifferent fromtraditionalsoftwaredevelopment,leadingtooverconfidentdevelop-ersignoringpotentialpitfallssuchasreentrancyvulnerabilitiesthatarenotpresentinmostcodingenvironments.119

Theneedforsecurityalsoimposesasecond,moremetaphysical“complexitytax:”themorecomplexatransactionalscript,theharderit istopreserveboththecoder’s intention(andtheintentionofthepersonhiringthecoderandsoon),whilenotcreatinganyinsecurities;moredevelopment timemustbeexpendedtoshoreup thecode.120Thebiggerthetransactionalscriptship,themoreeffortmustbeex-pendedtopatchtheleaks.

E. SUMMARYArecentsurveyofscriptdeveloperssuggeststhatcodersarebe-

coming increasingly aware of the problematic real-world conse-quences of howSolidity interactswithdevelopment.121Developers,manyofwhomwereworkingforfree,122hadideologicalmotives:to

119. Reentrancyvulnerabilitiesareaclassofflawwhereafunctioncallsanotherfunctionthatisexternaltothegivenscript,andthatcalleeunexpectedlycallstheorig-inal functionbeforetheoriginal functionhasfinishedexecuting.SeeKnownAttacks,GITHUB, https://consensys.github.io/smart-contract-best-practices/known_attacks[https://perma.cc/FFR3-EWAU].Programminglanguageconsiderationsthatcontrib-utetothedifficultyofdevelopingsecureandcorrectSoliditycodeincludethepotentialfor“integeroverflow”(wherethesizeofnumbersexceedsthespaceavailabletostorethem),alackofsupportfordecimalnumbersandincompleteformalspecificationofthelanguage.Seethrowies11,WhatAretheMainSecurityProblemsAssociatedwithSo-lidityLanguage?,REDDIT(Jan.18,2018,5:44PM),https://www.reddit.com/r/ethdev/comments/7rdocn/what_are_the_main_security_problems_associated[https://perma.cc/V9R9-XZ5G]. 120. SeeYongheeShin,AndrewMeneely,LaurieWilliams&JasonA.Osborne,Eval-uatingComplexity,CodeChurn,andDeveloperActivityMetricsasIndicatorsofSoftwareVulnerabilities,37IEEETRANSACTIONSONSOFTWAREENG’G772,772(2010)(expoundingonthedifficultiesoffindingvulnerabilitiesincode). 121. SeeAmiangshuBosu,Anindya Iqbal,RifatShahriyar&ParthaChakraborty,UnderstandingtheMotivations,ChallengesandNeedsofBlockchainSoftwareDevelop-ers:ASurvey,24EMPIRICALSOFTWAREENG’G2636,2652(2019). 122. Id.at2644(indicatingthatdevelopersreportedtheywerenotdirectlycom-pensated).


“createadecentralizedcurrencythatcannotbemanipulatedbyacen-tralauthority.”123Thatis,“removingpowerfrombanksandgovern-ments.”124Theseweremotivated,committed,blockchainproponents.

Butthesurveyrespondentsnotedthattheabove-mentionedse-curity concerns and high stakesmade coding difficult. “Inmost ...[non-blockchain projects]when a bug appears, itwill be fixed andsoon forgotten. But in blockchain projects some bugs can be verycostlyandneverforgotten.”125Similarly,somecomplainedthaterro-neous ledgerentriesare“almost impossible” to fix.126Theseuniqueblockchain problems, when coupled with the decentralized VM onwhichsoftwareoperates,“makesitdifficulttobuildrobustsoftware.Unreliableconnections,unexpectedlatency,andmaliciousnodescre-ateahostileproductionenvironment.”127Therearealsofewproduc-tion-readytoolstoworkthrougherrorsinscripts,particularlya“reli-ableanduser-friendlydecompiler.”128

Insum:it’ssimplyimpossibletocreateperfectsoftwarethefirsttimethrough,andexistingtoolstopre-testscriptsbeforedeploymentareinadequateorextremelycostly.IrreduciblefeaturesofEthereum(andotherblockchainsdesignedusing the same logics)will rendertransactionalscriptsbuggy.Onerecentstudy,lookingonlyattheverysimpleecosystemofscriptsonEthereum,found100errorsper1000linesofcode.129Thiserrorratelikelywillincreaseasdeveloperspur-sueever-more-ambitiousEthereumprojects.Asbugsaccrueandcre-atereal-lifelosses,partieswillturntotribunalsandtothelawforre-course.Inthenextsection,weoffersomeconcreteexamplesofthisinsight.

123. Id.at2650. 124. Id. 125. Id.at2652. 126. Id. 127. Id.at2650. 128. Id.at2661. 129. SeePeterVessenes,EthereumContractsAreGoing toBeCandy forHackers,VESSENES(May18,2016),https://vessenes.com/Ethereum-contracts-are-going-to-be-candy-for-hackers[https://perma.cc/RWK5-METY](“MyreviewofEthereumSmartContracts...showsalikelyerrorrateofsomethinglike100per1000,maybehigher.”);seealso IvicaNikolić,AashishKolluri, IlyaSergey,PrateekSaxena&AquinasHobor,Finding the Greedy, Prodigal, and Suicidal Contracts at Scale (Mar. 14, 2018) (un-published manuscript), ARXIV: 1802.06038 (finding a near 3.5% vulnerability rateacrossananalysisofonemillionscripts);LudovicaMarchesi,MicheleMarchesi&Rob-ertoTonelli,ABCDE–AgileBlockChainDappEngineering(Dec.19,2019)(unpublishedmanuscript),ARXIV:1912.09074(“ThefeelingofmanysoftwareengineersaboutsuchhugeinterestinBlockchaintechnologiesisthatofunruledandhurriedsoftwarede-velopment....”).


II.TRANSACTIONALSCRIPTSINTHEREALWORLDNowthatwehaveinhandabetterunderstandingofwhatwriting

atransactionalscriptentails—andwhereerrormightcreepintothatprocess—let’sconsiderthreetypicalusecasesofscriptsinthecurrentblockchainecosystem.

A. TOKENSAbasicuseofatransactionalscriptistochangeablockchainrec-

ordtodebitacryptocurrencyfromasingleaddress’entryandcredittheentriesofotheraddresses.However,theflexibilityoftheEVMal-lows for more sophisticated types of trades, both of ether (theEthereum-definedbasecurrency)andscript-definedcryptoassets.130

ERC-20istheEthereumtechnicalstandardthatprovidesatem-plate for creating a fungible, tradeable asset, known as a token.131Suchtokensarethemostcommoncryptoasset.132Tokenbalancesarenotstoredbytheownerofthetoken.Instead,thetransactionalscriptthat created the asset updates an internal ledger of addresses andtheir corresponding tokenbalances.Belowweprovide someof thecodethatcreatessuchtokens.

130. SeeEthereumWhitepaper, ETHEREUM, https://ethereum.org/en/whitepaper[https://perma.cc/LV92-E3HC](lastupdatedJuly9,2020)(indicatingthatEthereumhas the functionality tonotonlyprocessdebit transactions,butalsomorecomplexsmart-contracttransactionsviascript). 131. Thestandardrequiresacompliantscripttoincludeamethodtodeterminethetotalnumberofsuchtokensincirculation,thenumberoftokensownedbyagivenaddress,andfunctionsthatfacilitatethetransferoftokens.SeeERC20,BITCOINWIKI(Oct.29,2018,7:46AM),https://en.bitcoinwiki.org/wiki/ERC20[https://perma.cc/4Z28-3NS4]. 132. SeeJakeFrankenfield,CryptoTokens,INVESTOPEDIA(June30,2020),https://www.investopedia.com/terms/c/crypto-token.asp[https://perma.cc/5PE9-7PZ7](describingthepopularityofcryptotokensasderivativesoftheoverarchingcrypto-currencyinfrastructure).


Inthefollowingscriptexcerptthevariablebalancesservesasthescript’s internal ledger of account balances. While any human canmanuallyinspecttheledger,anEthereumscriptcanonlyaccessthebalancesviathebalanceOf()functionwhichoutputsthebalanceforagivenaddress.This includes the token script itself,whichusesbal-anceOfwithinthetransferfunctiontocheckifthereissufficientbal-anceavailabletodebit,beforesubtractingthatamountfromonead-dressandcreditingtoanother.Thesetransferandbalancefunctionsaredepictedinthegraphicbelow.

Bylimitingdirectaccesstothebalances,thescriptfunctionslikeametaphoricalsealedvaultofanovelcommodity,withacorrespond-ingpublicledgerdeterminingownershipoverthecontentstodiffer-entparties.Thevaultallowsuserstoqueryandaltertheledgeronlybythemechanismscontrolledbyaseriesofbuttonsonthevault’sex-terior. The buttons correspond to the functions that a given scriptmakes available, and illustrate how evenwith a transparent vault,controloverandownershipof thecommodityultimately lies in themechanismunderlying the buttons. Likewise, exchanges of a tokencanonlybeeffectuatedthroughtheinterfaceprovidedbyitsparentscript.Intheaboveexample,thisiscapturedbythetransferfunction.

Whileasecondaryscriptmaylayeronsupplementarytermsofanexchange,theactualtransferofownershipismediatedthroughthescriptthatmaintainsthebalancesvariableforthatasset—nomattertherulesorritualsoneconstructsaroundtheoperationoftheafore-mentionedvault,theledgerremainsunderthesolecontrolofthebut-tonmechanisms.Anyflawinthemechanismisthereforepropagatedtoallusersoftheasset.

mapping(address => uint256) balances;

function balanceOf(address tokenOwner) public

view returns (uint) {

return balances[tokenOwner ];

}

function transfer(address receiver , uint

numTokens) public returns (bool) {

require(numTokens <= balances[msg.sender ]);

balances[msg.sender] =

balances[msg.sender ].sub(numTokens);

balances[receiver] =

balances[receiver ].add(numTokens);

return true;

}

This variable

matches addresses

to their balance

balanceOf() out-

puts the balance

mapped to an address

transfer() first checks

that the sender’s

balance is su�cient.

It then subtracts

tokens from the

sender’s balance and

subsequently credits

them to the receiver’s

Figure3:TokenScript


Considerwhatwouldhappenwerethecodertoforgetthecheckensuring that adequate fundswere available. For one, a user couldtransfermoretokensthanpresentintheirbalance,allowingthemtoaccruemoretokens,i.e.,cryptoassets,thantheywouldotherwisebeentitled.Additionally,anyotherscriptusingtheassetwouldalsobeaffectedasalltokentransfersaremediatedbythiscontractthatmain-tainsandcontrolsthebalancevariable.

Of course, tokens are not merely technological artifacts. Theytaketheirvaluefromsocialconsensus:theirholdersmustthinktheywilleventuallyprovidesomeutility(evenifmerelybeingtradingin-struments). 133 To obtain that consensus, tokens are typically de-scribedandmarketedwithnatural languagetext,writtenbypeoplewhomay,ormaynot,havecodedthetokens’scripts.Inpreviouswork,weexaminedtheERC-20tokenscreatedasapartofinitialcoinoffer-ingsin2017.134

Suchofferings, looselymodeledoninitialpublicofferings,typi-cally involve theexchangeofbitcoinoranother formor cryptocur-rencyforasetofrightsembodiedinatransactionalscript.135Forex-ample,anorganizationcalledKikraised$98Min2017byofferingforsale someof10 trillion “Kin” tokens ithadcreated.136According toKik’sWhitePaper,thirtypercentofthetotalsaleproceedswereear-marked for “startup resources, technology, and a covenant to inte-gratewiththeKincryptocurrencyandbrand.”137Kikcould,anddid,embedthesepromises ina transactionalscript.Wefoundthatonavarietyofmeasures,Kik’smarketingdocumentsandcodematchedex-actly.138

Tokens—whicharealreadyofsignificantpracticalimport—thus,poseatleasttwosortsofproblemsforjurists.First,whatifthecode

133. SeeHasu,UnpackingBitcoin’sSocialContract,MEDIUM(Dec.3,2018),https://medium.com/s/story/bitcoins-social-contract-1f8b05ee24a9[https://perma.cc/6WQG-J2K2](explainingtheimportofsocialcontracttheory,andthussocialconsen-sus,intheappraisalofthevalueofcryptocurrencies). 134. SeeCohneyetal.,supranote2,at619–25. 135. Id.at593–95. 136. KhariJohnson,KikRaises$98MillioninKinCryptocurrencyTokenSale,VEN-TUREBEAT(Sept.26,2017,8:07AM),https://venturebeat.com/2017/09/26/kik-raises-98-million-in-kin-cryptocurrency-token-sale[https://perma.cc/EYA9-TN27]. 137. Cohneyetal.,supranote2,at628. 138. Id.at673app.B.ThatisnottosayKikisintheclear.ItremainsenmeshedinafightwiththeSECaboutwhetheritstokensweresecurities.


itself is somehow flawed,meaning that their buyers receive some-thingdifferentthantheyexpected?Second,what if thecodefailstomatchthenaturallanguagepromisesthatpurporttodescribeit?139

B. EXCHANGESSometimeonNovember15,2018,someoneplacedabuy-offerfor

atokencalled“FreeCoin”ontheTokenStoredecentralizedcryptocur-rencyexchangeat ten times theprevailingmarketrate.140Thiscre-ated a substantial arbitrage opportunity for an enterprising traderwhosubsequentlypurchasedFreeCoinatthemarketrateandresolditattheinflatedrate,realizingaprofitof0.79ETHor$267USD,whilepayingacomplexityfeeof$5.00.141Wishingtoensurethattheentiresequence of trades was completed, the second trader batched thetransactionsusingascriptguaranteedtocompleteboththebuyandselltrades,orneither.142

Thisseriesofeventsisnormalondigitalmarketplacesthattradecryptocurrency.Suchmarketplacestodayareamajorsourceofliquid-ityforcryptoassets,andconsequentlythemostpracticallyimportantpublic face of the transactional script commercial ecosystem.143In-deed,theymaybetheonlyforawhereitisobviousthattransactionalscriptsarepragmaticallyimportantmechanismsofexchange.Crypto-currencyexchangestakemultipleapproachestocustody,settlement,andordermatching,whichwenowexplore.

Unlike the “Free Coin” trade, the majority of cryptocurrencytradescurrentlyoccuroncentralizedexchanges.144Userssendeitherfiatcurrencyorcryptocurrenciestoanaccountcontrolledbytheex-change,andinreturn,theexchangepromisesto(andnormallydoes)

139. See Complaint at 13, SEC v. REcoin Grp. Found., L.L.C., No. 17-CV-5725(E.D.N.Y.Sept.29,2017)(allegingsecuritiesliabilityduetoREcoin’swhitepapermak-ingrepresentationsaboutcharitablegivingforwhich“thereisnoprogramcode”). 140. Philip Daian, Steven Goldfeder, Tyler Kell, Yunqi Li, Xueyuan Zhao, IddoBentov,LorenzBreidenbach&AriJuels,FlashBoys2.0:Frontrunning,TransactionRe-ordering,andConsensusInstability inDecentralizedExchanges1,4(Apr.10,2019)(unpublishedmanuscript),ARXIV:1904.05234. 141. Thefeewas113,265gasatapriceof134Gwei,orabout$5.Id.at5. 142. Id. 143. SeegenerallyAndreaPinna,Simona Ibba,GavinaBaralla,RobertoToneli&MichelMarchesi,AMassiveAnalysisofEthereumSmartContractsEmpiricalStudyandCodeMetrics,7IEEEACCESS78,194,78,202–06(2019). 144. See Nathan Reiff, What Are Centralized Cryptocurrency Exchanges, IN-VESTOPEDIA (June 25, 2019), https://www.investopedia.com/tech/what-are-centralized-cryptocurrency-exchanges [https://perma.cc/7D56-QPX5] (“[Central-izedcryptocurrencyexchanges]arethemostcommonmeansthatinvestorsusetobuyandsellcryptocurrencyholdings.”).


promptlytransferanequivalentamountofarequestedasset.145Suchtrades almost always occur off-chain and are settled using the ex-change’s internal ledgers.146Exchanges do generally offer custodial“wallets”thatstorethekeystoauser’scryptoassetsforeasytrading.

Thesecentralizedexchangescould,butinmostcasesdonot,usetransactionalscripts.147Rather,theyactasmarketmakers,facilitatingtradesbetweentwopartiesforwhomitisthecustodian.Thereisthus,goodreasontoassumethattradesbetweensuchpartiesaregovernedbyordinarycontractslaw.

Thetrend,however,istowardsdecentralizedmodelsforcrypto-currency exchanges.148Collapses of centralized exchanges have leftuserswithoutaccesstobalancesstoredontheexchange.149Central-izedexchangeshavealsosufferedforlackofliquidityacrossrareras-settypes,asexchangescompetefororderflow.150Theseflaws,com-bined with the blockchain community’s ideological opposition tocentralization,providedfertilegroundforthedevelopmentofdecen-tralizedexchanges,151orDEXes.

TokenStore,aDEX,didnotautomaticallymatch trades in theirorderbook.Rather,sellersofassetswouldpostanorderandbuyerswoulddigitallysign their intent tomatch theorder, forwarding thetransactiontotheDEX’son-chaincontract,whichprovidedfora0.3%paymentallottedtoTokenStore.ThisisacommonsetupforDEXsys-temstoday.152Theserviceprovidedinthisinstancecanbeviewedas

145. Seeid.(explainingtheideaofcentralization). 146. Notethesearenotledgersintheblockchainchainbutmerelytheexchange’sowninternalrecordkeepingmechanisms. 147. Cf.id.(notingthatacrucialdifferencebetweencentralizedanddecentralizedexchangesistheuseofintermediariesandcustodians). 148. Whiletradesondecentralizedexchangesarestillofcomparativelylowvol-ume,thebulkofnewexchangesareadoptingdecentralizedmodels. 149. Mt.Gox,notableforits2014collapse,handledasmuchas70%ofallBitcointransactionspriortoitsdemise.SeeJoshConstine,ThePlottoReviveMt.GoxandRepayVictims’Bitcoin,TECHCRUNCH(Feb.6,2019,8:00PM),https://techcrunch.com/2019/02/06/the-plot-to-revive-mt-gox-and-repay-victims-bitcoin[https://perma.cc/79JU-49KX]. 150. SeeNathanSexer,StateofDecentralizedExchanges,2018,CONSENSYSMEDIA(Jan.31,2018),https://media.consensys.net/state-of-decentralized-exchanges-2018-276dad340c79[https://perma.cc/94KS-AJLT]. 151. Despitetheallure,theterm“decentralizedexchange”waslongsomewhatofamisnomer,asearliergenerationsstillreliedonasinglecontractformarketmakingandsettlement. 152. AnexplanationofsimilararchitecturesandthecoststheyimposeisprovidedbyIddoBentov,LorenzBreidenbach,PhilDaian,AriJuels,YunqiLi&XueyuanZhao,TheCostofDecentralizationin0xandEtherDelta,HACKING,DISTRIBUTED(Aug.13,2017,


twoseparablecomponents:153alistingserviceforopenorders,andaplatform to automatically consummate signed trades. Each compo-nentismediatedbyadifferentpieceofsoftware.Theorderbookismaintainedbyacentralizeddatabase,andinteractionwithitisbyawebsiteanditsaccompanyinginterfaces,bothcontrolledbyToken-Store.

Theconsummationcomponentismanagedbyaminimaltransac-tionalscript.Toperformatrade,usersfirstplacecryptoassetsinthecustodyofthetransactionalscriptusingadepositfunction.Atraderwishingtomatchanorderthenusesthewebinterfacetogenerateasignedtransactionandsubmitsittothetrade()functioninthetrans-actionalscript.Thescriptperformsanumberofcheckstoensurethatthetradeisvalidandthenupdatesthebalancesofbothusers.

Inthecaseofourpoortrader,oncethetradewasenteredintotheorderbook, anycounterparty could force itsexecution.TokenStoreappearstolackeitherawhitepaperoranysubstantiveformalizationinnaturallanguageoftheirsystemarchitecture.Itswebsitecontainsno link to a terms and conditions, and even their medium blog issparelypopulatedwithonlyeightposts,withfullyhalfbeingmerelylaunchannouncements.

ThenaturallanguagecontentsurroundingTokenStoreislimitedtoahandfuloftweets,blogposts,commitmessages,andcodecom-ments,whichyieldonlymodestinsightintothepurportedoffering.Amediumpostentitled“Advantagesoftoken.storeETH—Summarized”toutsthesecurityoftheplatformclaiming“token.storedoesn’tholdany of your funds; the trader deposits his funds into a smart con-tract....Thismakes theexperiencesafeandsecureby itsveryna-ture”anddirectsuserstoalinkto“checkthecode.”154OnTwitter,theprojectbraggedthat“[f]undsat[http://]token.storeETHandEOSare

1:45PM),http://hackingdistributed.com/2017/08/13/cost-of-decent[https://perma.cc/U79S-XE86]. 153. ThisseparationisjustifiedbynotingthataDEXcouldbuildaplatformcom-patiblewitharival’ssignedtransactions,usingitsowncontracttoconsummatetrades.TokenStore itself appears to have added support for transactions originating from“0x,” anotherpopularDEX.TokenDev,Tokenstore/Contract,GITHUB(July24,2018),https://github.com/tokenstore/contract/pull/11[https://perma.cc/34HB-8YW6](announcinganexpansionallowinguserstotake0xorders). 154. HarryBirch,AdvantagesofToken.StoreETH—Summarized,MEDIUM(Aug.27,2018),https://medium.com/token-store/advantages-of-the-token-store-summarized-9164c4bab41[https://perma.cc/KF8F-HX8H].


held insmartcontracts:onlyuserswhohold theprivatekey to thewalletwhichdepositedthemcanwithdrawthem.”155

Ofdirectrelevancetotradingerror,thecodecontrollingtradeex-ecutionisprecededbythefollowingcodecomment:

Note:Ordercreationhappensoff-chainbuttheordersaresignedbycreators,//wevalidatethecontentsandthecreatoraddressinthelogicbelow.156ThenotionthatTokenStore“validates”thecontentsofanorder

priortofulfillmentleavesopenthequestionofwhatvalidationanon-code-readinguseroughttoexpect.WereturntotheseissuesinSec-tionIII.

C. ORACLESIntheirdefaultsetting,transactionalscriptsareunabletointer-

actwitheventsoccurringordataoutsideoftheblockchain.Consideratransactionalscriptthatpaysashippersolongasthetemperaturewithintheshippingcontainerstaysbelowacertainthreshold.Whilethe logic is simple (if the temperatureneverwentaboveX,pay thecontractprice),thequandaryforthecoderishowtoensurethatthetransactionalscriptknowswhatthetemperatureinsidethecontaineris.Thisproblemissolvedusingan“oracle,”acomputerizedagentthatperiodicallysubmitstheneededexternaldatatotheblockchaintobeusedwithincontracts.157

155. token.store(@TokenDotStore),TWITTER(June22,2019,11:32AM),https://twitter.com/TokenDotStore/status/1142470315777363968[https://perma.cc/TY3W-G64V]. Of note, the script is upgradable via an opt-in process,meaning thatwhileTokenStorecurrentlyhasnowaytoaccessuserassets,afutureversionofthecontractcertainlycould.ThoughTokenStorehasdelistedanumberoftokensfromitsorder book and user interface, individuals who have delisted tokens stored in thetransactionalscriptcanstillaccessthembymanuallysubmittingawithdrawtransac-tion to the blockchain.See token.store (@TokenDotStore), TWITTER (Nov. 15, 2018,11:46AM),https://twitter.com/TokenDotStore/status/1063126115290615808[https://perma.cc/E4VK-DK4T]. 156. BlockExplorer forEthereumMainnet,ANYBLOCKANALYTICS,https://explorer.anyblock.tools/ethereum/ethereum/mainnet/address/0xE17dBB844Ba602E189889D941D1297184ce63664 [https://perma.cc/QB8N-QDJN] (last modified July 6,2020). 157. Incorporatingexternaldatadirectlyontothechainunderminestheconsensusmechanism,asitleavesnoprincipledwayfornetworkparticipantswithoutdirectac-cesstotheexternaldatatovalidateitscorrectness.SeeAlexanderEgberts,TheOracleProblem:AnAnalysisofHowBlockchainOraclesUnderminetheAdvantagesofDecen-tralizedLedgerSystems5(Dec.12,2017)(M.A.thesis,EBSUniversityofBusinessandLaw),https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3382343[https://perma.cc/JW5E-UHJP].


Anoraclenormallyconsistsoftwoparts:ascriptandawaytopopulatethescript’sdatastore.158ThefigurebelowexcerptsfromtheoracleforacurrencyexchangecalledSynthetix,showingaportionofthe function that incorporates updates to currency exchange ratesontothescript’sstorage.

158. Oraclescanexistinsoftwareorhardware,withthelatterpurportedlyofferingsome security guarantees stemming from the increased difficulty of compromisinghardware.

function internalUpdateRates(bytes4 []

currencyKeys , uint[] newRates , uint

timeSent) internal returns(bool) {

require(currencyKeys.length ==

newRates.length , "Currency key array

length must match rates array length.");

require(timeSent < (now +

ORACLE_FUTURE_LIMIT), "Time is too far

into the future");

// Loop through each key and perform update.

for (uint i = 0; i < currencyKeys.length;

i++) {

// Should not set any rate to zero ever ,

as no asset will ever be

// truely worthless and still valid. In

this scenario , we should

// delete the rate and remove it from

the system.

require(newRates[i] != 0, "Zero is not a

valid rate , please call delegateRate

instead.");

require(currencyKeys[i] != "sUSD", "Rate

of sUSD cannot be updated , it’s

always UNIT.");

// We should only update the rate if

it’s at least the same age as the

last rate we’ve got.

if (timeSent <

lastRateUpdateTimes[currencyKeys[i]])

{

continue;

}

newRates[i] =

rateOrInverted(currencyKeys[i],

newRates[i]);

// Ok , go ahead with the update.

rates[currencyKeys[i]] = newRates[i];

lastRateUpdateTimes[currencyKeys[i]] =

timeSent;

}

emit RatesUpdated(currencyKeys , newRates);

// Now update our XDR rate.

updateXDRRate(timeSent);

return true;

}

The function takesas input a set of

exchange rates andcurrency pairs, alongwith the current time

The function performsthe following processfor each currency pair:

1. Check if the last update wasfar enough in the past torequire a new update

2. Invert the rate if required

3. Update the script with thenew rate and reset the up-date timer

Figure4:OracleScriptfromSynthetix


As shown above, to execute the update function, the programmustprovideasinputthedataitwishestoincorporate.Notably,witheachupdateagasfeemustbepaidtostorethenewdata.Oraclesarethusnotimmunefromthechallengesassociatedwiththecomplexitytax.

Thedatafromoraclesistypicallyprovidedbyathird-party.Thishighlights a significant trade-off: oracles require trust in the datasource(andfurtherinthesoundnessoftheoraclescript).159Forsome,the intermediationand trust reintroducedbyoracleshighlights the“oracle paradox”: the more relevant the oracle data, the less oneshouldbewillingtotrusttheprovider.160Thereareanumberofin-geniousprotocoldesignsthatachievetotweakthesetrade-offs.161

Butoraclesbreakdowndespitethebestintentionsofallinvolved.Forexample,onJune25,2019,oneofthecommercialdatafeedsfromwhichSythnetixreceivesitsUSD/KRW(KoreanWon)exchangerate“begantointermittentlyreportaprice1000xhigherthanthecurrentrate.”162Anearlieroutagehadtakenoneoftheothertwodatasourcesoffline, and the code to disregard outliers averaged the remainingfeedswasalsobuggy.Fora scriptoperatingamarket for syntheticcryptoassets,tiedtorealworldassets,amismatchbetweenthesyn-theticassetandtheunderlyingassetwastheworst-casescenario.

159. Federatedoraclesattempttotacklethistrustproblembydistributingit:theyrequirethatasmallnumberofpartiesindependentlyprovidethesameinformation.Thetransactionalscriptvalidatesthattheinformationitreceivedisconsistentacrosseachparties’submissionbeforeitpermitsthedatatobeused.Suchanapproachisnoguaranteethataseriesofbugswon’tcausetheoverallfailureofthesystem. 160. SeeJesusRodriguez,TheMiddlemanofTrust:TheOracleParadoxandFivePro-tocolsthatCanBringExternalDataintothe...,HACKERNOON(July31,2018),https://hackernoon.com/the-middleman-of-trust-the-oracle-paradox-and-five-protocols-that-can-bring-external-data-into-the-df39b63e92ae[https://perma.cc/N3SJ-FFJG]. 161. Decentralizedoracleprotocols(suchasChainlink)providenetworksofindi-vidualoraclesalongwithincentivestructuresthatpromotetrustinthenetwork.See,e.g.,WelcometoChainlink,CHAINLINKDEVS.,https://web.archive.org/web/20191228052855/https://docs.chain.link/docs/welcome-to-chainlink[https://perma.cc/6XZB-VB8S]. An alternative solution operated by Augur maintains a prediction marketwhichsyncstooff-chaineventsbymaintainingafeepoolpaidouttoparticipantsthatreportonthestateoftheoff-chainworld.SeeJackPeterson,JosephKrug,MicahZoltu,AustinWilliams&StephanieAlexander,Augur:ADecentralizedOracleandPredictionMarketPlatform(Feb.3,2018)(unpublishedmanuscript),ARXIV:1501.01042.Amus-ingly,aparticipantcandisruptthemarketbyplacingaself-referentialbetonAuguritself. 162. Synthetix Response to Oracle Incident, SYNTHETIX (June 25, 2019), https://blog.synthetix.io/response-to-oracle-incident[https://perma.cc/KEQ9-CKTP].


Abotwasabletodetectthemismatchedexchangerateandtookadvantageofthearbitrageopportunity,acquiringtokenswithamar-ket value of $1bwith amere $1000 investment.163Fortunately forSynthetix, the bot owner reversed the trades in return for a bugbountypayout.ThechainindicatesthereversalwasachievedthroughasubsequenttradeatanexchangeratebetweenansETH(tokenizedETH)andsKRW(tokenizedKRW)manyordersofmagnitudebelowthe actual rate. 164 This suggests cooperation between Synthetix(whichwouldhavebeenabletomanuallyadjusttheexchangerate)andthebotownerwhowillinglyconvertedtheirsETHbelowmarketrate.Whiletheon-chaintransactionssuggestthatthebotownerlosttheirinvestment(alongwiththeirprofits)inthereversetransaction,thiswaslikelyremediatedthroughasidepayout.

WepreviouslyshowedascriptbywhichSynthetixincorporatedvarious exchange rates. Aswith our previous examples, that scriptwasaccompaniedbynaturallanguagetext,whichprovidedtheoppor-tunityforgapsbetweenintentionandoutcome.Thetopofthefilein-cludedthefollowingdescriptionofitsfunction:

[Thisisa]contractthatanyothercontractintheSynthetixsystemcanqueryforthecurrentmarketvalueofvariousassets,includingcryptoassetsaswellasvariousfiatassets.Thiscontractassumesthatrateupdateswillcompletelyupdateallratestotheircurrentvalues.Ifarateshockhappensonasingleasset,theoraclewillstillpushupdatedratesforallotherassets.165Alongside extensive code commentary, Synthetixmakes repre-

sentationsastothe functionalityof itsplatformintheREADMEac-companying the code, in thehelp sectionof itswebpage, and in itsmarketingmaterials.166Noneofthosecommentarydocumentsrefer-encesthepossibilityofanerroratthedatasource.TheREADMEfile,

163. ForinformationontheexchangeofETHusedtotakeadvantageofthearbi-trage opportunity, see Transaction Details, ETHERSCAN (June 17, 2019, 9:04 AM),https://etherscan.io/tx/0x6f6ee43ee07013503df786532493a3c405465f91e3ce8bb4ba8717a715db1caa[https://perma.cc/3B39-V7X3]. 164. Thiswasdeducedbyfollowingthechainoftransactionswithanexchangeof37msETHfor362sKRW.TransactionDetails,ETHERSCAN (June25,2019,2:54AM),https://etherscan.io/tx/0xc3fc19c63e1090eb624212bad71a27cd3dc7afcd0cf9063d24bfc47b5d036ae2[https://perma.cc/R52W-HKZF]. 165. Contract,ETHERSCAN,https://etherscan.io/address/0x70c629875dadbe702489a5e1e3baae60e38924fa#code[https://perma.cc/VX3Y-56FR]. 166. Thewebpagedoesincludealinktotermsandconditions,buttheygovernuseofthewebsiteratherthantheblockchainplatform.TermsofUse,SYNTHETIX,https://www.synthetix.io/terms-of-use [https://perma.cc/8GCH-9BAK] (“By accessing thewebsiteathttp://synthetix.io,youareagreeingtobeboundbytheseterms....InnoeventshallSynthetix...beliableforanydamages...arisingoutoftheuseorinabilitytousethematerialsonSynthetix’swebsite....”).


however,notesthatthefeesaregovernedbyanexchangeratethatis“derivedbylookingatabasketaggregateofcurrencies,”thattherateswillbenotbe“stale”andthattheoraclewillbe“trusted.”167AndtheMITLicensefortheSynthetixsoftware,whichisprovidedasafileonitsGithubpage,statesthatthesoftwareisprovided“ASIS.”168HowtocompilethesevariousstatementsisthesubjectofournextSection.

III.SCRIPTSANDSTACKSAsweexploredabove,itsimplyisnotpracticaltocreatescripts

thatperfectlyembodytheircoders’intent.Thepointisgenerallytrueforallcodedexchange.A2019decisionissuedbytheSingaporeInter-nationalCommercialCourt, applying the common lawof Singapore(itself derived fromEnglish common law), offers a uniquewindowintohowjuristsmightresolvethecontractualconsequencesofcodegoneawry.169

Thecaseinvolvedalopsidedtradeofcryptocurrency.Quoineop-eratedacentralizedcurrencyexchangeplatformthatprimarilyena-bledtradingofcryptocurrencies.170B2C2wasan“electronicmarketmarker,”whichhaddevelopedatradingalgorithmwrittenbyitspres-ident several years before the events of the case.171In April 2017,Quoine,asitalwaysdid,hadaprograminplacetomonitoruserswhohadborrowedcollateralwithwhichtotrade.172WhenQuoine’spro-gramidentifiedanimbalanceinthereserves,itforcedthesaleofcol-lateralizedassetsatthebestavailableprice.173

Unfortunately,theprogramthatQuoinehadwrittentoensurealiquidmarkettemporarilyfailed.174Theresultwasitspriceswereoutofsyncwiththeglobalmarket.175 B2C2,whosegoalwastocapturere-turnsfromthebid-askspread,176offeredtofillsevenparticularorders

167. Oikos Contracts, GITHUB, https://github.com/oikos-cash/oikos#oikos-tron-contracts[https://perma.cc/9CME-PC2E](lastmodifiedAug.11,2020). 168. MIT License, GITHUB (Nov. 29, 2018), https://github.com/Synthetixio/synthetix/blob/8f3b95d1205f2b4d6b62124bd07f593773800743/LICENSE[https://perma.cc/Q2PX-46T7]. 169. B2C2Ltd.v.QuoinePte.Ltd.[2019]SGHC(I)03. 170. Id.at1. 171. Id. 172. Id.at12. 173. Id. 174. Id. 175. Id. 176. Id.at5.


atapricearound250timesthatavailableonthebroadermarket,mak-ingitaquickprofitofseveralmilliondollars.177

Thenext day,Quoine reversed the trades in its order book.178B2C2sued,arguingthatthereversalviolatedQuoine’stermsandcon-ditions,whichprovidedthat“onceanorderisfilled,youarenotifiedviathePlatformandsuchanactionisirreversible.”179

QuoineofferedtwoprincipaldefensestoitssupposedobligationtocompletethetradeswithB2C2.180

First, itpointedoutthatitsriskdisclosurestatement,uploadedpriortothetradebutnotexpresslyincorporatedintothetermsandconditions, permitted a reversal of trades if “market circumstancesshiftdramaticallyorsomethingelsehappens.”181Thecourtheldthatbecausethestatementwasnotexpresslyincorporatedintothecon-tract(that is, intothetermsandconditions), itdidnotoverridetheexpress language of the contract itself.182This decision seems per-fectlysensibleonitsface—anapplicationoftheusualideathatanin-tegrated agreement ought not be contradicted by extrinsic state-ments.183

Second,andmoreinterestingly,thecourtconsideredwhetherthefactsestablishedamistake,allegedlybecause thepartieswouldnotthemselves have executed the trade in a hypotheticalworldwherethey talked about it in person in real time.184 That is, the parties’agents—theprograms—hadexecutedadealwhich,thoughanaccu-rateexpressionofthecode’sinstructions,somehowfailedtocapturetheir “real intent.”185As Quoine argued, the platformswere “reallycomplexplatforms,”inwhich“alotofthings[could]gowrong.”186Themistakeinquestionwasnotatypographicalerrorinthecode,butra-theran“oversight in thedesignof thesystem.”187Quoineaskedthe

177. Id.at12. 178. Id. 179. Id.at55. 180. Id.at58. 181. Id.at64. 182. Id.at73. 183. Forthispoint,thetribunalcitedaBritishtreatiseandsupportingSingaporeanauthorities,buttheresultwouldbenodifferentinmostU.S.jurisdictions.Seeid.at69;infratextaccompanyingnotes271–72. 184. B2C2Ltd.[2019]SGHC(I)03,at75. 185. See generally 1 TIMOTHYMURRAY,CORBIN ONCONTRACTS:FORMATION OFCON-TRACTS§4.11(rev.ed.2020)(describingoldcasesontelegraphsandmistakesintrans-missionofmessages). 186. B2C2Ltd.[2019]SGHC(I)03,at30. 187. Id.


courttoapplya“pragmaticandjudiciousstance”andvoida“clearlyerroneoustrade.”188

Thetribunal,adoptinganarrowerreadingofunilateralmistakederivedfromBritishcommonlaw,heldthattoavoidliability,theper-sonwhowasnotmistakenmusthaveactuallyknownofhercounter-party’serrorand“wasshuttinghermindtotheobvious.”189Indecid-ingwhetherB2C2had that requisite stateofmind, thecourtnotedconceptualdifficulties:

[A]pplyingthelawto...algorithmictrading...raise[s]newquestions.Whatmistakeshavebeenmadeandtowhatextentaretheyfundamental?Howdoesoneassessknowledgeor intentionwhenthewholeoperationiscarriedoutbycomputersactingasprogrammed?Whoseknowledgeisrele-vant?Atwhatdateisthisknowledgetobeassessed?190Giventhattheprogramexecutedafixedtrade—i.e.,thedesignof

thecodebespoketheprogrammer’sintentiontostripitofanydiscre-tion—thecourtanalogizedtheprogramtoa“meremachinecarryingoutactionswhich inanotheragewouldhavebeencarriedoutbyasuitablytrainedhuman.[Itis]nodifferent[from]...akitchenblenderrelievingacookofthemanualactofmixingingredients.”191

Thecourtthusheldthatforthepurposesofascertainingmistake,itwouldfocusontheintentof“thepersononwhosebehalfthecom-puter placed the order in question [B2C2].” 192 This, the court ex-plained,requiredexaminingthe“stateofmindoftheprogrammerofthesoftwareofthatprogramatthetimetherelevantpartofthepro-gramwaswritten.”193Assessingtherelevantevidence,thecourtde-cidedthattheprogrammerhadnotinsertedcodeintendingtotradeatlopsidedratesorknowingthatdoingsocouldonlyresultfromthecounterparties’error.194Thus,itrejectedtheclaimofmistake.195

Quoineisnotacaseaboutatransactionalscriptgonewrong.Butitdoesofferafewglimpsesintothefutureofhowscriptedexchangeswillberesolved,oratleastonepossibleapproachtosuchproblems.

188. Id.at79. 189. Id.at80;cf.RESTATEMENT(SECOND)OFCONTS.§153(AM.L.INST.1981)(requir-ingthenon-mistakenpartytohave“hadreasontoknowofthemistake”). 190. B2C2Ltd.[2019]SGHC(I)03,at86. 191. Id.at89. 192. Id.at87–88. 193. Id.at89–90. 194. Id.at99. 195. Id.In2020,theSingaporeSupremeCourtaffirmedthejudgmentinanopinionthatwasequallylengthybutbrokenonewconceptualground.QuoinePte.Ltd.v.B2C2Ltd. [2020] SGCA (I) 02, https://www.supremecourt.gov.sg/docs/default-source/module-document/judgement/-2020-sgca(i)-02-(v-4)-pdf[https://perma.cc/7LF2-HY2V].


Thefirstistheimportanceoftherolethatold-fashionedcontractlaw—andold-fashionedcontracts—willplayinthedispositionoftheparties’ legal rights.TheQuoine tribunalprivileged thenatural lan-guagecontractembodiedinthetermsandconditionsoverthecode.Though it ultimately declared that the risk disclosures outside thetermsandconditionswerenotbinding,itapparentlywouldhaveen-forcedthosedisclosures,hadtheybeenincorporated,oversoftwarecode that enabled the trade. Itwas only in the absence of contracttermsgoverningthedealthatthecourtturnedtowhatthecodeper-mitted,andwhy.Thus,thecodedrulesofexchangewere,inthecourt’sview,largelyirrelevant.

Secondandrelatedly,theQuoinecourt’sfocusontheintentoftheprogrammerisanaturaloutgrowthofcontractcaselaw.Interestingly,Quoine focused on intent at the time of the original programming.KnowingwhatB2C2intendedrequiredthecourtonlytotakethetes-timonyofonecoder,andtoapplythenormaljudicialtools(assessingdemeanor, consistencywithprior statements and thedocumentaryrecord)todeterminethe“truth”ofthecoder’sintent.196Suchasimplestoryisunlikelytoreplicatewhenweinterrogatemorecomplexcod-ingproblems.

WethinktheQuoinedecisionoffersaroughguidetothesortsofproblemsthattransactionalscriptswillraise,andasenseofhowcom-monlawcourtswillbemotivatedtoresolvethem.Indeed,wethinkthetribunalgotitmostlyrightincontext,butthatitsreasonswon’tscale.Givenwhatwe’velearnedaboutthetechnologicalenvironmentgeneratingscripts,wemaketwobasicargumentsabouthowthelawoughttoconsiderproblemsrelatedtoscripting.

First, judgesshouldnotprivilege“contract”over“code”butra-ther ought to ascertain and harmonize meaning across a contractstack.Code—whenreadwithitsnaturallanguagecommentsandcom-mitlogs—hascommunicativemeaningthatcourtsshouldseektoas-certainandenforce.Second,conditionalonintegratingthestack,thesearchformeaningshouldfocusonexpressionsthatbestreflectthebestpublic-facingaccountoftheparties’sharedintentatthetimethattheycommittedtothedeal.Weworkthroughtheseprinciplesbysug-gestingalistofcanonsofscriptedlaw.

196. B2C2Ltd.[2019]SGHC(I)03,at89–90.


A. THECANONICALSTACKAsJasonAllenhasrecentlyargued,transactionalscriptsarethe

latest in a series of “‘contractware’, i.e., technological artefacts de-signedtoembodyandperformcontracts.”197Achip inacreditcardembodiestheconceptwell.Thereisanaturallanguagecreditagree-mentbetweenyouandyourcardcompany,updatedandmodifiedattheissuers’willagainstthebackgroundofregulation,whichdefinethecircumstancesunderwhichcreditmaybeextended.Thosetermspar-allelonesagreedtobetweentheissuer(oritsagents)andmerchants,whichenableyourcard(theartifactresultingfromyournaturallan-guageagreements)toeffectuateapendingsalebyinsertionintothemerchant’sreader.That is, thecard/readerperformscontractsthathoverintheairaroundthem.

Allcontractwarehasthisproperty:itiswrappedwithinanordi-nary,legalcontract.Absentalegitimateconnectiontothosecontracts,useofacredit cardcanstillaffect theworld—youraccountwillbedebited,themerchant’scredited—butsuchchangescanbequicklyre-versed.Ofcourse,notallcontractwarerequiresphysicalmanifesta-tions.Allenarguesthattransactionalscriptsareanexampleofcon-tractwareinwhich“thesubjectmatterofthecontractisanimmaterialobjectwhichcanbemanipulateddirectlybythe[code].”198

Allenconcludesthattransactionalscriptsarelayersinthe“con-tractstack.”199Thestackisausefulmetaphortodescribethevariouselementsof“contractasacomplexentity.”200Astackmightinclude,perhaps,anoralcontract(orotherindiciaofsocialagreement),awrit-tentext,andthelegalrules,whichgiveeffecttotherelationshipbe-tweenthetwo.Inatransactionalscript,the“writtentext,”i.e.naturallanguagetermslikethestatementoftermsandconditionsinQuoine,is“complemented(orsupplanted)bycodewhichisalso,incidentally,wholly or partially executable by a machine.” 201 Each additionalstep—thecompilingofmachine-readablecodefromhumanreadablecode—addsanotherlayerofcomplexitytothestack,butthestackisintendedtooperate,andthereforeoughttoberead,asawhole.202

Manyworkinginthisspaceacknowledgethatcontractstackswillbe themechanism throughwhich commercial projects will deliver

197. Allen,supranote33,at313. 198. Id.at318. 199. Id.at330. 200. Id. 201. Id. 202. Id.at331.


scriptedperformance.203This is theapparent impetus, forexample,for the InternationalSwapsandDerivativeAssociation’sattempt toinsertexplicitreferencestoscripts,whichoperationalizeinterestpay-mentsintotheISDAmastercontract.204Butothersophisticatedpro-jects,liketheOpenLawcooperative,areexplicitlydevelopingstackeddeals.205

But we’d go further. All litigated scripts will exist in contractstacks.That’snottosaythattherewillalwaysbea100-pagemasteragreement,orevenclicked-throughtermsandconditionsofsale.Ra-ther, our claim is that there will always be some non-code state-ments—rangingfromthehighlyformalizedtermsandconditions,tolessformalizedwhitepapersandcodecommentary,toquiteinformalpromises(Twitter)—whichwill informtribunals’understandingsofwhatthepartiesintendedtoexchange.

This is truebothasamatterofpractice, andamatterof logic.Codeisnotself-descriptive.Anyscriptsthathavepracticalrelevancewillhavesomenon-codelanguagesurroundingthem.Anysetofcom-municationsrelevanttotheexchangethatarevisibletothepartiesareat least presumptively a part of the stack. (Whether they all countequallyisaharderquestion.)

Thus,althoughsomeintheliteraturehaveaskedifa“smartcon-tract”isreallyacontract,standingalone,wedoubtthepracticalrele-vanceofthatquestion.Thecodestandingalonemaynotfullyspecifyanexecutorycontract,unilateralorotherwise,becauseitsimplyac-complishesperformance.But,unlike the cheese, at least at themo-ment, thecodeneverstandsalone.Asourexamples inPart II illus-trate,itistypicallydeployedinasocialcontext.

Thoughthestackisarelativelyrecentterm,theideathattrans-actionsareaccompaniedbymanysortsofpotentiallylegally-opera-tivepromisesisnot.Youbuyacar,ledtothedealershipbyacommer-cial, and see a price at the entrance to the lot. The dealer makesrepresentationstoyou.Youreplywithyourownadmissions.Finally,yousignawrittenagreement,whichoftenseekstoexcludetheprior

203. See,e.g.,DEFILIPPI&WRIGHT,supranote33,at77(arguingthat“hybrid”con-tracts will be useful especially when particular components cannot be reduced tocode). 204. INT’LSWAPS&DERIVATIVESASS’N,LEGALGUIDELINESFORSMARTDERIVATIVESCON-TRACTS:THEISDAMASTERAGREEMEENT7(2019),https://www.isda.org/2019/02/19/legal-guidelines-for-smart-derivatives-contracts-the-isda-master-agreement[https://perma.cc/HSN4-2A54]. 205. SeeGeneralQuestions,OPENLAW,https://app.openlaw.io/faq#first_draft_au-tomate [https://perma.cc/KZ43-6LMC] (“OnOpenLaw, you can execute smart con-tractcodebyembeddingasmartcontractcallinanytemplate.”).


representationsasoutsideoftheoperativedeal.Thewholeexchangeis a contract stack. Someof it is legally operative, and some isnot.Whenyoubuyacupofcoffeeat thestoreafterseeingasignat thedoor,theprocessisthesame—thoughifyouuseanapptofulfillthepurchase,someofthecodethataccomplishespaymentisobscuretoyouandis,perhaps,notpartofthecontract.Thepoint isthatwhatcounts as the “contract” results from themultifarious set of policychoices thatwecall contractdoctrine. Sometimes that constructionmapsontoasingle,written,document,butoftendoesnot.

Wethussuggestourfirstcanon—amaxim—tohelpcourtsmakesenseoftheadjudicationofdisputesarisingfromscriptedexchange.Likealloftherulesthatwesuggest,itbuildsonexistingcaselaw.Itisalsoadefault:thepartiescan(andasweexplorebelow)havechangeditbycontract.

Inworkingthroughthiscanon,anexamplemayhelp.Considera

tokenwhitepapermakesapromiseaboutgovernancerights,butthescriptcontainsnoreferencetothatpromise.206Thatwasthenorminthe2017ICOcraze.207Inpreviouswork,weconductedanexhaustiveauditofthematchbetweensemanticdisclosures(includingthoseinWhitePapers,Twitter,Instagram,Reddit,andMedium)andscriptedcodeintokens.Wefoundthatmostprogramshadnot,infact,createdcode thatconformedto theirpromises.208“Forover20%of ICOs inour sample where promoters promised cryptoasset supply re-strictions,and35%ofpromisedtokenburning,wecouldnotobservecorresponding restrictions [written into transactional scripts].” 209Worse,wedidnotfindcode-basedvestingrestrictionsintwenty-fiveofthethirty-sixICOswherepromoterspromisedtoadheretosuchre-strictions.210Finally,oftwelveICOsforwhichourauditrevealedthata central party could modify the functionality of the cryptoasset’scode,onlyfourdisclosedthatabilityintheirpromotionalmaterials.211

206. Cf.Cohneyetal.,supranote2,at640–44(discussingmarketsolutionstomiss-ingdisclosures). 207. Id.at640. 208. Id.at639. 209. Id.at640. 210. Id. 211. Id.at639–40.

Canon1:Allsharedcommunicationsofintent,includingthecode,comprisethelegally-operativestack.


Totheextentthatanactionforalegalbreachofsuchacontractstackisbrought,howdoweknowwhatwaspromised?Somemightarguethattheonlylegallyoperativepromisesarethosemadeinnat-ural languagedocumentsoutsideof the code; others, that the codeprovidestheonlyrelevantsetofrules.212Inaway,thisisquitesimilartothestartofaconventionalparolevidenceproblemwheremultipledocumentsarecandidatesforinclusionasthelitigated“contract.”213Whentheboundsofcontractarefuzzy—thatis,intheabsenceofin-tegration—thestackofcontractwareiscapaciouslyconstructed.Thisproblemiswellillustratedbytheconventional2-207problem,wherethepartieshaveexchangednon-matchingformsandthecourtmustcompilea“contract”expost.214

Courts appropriately compile into the stack those promissorystatements,whichseemtoindicatetransactionalintent.Thus,termsandconditions,becausetheyclearlyindicatetheparties’intenttocon-tract,arealmostcertainlypartofthestack.Sotooaremostpublishedwhitepapers,whichmakenumerouspromisesaboutwhat’stobede-livered, even though in some ways they are offers directed to theworld.Thereasonisobvious:whitepapersarethebestevidenceofwhatthecodesupplierintendstocreate,andthewaythatcounter-

212. Somehavearguedthattheparolevidencerulewouldmakeitdifficult“forthepartiestoprovetheir intenttocontractbypointingtoothercircumstances,suchasprior dealings or negotiations.” AnnaDuke,WhatDoes the CISGHave to Say AboutSmartContracts:ALegalAnalysis,20CHI.J.INT’LL.141,159(2019).Thisisextremelypuzzling,astheruleitselfonlyappliestofullyintegratedagreements.Otherssuggestthatwhenthepartieshave“signedandverifiedthatthecontracthadbeenaccuratelytranslatedintocomputercode,” itwillbedifficult forthemto laterarguethattherewereadditionalterms.AlanCohn,TravisWest&ChelseaParker,SmartAfterAll:Block-chain,SmartContracts,ParametricInsurance,andSmartEnergyGrids,1GEO.L.TECH.REV.273,281(2017).Thistooisconfusing,sincethetypicalwaythatpartieswouldverifythatthecontractiscorrectwouldbetoagreetothatstipulationinanaturallan-guageagreement. 213. SeeGregoryKlass,ParolEvidenceRulesandtheMechanicsofChoice,20THEO-RETICALINQUIRIESL.457,464(2019)(“[A]writingisintegratedifandonlyifthepartiestogetherintendedthatitwouldserveasafinalstatementofsomeoralltermsoftheiragreement.”). 214. SeeJohnD.Wladis,TheContractFormationSectionsoftheProposedRevisionstoU.C.C.Article2,54SMUL.REV.997,1011(2001)(“[T]heexchangeofnon-matchingrecordsrarelyinvolvesparolevidenceissuesbecausethereisusuallynoonerecordthatisafinalexpressionoftheparties’agreement.”).


parties are enticed to invest, contribute funds, or otherwise trans-act.215Itmightbe(aswewillexplore)thattermsandconditionspro-videbetterevidenceof intent thandowhitepapers,whenbotharepresent,butasastartingpoint,thewhitepaperoughttobeconsid-eredaspartoftheset.

Moretransientpromises,likethosemadeonsocialmediaposts,onReddit,orviavideo,arealsoplausiblecandidatesforthestack.Ju-ristswillaskiftheymakepromisessufficientlydefiniteandcertaintoenable a fact finder to generate thegrist forobligation.216Thiswillturnonthenatureofthepromisesmade.217DoesapostonRedditstat-ingthepreciseamountofacappedsupplycount?218Wethinkso.Butonethatstatesthat“peoplewillhaveanextendedperiodduringwhichtheycanburn”withoutmoredetailseemstobetoovaguetogenerateobligation.219

Thehardestproblem is the contractual statusof the script, in-cludingitscommentary.It’shornbooklawthatthepartiescanuseci-phers toexpress themselves,and thatcourtsought toenforcesuchcodedmeanings“howeverwemaymarvelatthecaprice.”220Indecid-ingwhethertogiveeffecttoprivatemeanings,courtstraditionallyen-gageinahypotheticalinquiry:ifthepartieshadbeenqueriedatthemomentofcontractingaboutthemeaningofaparticularterm,whatwouldtheyhavejointlysaid?Courtswillthusself-consciouslyadopt

215. SeeMURRAY,supranote185,§2.12[1](describinga“webpagewhosecontrac-tualnatureisnotobvious”asonewherecourtswillaskif“therecipientactuallyknowsorhasreasontoknowofit[when]sheassentstoit”). 216. Seeid.§1.11(defininganofferas“anactwherebyonepersongivestoanotherthelegalpowerofcreatingtherelationcalledcontract”). 217. ForexamplesofthesortsofmarketingpromisesmadeinICOdisclosures,seeShaanan Cohney, DavidHoffman, Jeremy Sklaroff &DavidWishnick,Coin-OperatedCapitalism Appendix C, COLUM.L.REV., https://columbialawreview.org/content/coin-operated-capitalism-appendix-c[https://perma.cc/QGE7-H7AF]. 218. See,e.g.,u/helloicon,ICONTechnicalQ&ASummary,REDDIT(Sept.18,2017,1:06 AM), https://www.reddit.com/r/helloicon/comments/70t56h/icon_technical_qa_summary[https://perma.cc/5XJZ-APCB](answeringquestionsregardingthetech-nicalitiesrelatedtoICON). 219. See aetrnty,BurningToken, REDDIT(Sept. 10, 2017, 1:42PM), http://www.reddit.com/r/Aeternity/comments/6za07b/burning_token[https://perma.cc/K3QQ-PJBL]. 220. 5MARGARETN.KNIFFIN,CORBINONCONTRACTS: INTERPRETATIONOFCONTRACTS§24.9(JosephM.Perilloed.,rev.ed.1998);see,e.g.,Hurstv.W.J.Lake&Co.,16P.2d627, 629 (Or. 1932) (holding the term “minimum 50%” to encompass “as low as49.5%”);Smithv.Wilson(1832)110Eng.Rep.266,266;3B.&Ad.728,728(holdingthat“parolevidencewasadmissibletosh[ow]that...thewordthousand,asappliedto[thecontract],denotedtwelvehundred”).


the parties’ expressed “vernacular.” 221 Unilateral and uncommuni-catedmeaningbearaslittleontheproblemofcontractualinterpreta-tionasthepublicmeaningsthatthepartiesmeanttocastaside.222

Atraditionalrequirementaboutnon-traditionalcommunicationsisthatthepartyagainstwhomtheywouldoperatereasonablyunder-standsthemtobecontractualinnature.223Contextmatters:themoreimpermanentthemedium,thelessobviousitshouldbethatabargainresultsfromtheposting.224Thisiswhy,inanoldcase,acourtfoundthatthelanguageonthebackofcoatcheckticketswasunenforceable:such scraps “didnot arise to thedignityof a contract.”225Promisesmadeintermsandconditionsfeellikecontracts(moreorless),whilethosemadeonTwittermaynot.226

But how about the code? The primary objection to includingscriptsaspresumptivesourceofcontractualintentisthatcodedoes,itmakes no promises to do. True, those in the know can learn thecoder’ssophisticationfromherscript’seleganceandeconomy,justasconnoisseursoffontwillmakeinferencesbasedonthisArticle’stype-setting.Butthat’snotthesameasthesortofpromissorycommunica-tionthatnormallygeneratesobligation.Moreover,becausethecodeisinherentlybuggy—aswehaveexplored—includingitintothestacknecessarilymeans that courts are adopting ambiguous evidence ofwhattheparties“really”meantoaccomplish.

Ofcourse,naturallanguageisbuggytoo,ascenturiesofexperi-enceswithcontractinterpretationproblemsmakeclear.Andthecodeisfestoonedwithnaturallanguagecommentsandcommitlogs,whichdo,implicitlyorexplicitly,statewhatthecodersaretryingtoaccom-plish.Mostimportantly,inlightofthesocialconventionsofthescript-

221. KNIFFIN,supranote220,§24.13. 222. Id.§24.6. 223. MURRAY, supra note 185, § 2.12[1] (discussing non-contractual documentsthatarenotenforcedforlackofinquirynotice). 224. Insomecontexts,statementsdirectedatthewholeworldwillbedeemedtobeadvertisements.Id.§2.4.Butsincewhitepapersandthelikearen’tconsideredintheabstracthere,butratherwhenaccompanyingthescriptswhichputthemintoef-fect,thebetteranalogyisthesupermarketcirculardistributedatthegroceryitself.Id.§2.7. 225. Healyv.N.Y.Cent.&HudsonRiverR.R.Co.,153A.D.516,519–20(N.Y.App.Div.1912). 226. SeeBerksonv.GogoL.L.C.,97F.Supp.3d359,382(2015)(arguingthatelec-tronic contracts “require clearer notice than do traditional retail”). But cf. KristenChiger,WhenTweetsGetReal:ApplyingTraditionalContractLawTheoriestotheWorldofSocialMedia,3ARIZ.STATEU.SPORTS&ENT.L.J.1,6(2013)(findingthattweetscancreatecontractualobligation).


ingindustrytoday,itisreasonabletoconcludethatparticipantsbe-lieve that the code-and-comments create obligations, i.e., that thescriptiscontractualinnature.Theveryterm“smartcontracts”justi-fiesthisconclusion.Therhetoricofexchangingincontractingshouldbeconstitutive.

This conclusion is strengthened in light of our focus onpublicblockchains, where all of the relevant parties have access to thescripted rules, can inspect them, and can read the associated codecommentary.Bydefinition,wehaveexaminedscriptsthatareopentobilateralinspection.Itwouldbeasifwewereconsideringacontractabouttheimportationofchickenfromabroad,betweenpartiesfromdifferent countries, that expressly incorporated a foreign languagedictionary,andthendeniedthatdictionary’srelevanceinunderstand-ingtheparties’meaning.Courseofperformanceistypicallyseenasastrongsignalofmeaning:thescriptisyetaclearersignal.Itistheex-pressed performance itself, fixed contemporaneously with agree-ment.(Ifthecodewerenotpublic,aswe’lldiscussbelow,itsrelevancetodiscerningtheparties’agreementwouldbemoreobscure.)

Incentivesprovideafinalreasontoincludecodeinthestack.Iflawyersareonnoticethatthecodehaslegalrelevance,thatitcancre-ateordestroyobligation,orhelpjuriststointerpretthem,theywillbegintopayattention.Thescriptingindustryatthemomentiscov-eredbyfewspecificrules,becauseofuncertaintyaboutthenatureofthe underlying asset type. Private regulation through lawyering—havinglawyersworktounderstandexactlywhatthescriptsaysandinquirehowitmightgowrong—isawaytohelptocivilizethiswildwest.Thatis,bringingthescriptintothecontractstackwillmotivatelawyers tocareaboutcoding,andcoders, andconsequently reducethelikelihoodofpromissoryfraud.227

B. TENSIONSWITHINTHESTACKWhat happens if there are differences in what’s promised be-

tweenelementsofthestack?Allenarguedthatquestionsofintentareparticularlydifficultwheninterpretingcode,astheformallanguagemighthavemeta-logics—internalandintentionallychosengoals(like,forexample,compactness).228Hethus,suggeststhatcourtsmayneedtomodifytraditionalcanonsofinterpretationtothinkabouthowtobestcapturetheparties’meaningwhenworkingthroughlayersofa

227. Somemayworry that lawyerswill seek tocleancodeof commentaryalto-gethertoreduceinterpretativeoverhang.Butitwillbeextremelydifficult,ifnotim-possible,todosowithoutleavinginculpatoryevidentiarytraces. 228. Allen,supranote33,at341.


stack.229Hegivesnofurtherdetails,andthisnextpartelaboratesontheproblem.

Courtswilloftensaythatinterpretationoughttomakesenseofthe“contractasawhole,”thatis,“theentiredeed,andnotmerelyupondisjointedpartsofit.”230That’sparticularlytruewhenthepartiesex-press their agreements in multiple documents. 231 In determiningmeaningwhen there is ambiguity, extrinsic evidence—that is, any-thingother than the contract itself—is commonly admitted.232Thisleadsusnaturallytoacanonseekingharmonization.

WestartbyreturningtotheICOexample.Atleastuntilrecently,

itwascommonforwhitepaperstomakepromisesaboutgovernanceinICO“smartcontracts,”butneglecttowriteactualscriptscontainingsuchcodedrules.233Inourview,thestackasawholeoughttobereadtobemakingapromise:theabsenceofprotectioninthecodeshouldnotbedispositive.If,forexample,theprojects’foundersweretotakeassetsinviolationofatextualvestingpromise,anactionoughttolieforbreach.That’strueeventhoughaninformedreaderwithanun-derstandingofSoliditywouldhavereadilyobservedthatthetokenscontainednopromises.(Most,infact,wereessentiallytheunmodifiedERC-20code.)Thepointisthatalegallyinformedreadercouldbelievethosepromisestobeenforceablebasedonthewhitepaperalone,andtheirrepetitionwithinthescriptunnecessary.

Conversely,when thenatural languagedisclosuressaynothingabouttheabilitytomodifyrightsdescribedashavingbeencreatedin

229. Id. 230. KNIFFIN,supranote220,§24.21(quotingBlackstone). 231. SeeRESTATEMENT(SECOND)OFCONTS.§202(2)(AM.L.INST.1981)(“[A]llwrit-ingsthatarepartofthesametransactionareinterpretedtogether.”). 232. NotethatNewYorkcourts,likemanyothersinamodernformalisttrend,takeadifferentapproach.See,e.g.,GilbaneBldg.Co./TDXConstr.Corp.v.St.PaulFire&MarineIns.Co.,97N.E.3d711,714(N.Y.2018)(holdingthatextrinsicevidenceregard-ingintentshouldbeadmittedonlywhentheparties’agreementisunclear). 233. Forexample,theMonacoprojectpromisedthatitssupplywouldbecappedinatransactionalscript:“TheMCOsmartcontractwillstopacceptingcommitmentsat888,888ETH hard cap.” MONACO, MONACOWHITEPAPER 8 (2018), https://whitepa-perdatabase.com/wp-content/uploads/2018/03Monaco-MCO-Whitepaper.pdf[https://perma.cc/7GKB-9D2D]. But our audit disclosed no such scripted commit-ment.SeeCohneyetal.,supranote2,app.B.

Canon 2: Where Possible, Interpret the Stack to HarmonizeMeaning.


atoken,butthescriptappearstopermitmodification,wemightcon-clude that the contract stack permits unilateral changes. 234 In thesearchtounderstandwhatthecontractstackpromises,neithercodenorscriptoughttoprevailovertheother,againunlessthepartiesoth-erwiseindicate.Thegoalistodeterminewhatthepartiesintended,expressedinwhateverciphertheychose.Weshouldnotaprioridis-missrightsprovidedincode.

TheTokenStoreproblemoffersanothersettingfortheharmoni-zationprinciple.RecallthatTokenStorehadavestigiallegalwrapinplace:ahandfuloftwitterandmediumposts,makingvaguegesturesabout the exchange’s commitment to being a hands-off-enterprise.Thecodepermittedtradererrors—indeed,itdidnothingtopreventthem. However, the code commentary stated that “we [i.e., Token-Store’soperators]validate thecontentsandthecreatoraddress”ofthe“orders.”

It’s not clear what thewriters of this comment intended it tomean. Inprogrammingcommunities,validatecantakeonanarrowmeaning—someonecanenteran“inputinaformthatisnotexpected,”leadingto“alteredcontrolflow,arbitrarycontrolofaresource,orar-bitrarycodeexecution.”235Butitcanalsotakeonabroadermeaning,i.e., that thecodeproducescommercially reasonable results.236Andperhaps such narrow programming meanings are only relevant incommercialmarkets,sothat“validate”oughttotakeonanordinarymeaning, i.e., “tomake legally valid.” Thiswouldmean that the ex-change bears the risks of obvious errors. Such a readingwould behelpfultoatrader’sactionforrescissionbasedonmistake(whichwillturninpartonwhatthecontractsaysaboutrisk)aswellasthatforordinarybreachofcontract.Inourview,thecorrectapproachagainwouldseektomakesenseofthegestaltproject,treatingthecodeanditsnaturallanguagecommentsasguidestotheparties’jointintent.

234. SeeCohneyetal.,supranote2,at630–34.Ofcourse,acourtcouldfindthat,inlightofanindustry-widepracticeofdescribingrightsas“immutable,”silenceinonelayer of the stack should be interpreted against a commercial backgrounddenyingmodifiability.Id.at615n.114. 235. CWE-20: Improper InputValidation, COMMONWEAKNESSENUMERATION (Sept.19,2019),https://cwe.mitre.org/data/definitions/20.html[https://perma.cc/C3GA-FM6Y]. 236. SeeDataValidation:OSWAPGuide toBuildingSecureWebApplicationsandWeb Services, COMMONOPENWEB APPLICATION SEC. PROJECT (Jan. 5, 2006), https://searchsoftwarequality.techtarget.com/news/1156594/Data-validation-Chapter-12-OWASP-Guide-to-Building-Secure-Web-Applications-and-Web-Services[https://perma.cc/P8GG-VG7F] (“Businessrules [e]nsure thatdata isnotonlyvalidated,butbusinessrulecorrect.”).


Harmonizationbecomesdifficultwhenpartsofa contract con-flict.237Whenpiecesofadeal counterpose, courts traditionally firstseektoascertaintheparties’principalpurpose,andthentoadvanceitbydecidingoutwhichpiecesofevidencetoprivilege.238Forexam-ple,handwrittentermsprevailovertypewrittenterms,andspeciallytyped provisions control over pre-printed forms. 239 Courts fore-groundthoseprovisionsthattheybelievearebestindicatorsofwhattheparties“really”meant.240

Scriptedexchangewillsometimesalsoposeproblemsofincon-sistent intent.Giventhatpiecesof thestackarewrittenatdifferenttimes, by authors with distinct professional backgrounds, and in-tendedfordifferentreaders,weshouldanticipateconflictsinmean-ing. As a default rule,we’d propose a hierarchy ofmeaning,whichprivilegesnaturallanguagewrappingtextovercodewhentheycon-flict.

Bywrappingtext,wemeantoincludeanytextthatisoutsidethe

codeitself,butwithinthestack.Whensuchtextconflictswithcode,we think the parties’ contract—what they can sue on—most likelyturns on their natural language expression.241 This is a pragmaticchoice.242AswiththeQuoinetribunal,mostjudgesaregoingtohaveanaturalaffinityfortextthattheycanreadwithouttheaidofanexpert

237. Cf.Surden,supranote32,at657(“Aprimaryunresolvedtensionmayoccurinfuturescenarioswherethereisbothawrittenanddata-orientedrepresentationofthesamecontractualexpression,withinterpretationsthatdiffer.”). 238. SeeKNIFFIN,supranote220,§24.20(“Whentheprincipalpurposeofthepar-tiesbecomesclear,furtherinterpretationshouldbeguidedthereby.”). 239. Seegenerallyid.§24.23,at236,251(discussingvariousrulesthatcourtsusetoreconcileconflictingcontractterms). 240. Seeid.§24.9,at59(“Acourt’spurposeinusingextrinsicevidencetointerpretacontractisdiscernmentoftheparties’intentions.”). 241. SeeRohr,supranote33,at85(“[C]ode[thatautomatesalargeragreement]islikelytobeviewedasacomponentofperformancethatonepartywillattempttoproveisnonconforming.”). 242. Foradefenseofasearch-costsbasedtheoryofparolevidenceandotherrulesthatlimit“idiosyncraticunderstandings,”seeJoshuaA.T.Fairfield,TheSearchInterestinContract,92IOWAL.REV.1237,1265–67(2007).

Canon3:Incasesofconflict,privilegenaturallanguagepromisesover coded ones: i.e.,wrapping text, commitmentmessages andcodecommentaryovercode,highlevelcodeoverbytecode.


translator.243Theywillarguethat“noonereadssmartcontracts.”244(Thefactthatnoonereadsregularcontractsisequallytrue,thoughitfeelseasiertoblamethemforit.)245Ofcourse,justlikecontracttext,codecanbe“read,”andoftenresultsfromasimilariterativedraftingprocessasold-fashionedcontracts.

Why,then,privilegeEnglishoverCode?Onereasonsoundsintheclassicworriesaboutopportunismandbadfaiththatdrivesmanyju-dicialtreatmentsofadhesioncontracts.Ifpartiescouldavoidacon-tractualpromisebynegatingitincodethatyouhadnoreasontothinkwould be read,wewould rightlyworry about promissory fraud orotherformsofbait-and-switchbehavior.Thoughtoday,manyusersoftransactional scripts are sophisticated—even to access scripts, youusuallyinstallspecializedsoftwareonyourcomputer—thatmaynotbethecasegoing forward.GiventhatEnglish iseasier toreadthanSolidity and other high-level programming languages, courts willlikelyprivilegenaturallanguagepromiseswherevertheycan.

Butatadeeperlevel,ourintuitionisthatcourtsimaginetheyarelookingforsomethingtheycall“real”intent,whichisreallymorelikewhatthepartiesexpressedabouttheirintenttotheworld.246Justaswithotherformsofcommercialtransactionsdraftedandenteredinstages,discerningrealintentisoftenafool’serrand.247Thatinquiryfalselyimpliesthatthepartiesgavetheproblemsomethought.Whencourtsspeakaboutintent,theyareengaginginahypotheticalandim-aginativeexercise,whichentailssignificantdegreesofanalyticfree-dom.Butimaginativeexercisesmustbeexplainableinpublicjudicial

243. In consumer-facing transactions, courts alsomayworryabout exploitationwhen parties use language that is hard for adherents to understand. See, e.g.,FrostifreshCorp.v.Reynoso,274N.Y.S.2d757,759(N.Y.Dist.Ct.1966)(findingthattheadherentswere“handicapped”bycontracttermswritten“inalanguageforeigntothem”). 244. Cohneyetal.,supranote2,at598. 245. SeeTessWilkinson-Ryan,APsychologicalAccountofConsenttoFinePrint,99IOWAL.REV.1745,1751(2014)(“[O]neofthetruismsofempiricalcontractsresearchisthat‘nobodyreads.’”). 246. SeeRohr,supranote33,at78(discussinghowcourtscanderivetraditionalcontractformationconcepts,likeintent,fromavendingmachinetransaction). 247. SeeDouglasG.Baird&RobertWeisberg,Rules,Standards,andtheBattleoftheForms:AReassessmentof§2-207,68VA.L.REV.1217,1219(1982)(notingthatthelawcannotresolvethebattleoftheformsbyinquiringintotheparties’intent);GRANTGIL-MORE,THEDEATHOFCONTRACT46–47(2ded.1995)(“If...‘theactualstateofthepar-ties’minds’isrelevant,theneachlitigatedcasemustbecomeanextendedfactualin-quiryintowhatwas‘intended,’‘meant,’‘believed’andsoon.”).


opinions,andthusrelytoadegreeontextthatcanbereadbythewid-est audience, and that is susceptible to the cheapest judicial over-sight.248

Aswe’veshown,codeisirreduciblybuggy,andthenormalwaysthat coders handle error—by iterating better versions—may nottranslatewelltoscriptedexchange.Codesimplyisn’taverystraight-forwardwaytoexpresstheparties’intent.Bycontrast,partieshavehadhundredsofyearsofexperiencecontractinginEnglish(orFrench,orEsperanto,turningonthecourt’sandparties’nativetongue).Un-lessthereisgoodevidencethataparticularlineofcodewasmadesa-lient—forexample, if it isreferredtoby linenumber inthenaturallanguage contract itself—courts should conclude that text trumpscode.249Acombinationofrealismandefficiency,attheendoftheday,willprivilegepubliclyaccessiblemeaning.250

Whetherthetextwrappinglayershoulddisplacecasecommen-taryandcommitlogsisamuchharderproblem.Here,theconcernsaboutpubliclyaccessiblemeaningdropaway,sincecodecommentaryisgenerallywritteninEnglish(oratleastacodingdialectthatcanbegrokked).Theremainingissueiswhethercommentaryintendingtoexplain a cipher is as good evidence ofwhat the exchangewas in-tendedtoaccomplishasthewrappingtext’smorelegalisticframe.

Ontheonehand,thecommitlogsandcommentaryareintegraltothecodeitself,expressedcontemporaneouslywithitsfixationandwiththegoalofrevealingits intent.251It isthe“crownjewel”ofthe

248. Oneanalogyisthecourts’treatmentofdisputesaboutmeaningbasedondif-ferencesintheparties’respectivenativetongues.See,e.g.,FrigalimentImportingCo.v.B.N.S.Int’lSalesCorp.,190F.Supp.116(S.D.N.Y.1960).Insuchcases,thecourtsmayadoptthebroadestandwidest-sharedmeaningavailable. 249. Rohrpoints out that courts thathave analyzedvendingmachine contractsweredrawntomeetingofthemindanalogies,evenwhentheyplainlywereinapt.Rohr,supranote33,at80(“Vendingmachinecasesare...predictiveofthetypesofissuethat...[will]ariseasjudgesattempttoapplyfoundationalcommonlawcontractprin-ciplestosmartcontractsgoingforward.”). 250. Foradifferentdefenseofpubliclyaccessiblemeaning,seegenerallyAaronD.Goldstein,ThePublicMeaningRule:ReconcilingMeaning,Intent,andContractInterpre-tation,53SANTACLARAL.REV.73(2013),whicharguesthatextrinsicevidenceshouldbelimitedtopublicandsharedmeaningtoavoidgamesmanship. 251. SeeDanielaSteidl,BenjaminHummel&Elmar Juergens,QualityAnalysis ofSourceCodeComments,in2013IEEE21STINT’LCONF.ONPROGRAMCOMPREHENSION83,83(“Asignificantamountofsourcecode ...consistsofcomments,whichdocumentthe implementationandhelpdeveloperstounderstandthecode ....Commentsarethesecondmost-useddocumentaryartifactforcodeunderstanding,behindonlythecodeitself.”).


code,layingbareits“innersecrets.”252Codecommentaryandcommitlogsare thus like thedefinitionsectionofanordinarycontract: thevery best evidence of meaning. 253 Consequently, commentary andcommitlogsshouldbeprivilegedoverthecodeitexplains.

That said, somemightworry that code commentary (and, to alesserextent,commitlogs)isintendedtobedisposable254—itmightsignalwhatacoderhopedtoachievebut isnot likely tohavebeenwrittenwithparticularcare.255Forexample,aswediscussedabove,mostopensourcecodetodayisreusedfromscripttoscript.Thus,it’snotnecessarily(orevenusually)thecasethatthecommentarywaswrittenwithasingularproject’sgoalsinmind.Blindlyadoptingsuchcommentary as gospel risks being misled as to what the partieswanted,justas(forexample)adoptingboilerplatecan,overtime,leadpartiestousetermsthateventheydonotunderstand.256

Evenconsideringtheserisks,commentaryandcommitmessagesshouldhavethesameinterpretativeweightasnaturallanguagecon-tractterms.True,theymightnotprovideclearevidenceofpromissoryintent.But the sameobjections canbemadeaboutboilerplate thattravelsfromdealtodeal.Moreover,thoughit’struethatsomecoderstreat commentary and logs as disposable, well-counseled projects,

252. JeffreyD.Sullivan&ThomasM.Morrow,PracticingReverseEngineeringinanEraofGrowingConstraintsUndertheDigitalMillenniumCopyrightActandOtherProvi-sions,14ALB.L.J.SCI.&TECH.1,17(2003)(“Reverseengineeringdoesnotlaybareaprogram’s inner secrets. Indeed, itcannot. The inner secretsof aprogram, the realcrown jewels,areembodied in thehigher levelsofabstractionmaterialsuchas thesourcecodecommentaryandthespecification.”). 253. Theremaybeexampleswherecodersmakeanexplicitattempttosynthesizethesemanticcontractwithinthecode.See,e.g.,LEXON,http://demo.lexon.tech/apps/editor [https://perma.cc/DY2R-4X4D] (embedding human readable semantic con-tractwithincompliablecodethatexportstoSolidity). 254. Andrew Johnson-Laird,SoftwareReverseEngineering in theRealWorld, 19DAYTONL.REV.843,857(1994)(“[Sourcecodecommentary]istheequivalentofmar-ginalannotationsandisintendedtoassisttheoriginalprogrammerorthosethatfol-lowinunderstandingwhytheprogramwascraftedinaparticularway,ortoexplainaparticularlycomplexflowoflogic.Therearenorestrictionsonwhatmustormustnotbewrittenincomments,but inevitablytheyaretherepositoryofall theknowledgethattheprogrammerhasinhisorherheadasthecodeisbeingcreated.Onealsofre-quentlyseesacertainirreverenceinthecommentarywhichisaby-productoftheex-uberanceofprogrammersandisbestnottakentooseriously....”). 255. Cf.Haqueetal., supranote52,at58(“Another [developer]mayconstantlycontributeahighvolumeoflinesoveralongperiodoftime,butstillbeafunctionarywhoseworkiswhollynon-essentialandcouldeasilybereplacedbyothers.”). 256. SeegenerallyStephen J.Choi,MituGulati&RobertE.Scott,TheBlackHoleProblem in Commercial Boilerplate, 67 DUKEL.J. 1, 2 (2017) (describing pari passuclausesas“astandardprovisioninsovereigndebtcontractsthatalmostnooneseemstounderstand”).


knowing the rule thatwepropose,wouldbewell-positioned toex-pandoncommentarybeforedeployingascript,andimposedisciplineovercommitsthataremergedintotheproject.Theresultcouldbean-otheropportunitytosurfaceandcorrectbugs,whilealigningthepar-ties’expectationswithwhattheyreceive.And,ofcourse,thisisjustadefaultrule:thepartiesmayexpressadifferentrulebycontractingforit.257 Finally,wethinkthatthesourcecodegenerallyisabettersourceofmeaningthanthecompiledbytecode.That’ssobecausethesourcecodeis,inbroadstrokes,readablebyhumanswiththeexerciseofrea-sonableeffort,meaningthatallpartiestoatransactioncangainsomeinsightas towhat they’veagreed.Thealternative,whichholds thatbytecodeisthe“real”contract,seemslikelytoleadtoembarrassingresults.Forexample,considerthis“onlineuseragreement”thatalawstudentconfronted:

257. Cf.Surden,supranote32,at652(“A‘data-meaningthresholdagreement’pro-videsspecificinterpretations[forcomputablecontracts].”).


Figure5258This is not bytecode, but rather an erroneous encoding of the

bytesintotheglyphsthatrepresentthem.Obviously,clickingontheagree box wouldn’t bind anyone—the gibberish communicates nomeaningful information to humans (even if some computer, some-where,couldmakesenseofit).Bytecodeislikewiseattheverybot-tomofourinterpretativehierarchy,asdecodingitrequirestheexer-tion of effort and expertise likely beyond the capacity of thecontractingparties.

These interpretive principles ought to giveway depending oncontext. Thus,we imagine that ephemeral contractual promises—a

258. Samuel P. Morse (@SamuelPMorse), TWITTER (Sept. 13, 2019, 8:10 AM),https://twitter.com/SamuelPMorse/status/1172497664799363075 [https://perma.cc/3KZ2-TY4F].


straytweetbyaprojectmanagerpromisingaparticularoutcomeofthe script—would likelynotdisplace awell-curatedGitHub reposi-tory.Or,apieceofcodecommentarythatmakesajoke.Here,again,ourargumentrestsonapragmaticjudgmentastowhatcourtswilldo,which in turn relates to the parties’ reasonable, commercially-in-formedexpectations.259Themorepermanent,consideredandreliabletheevidenceofapromise—themore,inotherwords,itwouldberea-sonabletorelyuponit—themoreacourtislikelytoconsideritareli-ablebasisofthebargain.

Finally, consider a problem of interpretation that has no easynon-scriptedanalogue.Whatiftheprogrammers’intentisinternallycontradictoryandisrecordedassuch?Ofcourse,courtswilloftensaythataparty’sprivatemeaningoughttobediscountedwhenascertain-ingthesharedintentofthetransaction.Thus,simplybecauseonelaw-yeronateamthoughtthat“black”means“white”doesn’tmeanthatthetermtakesonthatmeaning,unlessthatlawyercommunicatedhermeaningtotheothersideinawaythatseemedauthoritative.260Thisiswhysomehavearguedthatvisiblemetadataoughttobearonmean-ing.261

Evidenceofinconsistentdrafterintentinthetransactionalscriptcontextisdifferent.Giventheuseofversioncontrolsystems,boththeexpressionofcodeandtheidentityofwhowroteeachlineofhuman-readablecodemaybeknowableatthemomentthecounterpartyin-spectstheterms,andcertainlyatthemomentofformation.Soisthecommentary.Becausethecodeispublic,allpartiescanseethecon-flictingevidenceofmeaningatthemomentthecontractisentered:itisliketheparties’finalexecuteddocumentincludedvisibleredlinedchanges.262Thus, a partymight encounter a piece of code that hasmultiple drafterswho appear to be communicating different goals.Whattodointhisscenario?

259. MURRAY,supranote185,§4.12(discussingtheroleofreasonableinterpreta-tionsindeterminingmeaning). 260. SeeCendantCorp.v.CommonwealthGen.Corp.,No.98C-10-034HLA,2002WL31112430,at*6(Del.Super.Ct.Aug.28,2002)(holdingthatacontract’s“MaterialAdverseChange”createdanissueofmaterialfactbecauseeachpartyhadplausible,butdifferent,interpretationsoftheclause). 261. See, e.g.,ThomasH.White,ParolMetadata:NewBoilerplateMergerClausesandtheAdmissibilityofMetadataUnder theParolEvidenceRule,4CASEW.RSRV.J.L.TECH.&INTERNET237,267(2012)(“Ifthemetadataisvisibleonthefinalversionofthecontract,thisshouldbeconclusiveweightinfavorofitsadmissibility[undertheparolevidencerule].”). 262. Foranargumentthatnon-resolvedtrackedchangesoughttobeincludedaspart of the integrated document, see Elizabeth A. Janicki,Contracts as Speech Acts:BringingJakobsontotheConversation,107GEO.L.J.201,218n.113(2018).


Thesimplestanswer—harmonizationwiththerestoftheagree-mentandwiththesocialcontext—isprobablybest.Butitsapplicationissubtleandrootedinthesociologyoftheoperativecodingcommu-nity.Weoughttoprefer(andrenderoperative)themeaningsofcod-erswhoadvancethelargeragendaoftheproject,totheextentitcanbereconstructed.263Failingthat,weshouldpreferlaterintimetoear-lierintimepiecesofcode,andcodewhichhewscloselytothecom-mentarythatsurroundsit.Thesematchthebackgroundrulesofcon-tractinterpretation,whichgenerallyseektofindandgiveprioritytothebestavailableevidenceof theparties’expressedand integratedintent.

Overall, this interpretative hierarchy, which promotes super-visedcodingandlast-in-timesyntax,arisesoutofthesameintuitionsthatgeneratetheparolevidencerule.RecallCorbin’sfamous,thoughnotuniversallyaccepted, rationale for therule.264Itwasnot,hear-gued, primarily about controlling self-serving frauds by excludingconvenientex-post evidenceofmeaning.265Rather, the rulewas in-tended to give priority to the parties’ fixed agreement: to discardthoseearlieragreements,negotiationsandunderstandingswhichhadnotmadeitintothefinalandbindingcontract.266Onthequestionofwhethertheparties intendedaparticularexpressiontobethefinalexpression, “no relevant evidence, [] parol or otherwise, is ex-cluded.”267Butevenifadmitted,courtscouldclearlyweighsuchevi-denceandfindthat“themorebizarreandunusualanassertedinter-pretationis,themoreconvincingmustbethetestimonythatsupportsit.”268

263. SeeHunn,supranote31,at281(“[I]ncreasingattentionisgiventoarchitect-ingsmart legalcontracts ‘ina languagethat isbothhuman-intelligibleandmachinereadable,whose text incorporatesanalgorithmwhichautomatessomeorallof theperformanceoftheagreement.’”(quotingJ.G.Allen,WrappedandStacked:‘SmartCon-tracts’andtheInteractionofNaturalandFormalLanguage,14EUR.REV.CONT.L.307,313(2018)). 264. SeegenerallyArthurL.Corbin,TheInterpretationofWordsandtheParolEvi-denceRule,50CORNELLL.Q.161,189(1965)(“[A]ntecedentagreements ...areren-deredinoperative[evidence]byhavingbeendischargedbyasubsequentagreementthathasbeendulyprovedandinterpreted.”). 265. See PETERLINZER, CORBINONCONTRACTS:PAROLEVIDENCEAND IMPLIEDTERMS§25.2,at6(rev.ed.2010)(“[Corbin’s]statementofthe[parolevidence]...hadnoth-ingtodowiththereliabilityoforalorwrittenevidenceofintent;ithadtodoonlywithwhatthepartiesactuallywantedtobethefinalwordoftheiragreement.”). 266. Id. 267. Id.at9.ButseeKlass,supranote213(describingsometheorists’viewthatintegrationalsocontrolsinterpretationevidence). 268. LINZER,supranote265,§25.4,at32.


Onthisunderstanding,ifatransactionalscript’spromotersseemtoadvancemultiplepotentialpurposesatoddswithoneanother,acourtoughttoidentifythosetermsthatbestmatchthereasonableex-pectationsofthepartiesatthemomentthatthecounterpartycommit-tedtotheparticularexchange.Theexistenceofpriorconflictingtermswould still bepotentially relevant, but theyought to bede-empha-sized.

Inapplyingthiscanon,considertheSynthetixexamplediscussedabove.Onepartydeployedabotthattookadvantageofacorruptedthird-partyoracletoexecuteatradewhichwouldhavegarnereditpo-tentiallyabilliondollarsinprofit.Presumablybecausethatamountwould have been uncollectable, the hacker settled for some undis-closedbugbounty,paidoff-chain.Neitherpartytestedwhatcontractlawwouldhavehadtosay.Butwecanspeculatesomewhatastoitscontents.

Canon1remindsustotakeupall thesourcesofmeaning.A li-cense, deployed by Synthetix, disclaimed all warranties as to theCode’s correctness. But its commentary promised that the quoteswerethe“currentmarketvalue.”Thus,ifacourtweretoaskifthepar-tiesintendedthisresult,theanswerwouldturn,wethink,onthehier-archyinCanon3.Inourview,asbetweentwokindsofwrappingnat-urallanguage,thecommentarytothecodeoughttotakeprecedenceovertheambiguouslicense,meaningthatSynthetixwouldhaveadif-ficulttimearguingthatwhatevertheoracledeliveredwas,forthepar-ties’purposes,actionable“marketvalues.”Attheveryleast,Synthetixshouldhavebornaheavyburdenofprovinganalternative.269Thus,Synthetix,whichpresumablywouldhave arguedmistake, probablyfairlybearstheburdenofathird-partydatasourcerisk.

Wehavesuggestedasetofdefaultrulesforinterpretingscripts.

Butwhatifthepartieswanttovarysuchrulesbyagreement:shouldwe give these scripted integration clauses force? 270 Offline, courts

269. The casewould have been differentwith an appropriate disclaimer in thetermsofuse,whichwehavenotyetfound. 270. SeeKlass,supranote213,at466–71(discussingwhenintegrationclausesarelegallyenforceable).SeegenerallyGregoryKlass,IntenttoContract,95VA.L.REV.1437,1442–43(2009)(discussingthelegalrelevanceofparties’intentwithrespecttolegalenforcement).

Canon4:WhereNaturalLanguageContractsRefertoCode,Inte-grationClausesShouldBeReadNarrowly.


havegenerallypermittedintegrationclausestocontrolwhichpiecesofpriororcontemporaneouscontractingareincludedwithintheliti-gateddeal, at least between sophisticated firms.271But courts havesometimesbeendubiousaboutattemptstointegratefuzzystacksandtolimitevidenceofmeaningthatappearsotherwiserelevant.272

Aproblemhereisthatsophisticatedprojectswillusuallydirectlyrefer to the script in thenatural language terms and conditions. Insuchcases,wethinkitisimpossibletoexcludethescriptentirely—inotherwords,wedon’tthinkthatscriptcanbebothpointedatandalsotreatedasextrinsicevidence.Thatwouldbemuchlikesayingthatanaddendumtoacontract,whichcontainsakeydescriptionoftherele-vantsubjectmatter,isnotapartofthedeal.

Whatpartiesmightdoistotrytousethenaturallanguagecon-tract todeterminemeaning.Natural language termsandconditionswouldstatethattheonlyoperativepromisesarethosefoundinthenaturallanguageitself,andthatpartiesshouldnotreadthecommen-taryinthescripttomakeadditionalorcontradictorypromisesaboutwhatitaccomplishes.Thiswouldnotdenythatthecodeisapartofthebargain,butratherwouldattemptto limitwhatcanbeinferredfromthenaturallanguagetextitcontains.Or,theconverse:thatis,thenaturallanguagemaydenyitsownefficacyandprivilegecode.

Thechoiceofwhethertodefertosuchattemptstocontrolmean-ingturnsonwhetherthecourtgenerallyadoptsamorecontextualormore formalist approach to interpretation.273Contextualism,whichdiscouragesopportunisticdraftingandthusprotectsconsumers,has

271. SeeKlass,supranote213,at475–78(arguingfora“hardexpressintegrationruleforfirm-to-firmnegotiatedcontracts”). 272. Cf. LINZER, supra note 265, § 25.7, at 61 (“[T]he essence of integration iswhethertheyintendedadocumenttobethefinalword,andevidenceofthisintentionshouldbefoundfromallsources,notjustthewordsofthecontract.”). 273. CompareWellsFargoBank,N.A.v.CherrylandMallLtd.P’ship,812N.W.2d799,810(Mich.Ct.App.2011)(admittingusageoftradenotwithstandingcontractualclausestatingthat“notradepractices...shallbeusedtocontradict,vary,supplementormodifyanytermofthisguarantyagreement”),withS.ConcreteServs.,Inc.v.Mable-tonContractors,Inc.,407F.Supp.581,584(N.D.Ga.1975)(“Thecourtrecognizesthatallambiguityastotheapplicabilityof tradeusagecouldbeeliminatedbyablanketconditionthattheexpresstermsofthecontractareinnowaytobemodifiedbycus-tom,usage,orpriordealings.”).SeegenerallyJoshuaM.Silverstein,ContractInterpre-tationEnforcementCosts:AnEmpiricalStudyofTextualismVersusContextualismCon-ductedviatheWestKeyNumberSystem,47HOFSTRAL.REV.1011(2019)(providinganempiricalstudyofjudicialandacademicdebateovertextualismandcontextualismincontractinterpretation);LisaBernstein,CustomintheCourts,110NW.U.L.REV.63,71(2015)(“Theenforceabilityandeffectivenessofageneralclauseoptingoutofalltradeusagesisatbestunclear.”).


muchtocommenditinmarketswheresharpdealingismorepreva-lent.274Fraudhasdefinedmanyblockchainproducts todate,ashasincoherenttransactionallawyering.Thisisnotaspaceproducingfor-malism’sbestfactualpredicates.

To the extent these issues seem fanciful, consider the DAOhack.275TheDAOwasatoken-mediatedplatformthatallowedsmallinvestors toenter jointly intoaventurecapitalpool.276Theentity’s“terms,”apartfromdisclaimingvariouslegalrights,statedthat“[t]he“useofTheDAO’ssmartcontractcode...carriessignificantfinancialrisk, including using experimental software.” 277 However, it alsostated:

274. SeeSilverstein,supranote273,at1018(notingthatcontextualistcourtscon-siderbothanagreement’slanguageandextrinsicevidencetodetermineambiguity). 275. SeeHaqueet al., supra at52, at39–45 (providinganoverviewof theDAOhack);seealsoLailaMetjahic,DeconstructingtheDAO:TheNeedforLegalRecognitionand theApplicationofSecuritiesLaws toDecentralizedOrganizations,39CARDOZOL.REV.1533,1536(2018)(analyzingthecorporatelegaltheoriesunderwhichthecrea-torsofTheDAOmightbeheldliableforthe2016hack). 276. Cf. Vitalik Buterin,Bootstrapping a Decentralized Autonomous Corporation:Part I, BITCOIN MAG. (Sept. 20, 2013), https://bitcoinmagazine.com/articles/bootstrapping-a-decentralized-autonomous-corporation-part-i-1379644274[https://perma.cc/6FNC-93QV]. 277. Terms: Explanation of TermsandDisclaimer,DAOHUB, https://daohub.org/explainer.html[https://web.archive.org/web/20160704190119/https://daohub.org/explainer.html].

Figure6:TheDAO’sTerms


The code repository containedanevenmore incoherent setof

disclaimers, includingareadmefilethatclaimedusingthesoftware“doesnot,inandofitself,createalegallybindingcontract,”andthat“inorderforyoutoformalegallybindingcontract...youshallseeklegal advice from an appropriately qualified and experienced law-yer....”278Thissetofdisclaimersappearstobeanattempttoshieldtheentityfromliabilitybyatonceembracingandrejectingcontractlaw.279

Afterusershadcontributedfunds,butbeforetheDAO’sownin-vestmentshadbegun, someonenoticeda flaw in its codewhichal-lowedsiphoningof$55million(ofaround$170milliontotalassets)outofthepool.Ethereum’sthendeveloperspromulgatedaproposedsoftwareupdate to the entireblockchain—ahard fork—whichwasadoptedbysome,butnotall,holdersoftheoriginaltokens.280

TheDAO’screatorshadsomewarningofthevulnerability.281Be-forethehack,acommentatorpostedaboutthevulnerability(titled,“Protect against recursive withdrawRewardFor attack”) and sug-gestedaseeminglyeasychange(reversingtheorderingoftwolinesofcode)whichwouldcloseit.282TheDAOmadethechange,reassuring

278. StephanTual,Postingto/blockchainsllc/DAO:UpdatedReadme,GITHUB(Apr.11,2016),https://github.com/slockit/DAO/commit/aceec3efcc8afd4277396ebc42628f2e5ca8dff2#diff-04c6e90faac2675aa89e2176d2eec7d8 [https://perma.cc/5HHY-5W4V]. 279. Foratrenchantanalysisoftheseissues,seeDrewHinkes,ALegalAnalysisoftheDAOExploit andPossible InvestorRights, BITCOINMAG. (June21, 2016), https://bitcoinmagazine.com/articles/a-legal-analysis-of-the-dao-exploit-and-possible-investor-rights-1466524659[https://perma.cc/XJK6-TCKB]. 280. Reyes, supranote30,at388; seeTheEthereumClassicDeclarationof Inde-pendence, ETHEREUM CLASSIC, https://ethereumclassic.org/ETC_Declaration_of_Independence.pdf[https://perma.cc/F6D5-7FSR](lastupdatedJuly2019)(declaringtheholders’ intentto“continuetheoriginalEthereumblockchain”anddecryingthehardforkasaviolationoftheblockchain’s“coretenets”). 281. See, e.g., Matthew Leising, The Ether Thief, BLOOMBERG (June 13, 2017),https://www.bloomberg.com/features/2017-the-ether-thief[https://perma.cc/N8RJ-F7RE] (“Gün ... had already been tracking and publicizing flaws in the DAO’s de-sign....[He]appearstobethefirsttopinpointtheflawthatputthemoneyinjeop-ardy.”). 282. LefterisJP, Posting tobloackhainsllc/DAO, GITHUB (June 12, 2016), https://github.com/slockit/DAO/commit/f01f3bd8df5e1e222dde625118b7e0f2bfe5b680?diff=split[https://perma.cc/87ZY-FD5V].


usersthat,“Theimportanttakeawayfromthisis...thisisNOTanis-suethatisputtinganyDAOfundsatrisktoday.”283Theupdatedver-sionwascalledTheDAO1.1“milestone.”Inthecode,thein-linecom-ment preceding the new revision on line 580 stated its explicitpurpose:

//wearesettingthisherebeforetheCALL()valuetransferto//assurethatinthecaseofamaliciousrecipientcontracttrying//tocallexecuteProposal()recursivelymoneycan’tbetransferred//multipletimesoutoftheDAO284

Assurancenotwithstanding,someonethenexecutedthefamoushack—inpart becauseTheDAO’s fixwas incomplete—transferringmoneymultipletimesoutofTheDAO.

Thus,hereweagainhaveastackofmeaningaboutwhatthepar-ties to the contract—The DAO’s creators and its investors—ex-pected.285But therelevantdocumentsarecontradictory.Theactualcodedidnotaccomplishwhatthecommentorwhitepaperpromised,afactthatsoonbecameobvioustoall.Moreover,theorganizersofTheDAOhadspecificallytoldusersthatthecodegoverned,evenastheydisclaimedthe legalenforceability inthecode itself.286Let’susethecanonstoofferasolutiontotheprivatelawcontractingproblemsthattheDAOoccasioned.

AsCanon1instructs,weoughttoconsideralltherelevantpiecesasevidenceofmeaning,andofwhatwaspromised.Thecode,termsandconditionsandreadmefilesareallapartofthestack.

Canon2suggeststhattheDAO’scounterpartiesreasonablycouldhavebelieved that theywouldnot face theriskof recursivemoney

283. StephanTual,NoDAOFundsatRiskFollowingtheEthereumSmartContract‘RecursiveCall’BugDiscovery,SLOCK.ITBLOG(June12,2016),https://blog.slock.it/no-dao-funds-at-risk-following-the-ethereum-smart-contract-recursive-call-bug-discovery-29f482d348b[https://perma.cc/2P4D-5QGB]. 284. LefterisJP, supra note 282, at line 580, https://github.com/slockit/DAO/blob/d48ee5c49f9dc3b9548623aa6985cbc3c9528b67/DAO.sol#L580[https://perma.cc/9KTB-7KWJ]. 285. SeeTanayaMacheel,TheDAOMightBeGroundbreaking,butIsItLegal?,AM.BANKER (May19,2016,3:12PM),https://www.americanbanker.com/news/the-dao-might-be-groundbreaking-but-is-it-legal [https://perma.cc/98RV-C7SB] (narratingStephanTual’sstatement,aprimaryorganizer,that“[n]oonebenefitsfromitexceptthepeoplethatsupportit.Evenwe,theoneswhoinventedit,getnothing”). 286. SeegenerallyKolber,supranote25,at221(“Note:Althoughtheword‘con-tract’isusedinTheDAO’scode,thetermisaprogrammingconventionandisnotbeingusedasalegaltermofart.”).


transfer.287 That promise, embodied in amarketing announcementandinthecodecommentsitself,is,itistrue,absentintheoperationalcode.It’sasifadoorwhichcontainedonitsfrontfaceasignstating“PrivateProperty:LockedDoor”wasfreelyopenablewithakeyhang-ingnearby.Ifsomeoneweretohavebeenharmedbyrelyingonthatsetofstatements,whensuinginfraudortorttheywouldfaceques-tions abouthowreasonable theirprecautionshadbeen.288But in acontractlawsuit,Canon3teachesthatcodeshouldbowtocommentsandcommitlogsinawaythatbestembodieswhattheprogrammersintendedtoaccomplishandthereforetowhattheyoughttobeheld.289Canon4tellsustodiscounttheattemptsatnon-integrationas,atbest,confused.

WethusdisagreewithTheDAO’sattacker,whoarguedthattheforkviolateditsrightsbecausethoseactionswereliterallypermittedbythecode.290Yes,codedraftersoughttobeartheinterpretativeriskof error.291 But the non-drafting counterparties whose funds weretakencouldnotreasonablybeexpectedtoknowthatthecodehadthatbug,giventhecommentarypromisingtheoppositeresult.Hadtheynotreceivedtheirmoneyback,TheDAO’sinvestorsshouldhavebeen

287. SeeRohr,supranote33,at89(notinganalogiestovendingmachinecasestofindthat“theagreementincludesonlythosetermsthatwerereasonablyavailabletoDAOTokenholderspriortopurchase”and impliedlyconcludingthat thiswould in-cludetheTermsofUsebutnotthepermissivecode). 288. One problemwe leave to futurework is the relationship between puttingstatementsinsidethecontractualstackandthetort-contractlineinlitigation. 289. Thus,werejecttheideathattheonlyoperativepromisesarethosewrittenincode.Cf.LawrenceLessig,CodeIsLaw:OnLibertyinCyberspace,HARV.MAG.,Jan.–Feb.2000, https://harvardmagazine.com/2000/01/code-is-law-html [https://perma.cc/59LX-BRU5](notingthatcodeimplementsvaluesandthatcodersdecidehowcyber-spaceregulates). 290. A Guest, An Open Letter, PASTEBIN (June 18, 2016), https://pastebin.com/CcGUBgDG[https://perma.cc/Y739-MR8R](claimingthatthefork“wouldamounttoseizureofmylegitimateandrightfulether,claimedlegallythroughthetermsofasmartcontract”). 291. In this context, perhaps all participants, including investors and program-mers,couldbeconsideredsimplypartners.SeeStephenPalley,HowtoSueaDecentral-ized Autonomous Organization, COINDESK (Mar. 20, 2016, 3:17 PM), http://www.coindesk.com/how-to-sue-a-decentralized-autonomous-organization[https://perma.cc/B8L6-M7RM] (“A DAO is an organization that’s self-governing and thatisn’tinfluencedbyoutsideforces....DAOsareformedbygroupsoflike-mindedindi-viduals....”).Inthatevent,agencylawwouldpresumablyaddcomplexitytotheinter-pretativedefaults.


abletobringanactionforbreachagainstitsdevelopers,oreven,per-haps,againsttheattackerifitsactionamountedtoparticipatinginthenexusofcontractsthatTheDAOhadproposed.292

C. RECAPITULATINGTHECANONS:QUOINEANDNON-PUBLICSCRIPTSWehaveconfinedouranalysistothedefinitionoftransactional

scriptsweofferedintheintroduction.Suchscriptspresentarelativelytractablesetofproblemsforcontractjurists.Becausethescriptsarepublic,andparticipantstypicallyareknowinglyparticipatinginaspe-cializedformofcommerce,thesortsofconcernswemighthaveaboutknowledge,opportunism,andblack-boxcontractsare,byandlarge,muted.293

Howtoapplythecanonswhenpartiesarenotsophisticatedandcannoteasilyparsethecodeatthemomentoftheexchange,presentsadistinctanddifficultsetofquestions.IntheQuoinecase,forexample,itisnotobviousthateithersidehadeasyaccesstoeachother’scode.Wherepartiescannotaccesscode,itcan’tcommunicatemeaning,nomatterhowwelldrafteditscommentary.Thus,itcan’tbepartofthestackthatcomprisedthegristforthebargain.

Butwhathappenswhennon-programmingpartiescanaccessthecodebutthereisnosocialexpectationthatitexpressestheintenttocontract:thatis,whatabout“smartcontracts”withtransparentcode,butinvolvingordinaryconsumerswhomightnotevenbeawarethattheir contract’s execution occurs automatically?When natural lan-guagepromisesconflictswithcodedrules,shouldwereadthemto-gether?OnepossibilityisthatCanon3,whichtreatsnaturallanguagedescribingandcommentingoncodeasonthesamelevelascontracttermsthemselves,mightneedrecalibration.Oritmightnot.Becauseordinarycontracttermsthemselvesaretypicallyunread,moreworkisnecessarytoconsiderwhichsortsofburiedtermscountinmakingbargains.Weleavetheseproblemstofutureresearch.

292. SeeSEC.&EXCH.COMM’N,EXCHANGEACTRELEASENO.81207,REPORTOFINVESTI-GATIONPURSUANTTOSECTION21(A)OFTHESECURITIESEXCHANGEACTOF1934:THEDAO1,7–8 (2017), https://www.sec.gov/litigation/investreport/34-81207.pdf [https://perma.cc/Q4HV-SZXE](suggestingthatDAOcuratorsfacedpotentialliability);seealsoHinkes,supranote279(arguingthatinvestorscouldpotentiallybringclaimsagainstotherinvestorsandDAOcurators). 293. SeeGregoryKlass,HowtoInterpretaVendingMachine:SmartsContractsandContractLaw(unpublishedmanuscript)(onfilewithauthor),foranin-depthdiscus-sionoftheseissues.


IV.THEFUTUREOFTHECONTRACTSTACKTo date, transactional scripts haven’t delivered revolutionary

changetoeithertheworldoroursmall,legal,cornerofit.Inthebigpicture,theecosystemismarginal:billionsofdollarsofinvestmentinatrillion-dollarworldeconomy.Andyettheintellectualfootingsofthescript project are expanding at an astounding rate. Everyday, newprojects(likeFacebook’sLibra,orJPMorgan’sfiatcoin)launchwithscripted roots, and the technical community gains experience andcompetencewitheachfailure.Wesimplyhavenoideawhatthefutureofcodedexchangewilllooklike.294

Therelationshipbetweenthisburgeoning,butstillhighlyspecu-lative, ecosystem and law are typically described as antagonistic.Thus,fornotedcommentatorNickSzabo,theprimaryvirtueof“smartcontracts” is that they ostensibly don’t need law. 295 For others,scripteddeals“willsubjecttheprovisionof justicetomarketforcesandbreakthestate’smonopolyoverthecourtsystem.”296Thisisanideologicalcalltoarmsagainstthecivilizingandconstrainingrolethatcontractjuristshavetraditionallyhadincommerciallife.

Ourapproachisdifferent.First,unlikesomeskeptics,whothinkthattransactionalscriptsaretoyswithnorealusecases,webelievethat they are a potentially valuable new contracting technology. Itmightbethatscriptswillreduceback-endtransactionalcostsbyre-ducingtheneedfortransactionallawyering.297Incertainsettings,the

294. SeegenerallyAllen,supranote33,at322(warningagainst tooheavilydis-countingthelikelihoodofsuccessfuldeploymentoflegalcontractsincode). 295. See, e.g., Nick Szabo (@NickSzabo4), TWITTER (Oct. 14, 2018, 5:51 PM),https://twitter.com/NickSzabo4/status/1051606530108190720[https://perma.cc/N5JY-YVED](“Worryingaboutwhetherasmartcontractis‘legallyenforceable’re-flectsaprofoundmisunderstanding.ThemainrelationofsmartKstotraditionalcourtsisthatsmartKscontrolburdenoflawsuit.”);seealsoCleanApp,Why’sSzaboAfraidof“SmartContract”Critiques?,MEDIUM(Oct.16,2018),https://medium.com/cryptolaw-review/whys-szabo-afraid-of-smart-contract-critiques-669ef9e63fc0 [https://perma.cc/75CG-5NA3](statementofNickSzabo)(“Thepartiescaniftheychoosewriteatra-ditionalKtobackstopasmartK,althoughinmanysituationswhereasmartcontractisusefultheexercisewouldbepointless....”). 296. Raskin,supranote27,at335. 297. SeeSklaroff,supranote19,at275–77(notingthattransactionalscriptscanreduceaccounting,duediligence,monitoring,andenforcementcosts);seealsoWer-bach&Cornell,supranote26,at322,348(notingtheabilityoftransactionalscriptstoautomaticallyverify,facilitate,andremedy).


benefitsfromcuttingenforcementcostswillbeworththecostsofup-front specification.298 By reducingmonitoring costs on themargin,transactionalscriptsmaymakeitmorelikelyforpartiestoenterintotheexchange.Similarly,inregimeswhereinstitutionaltrustisatana-dir and centralized trading repositories are unreliable, scripts canprovidesignificantvalue.299

Andyet,thisvaluewillhavenaturallimits,definedbyatradeoffbetween the value of trustless computing and the added costs im-posedbythecomplexitytax,whosescopewearethefirsttomakecon-crete.Mostsolutionstothecomplexitytaxrequireeithertheinterme-diation of third parties or consensus protocols running across asmallersetofvalidators.300Thus,atleastfornow,complexorganiza-tionalsolutionswillremainwithin“real”contracts,whileparticular,discrete,computableaspectscanbeputonpublicblockchains.Thisconclusion fitswellwith themost sophisticatedguidance currentlyavailable.301

Thefutureofscriptsisthusabouthybrids,wherecodeandnatu-ral language must work together. At the bottom, legal scholarshipaboutcomputablecontractssimplyhasn’tfullygrappledwiththeir-reduciblybuggynatureofcoding.Errorsincodedexchangewillresultintheparties’outcomesstubbornlyfailingtomatchtheirgoals.Inourview,thepersistenceoferror,andthehazardsofdeterminingintent,makes recourse to third-party decisionmakers inevitable. Transac-tionalscriptsarenot,andwillnotbe,self-executing,atleastnotallthetime.Atthatpoint,suchdecisionmakerswillbewell-advisedtolookattraditionalcontractprinciplestohelpresolvedisputes.

298. Cf.Sklaroff,supranote19,at283–84(“Agreementsthateffectivelyspecifyrel-evantcommercialcontextare...easiertoresolveonsummaryjudgement,reducingincentivestolitigate.”). 299. See generally EricTjongTjinTai,ForceMajeure andExcuses in Smart Con-tracts,26EUR.REV.PRIV.L.787,787(2018)(notingthatthemainadvantageofsmartcontractsisguaranteedperformanceduetotheabsenceofhumanandlegalinterven-tion). 300. Other partial solutions to the complexity tax involvemore exotic forms ofcryptographicproofs(suchasProof-of-Retrievabilityforstorage)thatcanreducere-dundancyandthuscosts.See,e.g.,AndrewMiller,AriJuels,ElaineShi,BryanParno&JonathanKatz,Permacoin:RepurposingBitcoinWorkforDataPreservation,2014IEEESYMP.ONSEC.&PRIV.(proposingamodificationtoBitcointhatrepurposesitsminingresourcestodistributestorageofarchivaldata).Theultimateefficacyandcommercialadoptionofsuchschemesremainsanopenquestion. 301. Cf. INT’L SWAPS&DERIVATIVESASS’N, supra note 204 (providing “high-levelguidanceonthe legaldocumentationandframeworkthatcurrentlygovernsderiva-tivestrading”).


Ourapproachwouldbringscriptswithinthetraditionalworldofcontractlawthroughaconstitutivelegalact:thecompilationofacon-tractstack.Thissolutionisnotmerelyusefulforthecurrentformoftransactionalscript.Ithasrelevanceforothersortsofdigitalandal-gorithmiccontracting,whethernowcontemplatedoryettobeimag-ined.Codecancommunicateexecutoryintenttocontractandcanthusbethegristforlegalanalysis.But,becauseitisimperfect,code-medi-ated transactionswilloften fail toachievewhat theirpromisors in-tend,evenastheyaresurroundedbycommunicationsin“real” lan-guages,intendedtobereliedonbyrealpeople.Insuchcases,lawwillconfront—andmustsurmount—twotemptations:ignoringthecodealtogetherasamereinstrumentofperformanceorenforcingitasanexculpatoryclausewrittenincipheredtext.

Weargueforanalternativeapproach,whichfirst,claimstransac-tionalcode,commentary,andlogsasapartofthecontractualstack,capableofexpressingmeaningabout theparties’ intent.We’vealsodefinedahierarchyofmeaningthatsituatesnaturallanguagedisclo-suresaboveartificialones.Thecanonswe’veproposed,builtonanin-formedunderstandingof thecodingecosystem,predictablyenforcetheparties’reasonable,publiclycommunicated,intent,andwillforbidopportunisticexploitationofsubtleerrorsincoding.Theseoughttobethelaw’sgoalsincompilingcontractsexecutedonblockchains,aswellaswhateverformsofcodedexchangesthefuturedeliverstous.

Transactional Scripts in Contract Stacks

Documents

Transcript of Transactional Scripts in Contract Stacks