Transactional Scripts in Contract Stacks
Transcript of Transactional Scripts in Contract Stacks
University of Minnesota Law School University of Minnesota Law School
Scholarship Repository Scholarship Repository
Minnesota Law Review
2020
Transactional Scripts in Contract Stacks Transactional Scripts in Contract Stacks
Shaanan Cohney Hoffman, David A.
Follow this and additional works at: https://scholarship.law.umn.edu/mlr
Part of the Law Commons
Recommended Citation Recommended Citation Cohney, Shaanan Hoffman, David A., "Transactional Scripts in Contract Stacks" (2020). Minnesota Law Review. 3226. https://scholarship.law.umn.edu/mlr/3226
This Article is brought to you for free and open access by the University of Minnesota Law School. It has been accepted for inclusion in Minnesota Law Review collection by an authorized administrator of the Scholarship Repository. For more information, please contact [email protected].
319
Article
TransactionalScriptsinContractStacks
ShaananCohney†andDavidA.Hoffman††
Introduction............................................................................................................320 I.DesigningExpensive,BuggyScripts........................................................328
A. How(Commercial)CodingWorks...............................................328 B. AnIntroductiontotheBlockchainPlatform............................331 C. EthereumandScripting....................................................................335 D. CodingonEthereum...........................................................................341 E. Summary.................................................................................................346
II.TransactionalScriptsintheRealWorld..............................................348 A. Tokens......................................................................................................348 B. Exchanges...............................................................................................351 C. Oracles......................................................................................................354
III.ScriptsandStacks.........................................................................................358 A. TheCanonicalStack............................................................................362 B. TensionsWithintheStack...............................................................368 C. RecapitulatingtheCanons:QuoineandNon-Public
Scripts.......................................................................................................385 IV.TheFutureoftheContractStack...........................................................386
† Ph.D., Postdoctoral ResearchAssociate, Center for InformationTechnologyPolicy,PrincetonUniversity.Copyright©2020byShaananCohney.
†† ProfessorofLaw,UniversityofPennsylvaniaLawSchool.WethankAlexanderAltieri andChrissyPak for researchassistance, andYonathanArbel,BridgetFahey,James Grimmelmann, Greg Klass, Raina Haque, Bob Hillman, Drew Hinkes, CathyHwang,GabeKaptchuk,MaxRaskin,ElizabethPollman,GabeShapiro,JeremySklaroff,TimSwanson,AndreaTosato,AlecWebley,KevinWerbach,TalZarsky,EyalZamir,andparticipantsatworkshopsatAlabama,Penn,andUtahforcomments.ThisworkwassupportedinpartbygrantsfromtheRippleResearchFundattheWhartonSchoolandatthePrincetonCenterforITPolicy.Copyright©2020byDavidA.Hoffman.
320 MINNESOTALAWREVIEW [105:319
INTRODUCTIONInearly2019,agroupofpeoplefoundedEdgeware,ablockchain-
based platformdesigned to host software development.1Edgewaremadepotentialusersadeal:iftheyagreedtotemporarilysequestersomecryptocurrency(essentially,placinganinitialinvestmentines-crow),they’dgaingovernancerightsovertheplatformatalaterdate.2Themechanismforthatinvestmentwasapieceofcarefully-auditedsoftware, called “Lockdrop,”whichwas deployed on a blockchain.3Lockdropseemedtoembodyandconstituteanovelcontractingtech-nology,writteninaprogramminglanguage(Solidity)thatdidn’tevenexistadecadeago.4
ByJulyof2019,investorscommittednearly$300,000,000totheprojectusingLockdrop.5Thensomeonelookedwithparticularcareatthefollowingpieceofcode:6
assert(address(lockAddr).balance==msg.value);Asitturnsout,thislinewassusceptibletoasoftwarehackthat
wouldhavepermanentlyimpoundedinvestorassets.7Luckily,theer-rorwasdiscoveredbeforeitcausedharm.But,asthecoderwhodis-coveredthevulnerabilityputit,“smartcontractsaresoftware.Evencarefullyaudited,well tested softwarewill (almostalways) containbugs.Therefore,anddespiteourbestefforts...Smartcontractswill
1. COMMONWEALTHLABS,EDGEWARE:ANADAPTIVESMART-CONTRACTBLOCKCHAIN1(2019)[hereinafterEDGEWAREWHITEPAPER],https://arena-attachments.s3.amazonaws.com/3850782/1928e31873075de95992d4987eb14a2e.pdf?1552432633[https://perma.cc/J3GP-ERC4]. 2. Seeid.at5(“EDGentitlesholdersbothstakingandvotingrights....”).Foranintroductiontocryptocurrencies,seeShaananCohney,DavidHoffman,JeremySklaroff&DavidWishnick,Coin-OperatedCapitalism,119COLUM.L.REV.591,603–05(2019).SeealsoDAVIDFOX&SARAHGREEN,CRYPTOCURRENCIESINPUBLICANDPRIVATELAW(2019). 3. Certificate of Smart ContractAudit for Edge-Lockdrop,QUANTSTAMP (Apr. 8,2019), https://arena-attachments.s3.amazonaws.com/4282493/a155dc84aa1dfba4cfd3dc6be1e1ebdc.pdf?1557965252[https://perma.cc/UPC5-ZUPT]. 4. Id.(notingthatLockdropusedSolidityprogramminglanguage). 5. NeilMcLaren,Gridlock(ASmartContractBug),MEDIUM(July1,2019),https://medium.com/@nmcl/gridlock-a-smart-contract-bug-73b8310608a9 [https://perma.cc/V2G2-WT9L](“Edgeware’sLockdropsmartcontracthasprocessedover$900mil-lionofETHandlockedupover$290million.”). 6. Id. 7. Iftheattackerdesignatedcryptocurrencytothenextlockaddress,thetotalbalancewouldexceed theamount sentbyLockdrop, causing the check to fail.Thiswouldfreezethesequesteringprocesspermanentlyinplace.
2020] TRANSACTIONALSCRIPTS 321
(almostalways)containbugs!”8Thequestionweaskinthispaperissimple:cancontract lawmakesenseof intractablebugs in transac-tionalcode?Theanswerislikewisesimple:yes.
Buttotheirpromoters,evenbuggy“smartcontracts”likeLock-droparethevanguardofarevolution,heraldinganageinwhichcodewilldeposebothcontracttheoryandpractice.9Enthusiastsarguethatwhen contracts are embodied and performed by code, contractingcosts(likenegotiation,monitoring,andperformance)willfall.Betterstill,partieswon’tneedtotrusteachother,orcourts,tobeassuredthatthey’llgetwhattheybargainedfor.Theresult:“smartcontracts”areofferedasapotentialsolutiontoanastoundingvarietyofbusinessandsocialproblems.Theymaytransforminsurance,10financialderiv-atives,11consumerprotection,12corporategovernance,13tax filing,14voting, 15 supply chain management, 16 bankruptcy, 17 property
8. McLaren,supranote5. 9. Cf.PrimaveraDeFilippi&SamerHassan,BlockchainTechnologyasaRegula-toryTechnology:FromCodeIsLawtoLawIsCode,FIRSTMONDAY(Dec.5,2016),https://firstmonday.org/ojs/index.php/fm/article/view/7113/5657[https://perma.cc/2PX9-8C4K] (“Whatmakes theblockchaindifferent fromother technologies is thatsmartcontractsareactuallymeanttoreplacelegalcontracts.”);MarkVerstraete,TheStakesofSmartContracts,50LOY.U.CHI.L.J.743,743(2019)(“Themostardentsup-portersofsmartcontracts...claimthatsmartcontractsmightreplacelargeswathsofthetraditionalcontractsystem.”). 10. SmartContracts:10UseCasesforBusiness,AMBISAFE,https://ambisafe.com/blog/smart-contracts-10-use-cases-business[https://perma.cc/S9WA-FHMM]. 11. SeegenerallyINT’LSWAPS&DERIVATIVESASS’N,LEGALGUIDELINESFORSMARTDE-RIVATIVES CONTRACTS: INTRODUCTION (2019), https://www.isda.org/a/MhgME/Legal-Guidelines-for-Smart-Derivatives-Contracts-Introduction.pdf[https://perma.cc/N5XN-J5KQ]. 12. See generally Joshua Fairfield,Smart Contracts, Bitcoin Bots, and ConsumerProtection,71WASH.&LEEL.REV.ONLINE35(2014). 13. FiammettaS.Piazza,BitcoinandtheBlockchainasPossibleCorporateGovern-anceTools:StrengthsandWeaknesses,5PA.ST.J.L.&INT’LAFFS.262,282–86(2017). 14. ValentineP.Vishnevsky&ViktoriiaD.Chekina,Robotvs.TaxInspectororHowtheFourthIndustrialRevolutionWillChangetheTaxSystem:AReviewofProblemsandSolutions,4J.TAXREFORM6,20(2018). 15. SeeTsuiS.Ng,BlockchainandBeyond:SmartContracts,A.B.A.BUS.L.TODAY(Sept.28,2017),https://www.americanbar.org/groups/business_law/publications/blt/2017/09/09_ng [https://perma.cc/MD66-A7V4] (“Governmentsmay use smartcontractstomanage...e-voting.”). 16. SeegenerallyHorstTreiblmaier,TheImpactoftheBlockchainontheSupplyChain: A Theory-Based Research Framework and a Call for Action, 23 SUPPLYCHAINMGMT.INT’LJ.545(2018). 17. SeegenerallyAlanRosenberg,AutomaticContractsandtheAutomaticStay:APrimeron“SmartContracts”inBankruptcy,38AM.BANKR.INST.J.18(2019).
322 MINNESOTALAWREVIEW [105:319
rights,18andrepossessionthroughtheinternetofthings.19Butthere’smore.Jurisprudence—inthesenseofthefundamentalutilityofcon-tractdoctrine—isonthechoppingblock.20Formany,smartcontractsarethefirsttransformativelegalinnovationofthemillennium.21
Perhaps inevitably, “smart contracts,” a term that connotesmoney, computers, andmodernity, has invited a stampede of com-mentatorstospeculateaboutawidevarietyofpossiblecontractingtechnologies.22Manymarvelattheinnovationassomekindofutopiansimulacra: 23 an immutable, 24 transparent exchange, 25 occurring
18. See,e.g.,MichaelCasey,CouldBlockchainTechnologyHelptheWorld’sPoor?,WORLDECON.F.AGENDA(Mar.9,2016),https://www.weforum.org/agenda/2016/03/could-blockchain-technology-help-the-worlds-poor[https://perma.cc/4U9N-4S2F]. 19. Forthecanonicaldescription,seeJeremyM.Sklaroff,Comment,SmartCon-tractsandtheCostofInflexibility,166U.PA.L.REV.263,271–78(2017). 20. Fora lucidreview,seegenerallyMarcoDell’Erba,DemystifyingTechnology:DoSmartContractsRequireaNewLegalFramework?RegulatoryFragmentation,Self-Regulation,PublicRegulation,U.PA.J.L.&PUB.AFFS.(forthcoming2020),https://pa-pers.ssrn.com/sol3/papers.cfm?abstract_id=3228445[https://perma.cc./48NP-CWX7]. 21. See,e.g.,AlexanderSavelyev,ContractLaw2.0:“Smart”ContractsastheBegin-ningoftheEndofClassicContractLaw,26INFO.&COMMC’NTECH.L.116(2017);seealsoWhatisEthereum?,ETHERSCRIPTER,https://etherscripter.com/what_is_ethereum.html[https://perma.cc/LV8P-6BJD] (describing popular smart contract Ethereum as “anewkindoflaw”thatcanbe“perfectlyobservedandenforced”). 22. Thefishrotsfromthehead.SeeNICKSZABO,SMARTCONTRACTS:BUILDINGBLOCKSFOR DIGITAL MARKETS 1 (1996), http://www.truevaluemetrics.org/DBpdfs/Block-Chain/Nick-Szabo-Smart-Contracts-Building-Blocks-for-Digital-Markets-1996-14591.pdf [https://perma.cc/6BAR-V45A](definingsmartcontractsas“asetofpromises,specifiedindigitalform,includingprotocolswithinwhichthepartiesperformonthesepromises”).Inrecentyears,Szabohasvociferouslydefendedtheterm.See,e.g.,NickSzabo (@NickSzabo4), TWITTER (Oct. 14, 2018, 6:38 PM), https://twitter.com/NickSzabo4/status/1051603179526270976[https://perma.cc/5HC7-D95Z](“‘Smartcontract’isaveryusefulconcept&phrase.‘Smart’asin‘smartphone’(shorthandforcomputerizedphone),‘contract’meaningitdoessomeimportantthingswepreviouslyreliedoncontractstodoforourdeals,especiallycontrollingassets&incentivizingper-formance.”). 23. FrankPasquale,ARuleofPersons,NotMachines:TheLimitsofLegalAutoma-tion,87GEO.WASH.L.REV.1,24–25(2019). 24. JeffreyM.Lipshaw,ThePersistenceof“Dumb”Contracts,2STAN.J.BLOCKCHAINL.&POL’Y1,24(2019)(statingthatthekeycharacteristicsofsmartcontracts,“inad-ditiontoconsensus,includeimmutabilityandfinalityfromthetimetheyarecreatedandgoingforward”). 25. AdamJ.Kolber,Not-So-SmartBlockchainContractsandArtificialResponsibil-ity,21STAN.TECH.L.REV.198,208(2018)(“SinceEthereumsmartcontractsconsistofparticularcomputercodeonadecentralizedblockchain,itiseasytoverifyprogramexecution.”).
2020] TRANSACTIONALSCRIPTS 323
through“consensus,”thatis“self-executing”26or“automated.”27Withthatcapaciousdefinitioninmind,isthechipinyourVisaCardpartofasmartcontractnetwork?ThecodecomprisingtheVenmoApp?YourMetrocard?28Ifwecan’tunderstand thescopeof thisphenomenon,howcanwefairlyevaluatetheriskitposes,orthebenefitsitpromises,toourcommercialandsociallife?
Smartcontracts’flabbymeaningisnotthisArticle’sprecisetar-get.29Ratherweofferafocuseddescriptionofthemostcelebratedas-pectoftheunderlyingtechnologyanditsrelationshiptolegalorder.We’ll startby introducing anew term thatwe think captureswhatmostpeopleinthisfieldthinkofwhentheyconsider“smartcontracts”as theyarecurrentlydeployed.Wenameanddescribe the transac-tional script.30Here is a parsimonious definition (thatwe’ll unpacklater):31
Atransactionalscriptisapersistentpieceofsoftwareresidingonapublicblockchain.Whenexecutedasapartofanexchange,thecodeeffectuatesaconsensuschangetothestateofaledger.
26. ProfessorsKevinWerbachandNicolasCornellarguethatsmartcontractsaredistinctivebecause“juridicalforumsarepowerlesstostoptheexecutionofsmartcon-tracts—there isno room tobringanaction forbreachwhenbreach is impossible.”KevinWerbach&NicolasCornell,ContractsExMachina,67DUKEL.J.313,332(2017);seealsoAmy J. Schmitz&ColinRule,OnlineDisputeResolution for SmartContracts,2019J.DISP.RESOL.103,106,107,113(describingsmartcontractsas“self-enforcing,”“self-governing,”andwith“noambiguityaroundtheparties’obligations”). 27. ChristopherD. Clack,VikramA. Bakshi& LeeBraine, Smart Contract Tem-plates:Foundations,DesignLandscapeandResearchDirections2(Mar.15,2017)(un-publishedmanuscript),ARXIV:1608.00771;seealsoMaxRaskin,TheLawandLegalityofSmartContracts,1GEO.L.TECH.REV.305,309(2017)(“Asmartcontractisanagree-mentwhoseexecutionisautomated.”). 28. SeeKolber,supranote25. 29. Cf. Ed Felten, Smart Contracts: Neither Smart nor Contracts?, FREEDOM TOTINKER(Feb.20,2017),https://freedom-to-tinker.com/2017/02/20/smart-contracts-neither-smart-not-contracts[https://perma.cc/NZ2Q-GFHE]. 30. Foradefinitionofsmartcontractsthattrackswithourtransactionalscript,see Carla L. Reyes, If RockefellerWere a Coder, 87 GEO.WASH.L.REV. 373, 383–84(2019),whichstatesthat:
Theterm“smartcontract”referstodecentralizedcomputercodethatrunsonaDLTprotocolandmanifestssomecombinationofthefollowingcharac-teristics:exertssomecontroloverassetsdigitallyrecordedonaDLTproto-col,takessomeactionuponreceiptofspecifieddata,isoften,butnotalways,partofaDLT-basedapplication,guaranteesexecution,andwritestheresult-ing state change from the operation of the smart contract into the DLT’sledger.
31. Cf.PeterG.L.Hunn,SmartContractsasTechno-LegalRegulation,7J.ICTSTAND-ARDIZATION269,275(2019)(focusingon“adeterministicstatemachine”anda“con-sensusprotocol”thatprovidesagreement“onthesamesequenceofoperations”).
324 MINNESOTALAWREVIEW [105:319
Westressthatourfocus—forthemoment—isnarrowerthanalldigitizedexchanges,32orevenalldealsaccomplishedthroughblock-chain-styleledgers.33Thatis,transactionalscriptssitatthecoreoftherapidlyexpandinggroupofthingscalled“smartcontracts,”butdonotencompass the whole field. Crucially, transactional scripts are ex-changesthatoperateinpublic—indeed,theyarevaluableinlargepartbecausetheirresolutionmustbeagreedtobymultipledifferententi-ties,jointlyoperatingonanoperatingsystemwithfixedandtranslu-centrules.
Transactionalscriptsareastrikinglegalinnovationandmuchofthecurrentinterestinsmartcontractsinfactregardsthem.34Butlaw(andlawyers’)roleinthecreationandexecutionofscriptsisunclear.Even apart from the performative techno-libertarian claims aboutlaw’sabnegation,manyscriptingprojectsaremissingmanyoftheac-coutrements of transactional law. More plainly put, currently de-ployedtransactionalscripts—thosethatareexposingrealpeopletofinancialandpersonalrisks—oftenrelyonthecodealoneastheirpri-maryrisk-allocationmechanism.Andthecodeerrs.
IntheEdgewareproject,noneofthegovernancepromiseswereexpressed in a natural language “contract” as we understand thatterm,eveninthedigitalsphere,as inaclick-wrapagreement.Theyexistedratherina“whitepaper”—aself-publisheddocumentwithno
32. Foratremendoussurveyofdigitizedexchanges,seeHarrySurden,Computa-bleContracts,46U.C.DAVISL.REV.629(2012).Surdendiscusses“autonomouscomput-ablecontracting”onlybriefly.Id.at694–95. 33. The reader would benefit from reading the following excellent works onscripts (broadly defined): Sklaroff, supra note 19; J.G. Allen,Wrapped and Stacked:“SmartContracts”andthe InteractionofNaturalandFormalLanguage,14EUR.REV.CONT.L.307(2018);Werbach&Cornell,supranote26;KarenE.C.Levy,Book-Smart,NotStreet-Smart:Blockchain-BasedSmartContractsandtheSocialWorkingsofLaw,3ENGAGINGSCI.TECH.&SOC’Y1(2017);JamesGrimmelmann,AllSmartContractsAreAm-biguous,2 J.L.&INNOVATION1 (2019);PRIMAVERADEFILIPPI&AARONWRIGHT,BLOCK-CHAINANDTHELAW:THERULEOFCODE(2018);JonathanRohr,SmartContractsinTradi-tionalContractLaw,or:TheLawoftheVendingMachine,67CLEV.ST.L.REV.67(2019);EdmundSchuster,CloudCryptoLand,MOD.L.REV.(forthcoming2020)(manuscriptat23–25),https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3476678[http://perma.cc/YAY3-TA63]. 34. SeeGlobalSmartContractsMarket,MKT.RSCH.FUTURE,https://www.market-researchfuture.com/reports/smart-contracts-market-4588[https://perma.cc/F3DN-L98D](“Theglobalsmartcontractsmarket isexpected toreachapproximately300USDMillionbytheendof2023....”);cf.VentureCapitalFirmsGoDeepandWidewithBlockchain Investments, DIAR (Oct. 1, 2018), https://diar.co/volume-2-issue-39[https://perma.cc/V6Q2-ZLVR](“[I]njust...threequartersof2018,blockchainandcrypto companies have raised nearly 3.9Bn through traditional VC—280% more[than]lastyear....”).
2020] TRANSACTIONALSCRIPTS 325
standardformanduntestedlegaleffect.35Thatwhitepaperstatesthatuserswillreceive“[d]ownsideprotection”inthecaseofa“maliciousattack or exploit,” anddescribes the lockdrop contract as a failsafetechnique.36Moreover,thepromoterssuggestthatitwouldbeimpos-sible to falsely claim ownership for an address.37 Needless to say,theserepresentationsdonotmatchtherealityofwhatthebuggycodedelivered.But,equallyobviously,sincethecodewaspublic,itslatenterrors were also theoretically knowable, at least to sophisticatedcounterparties.
Otherexamplesofcodingerrorsandoversightsabound—includ-ingthenowinfamousDAOhack,whichwewilldiscusslater.38Inmanycases,thelosersofcodingerrorshavepaidoffthewinnerstoundotransactions.39Suchsettlementsoccurintheveryindistinctshadowoflaw:thereisn’tabodyofcasesthatdirectlyaddressthequestionofwhathappenswhentransactionalscriptsgowrong.40Theacademicliteraturetoohaslargelydownplayedtheroleandcapabilitiesoflawinresolvingtransactionalscriptsgonewrong.41
Eventhemostsophisticatedtreatmentsintheliteraturelargelyfocus on what happens when scripts accomplish their promisedaims.42Somearguethatthetechnologyissimplyincapableofthesorts
35. EDGEWAREWHITEPAPER,supranote1,at9–15. 36. Id.at6–7. 37. Id.at11–12(“Uponinspection[ofthetransactionhash],averifiershouldhaveenoughproofthatiftheownerofthe...accountdidnotalsoowntherecipientEdge-wareaccount(representedasthetargetaddress...),thentheywouldnotissuesuchatransaction.”). 38. Seeinfratextaccompanyingnotes276–79. 39. The literaturehasnoted thatoften firmspricebugbounties too lowwhencomparedwiththeirafter-market(andillegitimate)use.LorenzBreidenbach,PhilipDaian,FlorianTramer&AriJuels,EntertheHydra:TowardsPrincipledBugBountiesandExploit-ResistantSmartContracts,27PROC.USENIXSEC.SYMP.1335,1335(2018).It isdifficulttoknowhowcommonself-helpis intheworldoftransactionalscripts.Victimshavelittleincentivetopublicizetheirfailuretowritebettercode,whilesuc-cessfulattackersmaywishtoavoidpublicrenown(ifnotthetaxauthorities). 40. See, e.g., LaurenHenryScholz,AlgorithmicContracts, 20STAN.TECH.L.REV.128,141(2017)(discussingtheapplicationofcontractandagencylawtoalgorithmiccontractsandnotinglackofcaselaw). 41. Cf.Dell’Erba,supranote20(manuscriptat21)(“Itcouldbethattheremaybeabuginthecodeorthatthepartiesmayreconsiderwhattheywant.”). 42. CompareWerbach&Cornell, supranote26,at350–64(thingsgoingwell),withid.at365–67(notaswell).
326 MINNESOTALAWREVIEW [105:319
oferrorthatlawcaresabout:the“[c]odetypicallyentailsnoambigu-ity,andnovariantinterpretationispossible.”43Otherslamentthatbe-causetheblockchaincodeisself-contained,itcontainsnoplacewithinitfor“defaultlaw”toexist.44Worse,evenifthereareplacesforlaw’stoolstohavepurchase,jurists“maynotbeabletohypothesizearea-sonablehuman’sinterpretationofagivensmartcontract.”45
Suchhandwavingisanunwarranted,andultimatelyunworkable,surrenderofthelaw’sroleinadjudicatingdisputes.Codethatembod-ies commercially-significant scriptswill inevitably containambigui-ties,anddisappointedpartieswillaskjudgestoadjudicatetheirrights.Atthebasiclevel,asJamesGrimmelmannhasrecentlyobserved,the“meaningofanyspecificprogramrestsonafoundationofsomeprioragreementabouthowtointerpretsomelargerclassofprograms.”46Heconcludesthatwhiletheremaybefewersuperficialexamplesofinterpretativegapsinformalcode,“whenthebottomdropsout,itcanreallydropout.”47It’sthenthatlawwillbeaskedtostepinandpro-viderationalandpredictablesolutions,whichwillalmostcertainlybedevelopedbyanalogytooff-chainexchanges.
Butanalogiescandeceive.Whereasscholarsandjuristswhocon-frontquestionsaboutordinarywrittencontractshaveadeepworkingknowledgeofhowsuchexchangesfunction,transactionalscriptsarefunctionallyinnovativeandthelegalcommunityhasyettocoalescearoundevenabasicunderstandingofwhattheyare, letalonewhattheydo.What’sneeded,then,isaworkingknowledgeofthewaysinwhichthevocabularyandfunctioningofthecodeitselfcancreatedis-connects between the intent of the humans coding transactionalscripts and the code’s function.48Describing the plumbing of thesephenomenaisthefirstcontributionofthisArticle,andoccupiesPartI.Wemaketwofundamentalobservations.
43. WulfA.Kaal&CraigCalcaterra,CryptoTransactionDisputeResolution,73BUS.LAW.109,136n.94(2017–2018). 44. UshaR.Rodrigues,LawandtheBlockchain,104IOWAL.REV.679,682(2019)(“Becausethesmart‘contract’iscodealone,thereisnogap,inthesenseofanentrypoint,forthelawtostepintofill.”). 45. Kaal&Calcaterra,supranote43,at136;Schmitz&Rule,supranote26,at103(“Thosewith no coding background cannot easily interpret a smart contract in itsrawestform.”). 46. Grimmelmann,supranote33,at12. 47. Id.at20(“Therelevantcommunitycanredefinetheprogramminglanguageinawaythatradicallyaltersthemeaningofprogramswritteninit.”). 48. Ontheproblemscausedbyblockchainjargon,seeAngelaWalch,Blockchain’sTreacherousVocabulary:OneMoreChallengeforRegulators,J.INTERNETL.,Aug.2017,at1.
2020] TRANSACTIONALSCRIPTS 327
First,thesoftwarelanguagedevelopmentenvironmentofalmostallextant transactionalscriptshas features (andentailsuncommonpractices)whichmakecodingerrors,andgapsbetweencoders’intentandexpression,bothlikelytooccuranddifficulttoresolve.49Second,the dominant platform for scripts—Ethereum—assesses a tax oncomplexprograms.Thisfeemakestransactionalscriptsunsuitedformanyknottycontractingproblems,unlesstheirdraftersmakepartsofthecodenon-public,thusstrippingscriptsofmuchofwhatmakesthemanelegantsolutiontoproblemsoftrustinexchange.
Withabettergraspofhowscriptsoperate,PartIIusescaseex-amples to argue—contrary to the dominant account—that thesescripts fail inwaysthatare legibletotraditionalcontractual frame-works.Putsimply,theyfailtoaccomplishtheirparties’intent.Thoseexamplesstartwith“tokens”issuedin“initialcoinofferings,”continuewithdecentralizedexchanges,andfinallyconsiderso-called“oracles.”Wedescribeboththecodedandnaturallanguagepromisesaccompa-nying theseprojects.Eachsuchcategoryof transactional scripthasbeen touted as a revolutionary financial innovation. Each, as we’llshow,havealreadyproducederrorswithreallegalconsequences.
InPartIII,weaskhowlawoughttorespondtothesortsofprob-lemsoccasionedbysuchsystematicfailuresoftransactionalscripts.We argue that the layering of transactional script and natural lan-guagepromiseisbestunderstoodasproducingacontractstack.Con-tractstacksareinevitablewhenpartiescometogethertoaccomplishcommercialends,eveniftheytrytheirhardesttomakethecodethefinal answer to all their problems. Collecting the meager extantcaselaw,anddeployingoldfashionedrulesofinterpretation,weofferanovelframeworkthroughwhichcourtsoughttocompilesuchstacksandthusmakesenseofthesenewformsofcommercialexchange.
Theframeworkweoffer,thoughfocusedonthescriptedecosys-temofthemoment,hasgeneralapplication.Futureiterationsofdigit-ized transactions,whetherusingblockchainor other formsof soft-ware, will require courts to make sense of gaps between naturallanguage promises and coded executions. Our approach brings oldprinciplesofcommonlawtobearontheproblemsthatthenextgen-erationofcontractpractitionersandacademicswillface.
49. SeeElaineOu,BlockchainIsLitteredwith‘Smart’ContractsGoneBad:Opinion,INS. J. (Nov. 16, 2017), https://www.insurancejournal.com/news/international/2017/11/16/471387.htm[https://perma.cc/P5MF-67N3].
328 MINNESOTALAWREVIEW [105:319
I.DESIGNINGEXPENSIVE,BUGGYSCRIPTSWebeginwithapreciseaccountofthecreationandfunctionof
transactionalscripts.Totheextentthatthediscussionrequiresstrug-glingwithnewjargon,ourpetardhasbeenwell-hoisted.50Ourgoalisnotmerelytodemystifythistechnology,butalsotheworldandsocialpracticesofcoderswhoseworkincreasinglymatterstolawandtrans-actionalpractice.Wemaketwoprimarycontributions.First,wetrytoexplainwhycodeisintrinsicallybuggy.Second,weoffersomereasonsto be skeptical about scripts’ innate ability to simultaneously solveproblemsoftrust,complexityandautomationofdeals.
We startwith the functional questionofhowcoders go abouttheirwork.
A. HOW(COMMERCIAL)CODINGWORKSTheprocessoftakingaprogrammer’sintentfromcodetoexecu-
tioninvolvesmultiplesteps,eachofwhichcananddoesintroduceer-ror.Justaswhenlawfirmsdraftcontracts,programmingprogressesin pieces and through teams. 51 Programming teams typically startwithahuman-drivengoal.Theythenchoosealanguageinwhichtocode.Typically,coderswillchooseahigh-levellanguagethatabstractsawaythedetailsofthemachine’shardwareandallowsprogramminginsyntaxclosertonaturallanguage.
Transactional scripts are commonly coded in Solidity, the lan-guageconceivedalongsideof,andforuseon,Ethereum,theplatformonwhichmostscriptsoperate.52Itissyntacticallysimilartothepop-ular,web-developmentlanguage,Javascriptandthuslooksfamiliartomanynon-smart-contractcoders.Tocreateatransactionalscript inSolidity,acodercreatesatextfilewithcontentsthatconformtothepubliclyavailablespecificationoftheSoliditylanguage,andthatcap-tureinprogrammaticformthedesigngoal.53
50. Cf.ELIZABETHMERTZ,THELANGUAGEOFLAWSCHOOL:LEARNINGTO“THINKLIKEALAWYER”(2007)(providingtheclassictextonhowlawstudentsaretaughttothinkandargueindistinctiveways). 51. On“flexiblestandardization”andtheproductionofcontractsinlawfirms,seeMatthewJennejohn,TheArchitectureofContractInnovation,59B.C.L.REV.71(2018). 52. Foragoodoverviewof thecodingecosystem, seeRainaS.Haque,RodrigoSeiraSilva-Herzog,BrentA.Plummer&NelsonM.Rosario,BlockchainDevelopmentandFiduciaryDuty,2STAN.J.BLOCKCHAINL.&POL’Y1,16–17(2019). 53. Formoreontheprocessofopensourcedevelopmentinblockchaingenerally,seeAngelaWalch,Open-SourceOperationalRisk:ShouldPublicBlockchainsServeasFi-nancialMarketInfrastructures?,in2HANDBOOKOFBLOCKCHAIN,DIGITALFINANCE,ANDIN-CLUSION252–54(DavidLeeKuoChuen&RobertDengeds.,2017).
2020] TRANSACTIONALSCRIPTS 329
Liketraditionalcontractdrafters,transactionalscriptdevelopersfreely use boilerplate. A significant fraction of code in open sourcesoftwareprojects iscopied.54Thispractice isalsoprominentwithinthetransactionalscriptsworld,withonestudyfindingin95%ofim-plementations thatperformedacommonfunction,codershadusedidentical syntax.55Reusingor retrofitting code fornewends servesmultiplepurposesfordevelopers.Reusedecreasesdevelopmenttimeandmayprovide ready-made, secure, and compatible solutions fordifficultcodingproblems.Codereusecanalsocauseproblems,makingdevelopers reliant on code they may not understand, propagatingbugs,andincreasingdevelopmenttimewherereusedcodeisdifficulttounderstandoradapt.56
Knittingtogetherthesepiecesofboilerplatewithbespokecodeisan iterativeprocess,andprogramsarecreatedacrossmultipleses-sionsconsistingofcodingandtesting.Tokeeptrackofchanges,andthecontributionsofmanyindividuals,57softwareprojectsuseversioncontrolsystemsthatthemselvescapturealogofeachchange.58Toaddachangetoaversioncontrolsystem,codersaretypicallyrequiredtoexplicitlyidentifythechange/stheywishtoadd,describeitina“com-mitmessage”andsendittoaserverthattracksthefullsetofchangesacrossusers.59
54. Developersreportameanthirtypercentoffunctionalityisderivedfromre-usedcode.SeeManuelSojer& JoachimHenkel,CodeReuse inOpenSourceSoftwareDevelopment:QuantitativeEvidence,Drivers,andImpediments,11J.ASS’NFORINFO.SYS.868,869(2010). 55. SeeYiZhou,DeepakKumar,SuryaBakshi,JoshuaMason,AndrewMiller&Mi-chaelBailey,Erays:ReverseEngineeringEthereum’sOpaqueSmartContracts,27PROC.USENIX SEC. SYMP. 1371, 1371 (2018), https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-zhou.pdf[https://perma.cc/GJ94-S6F8]. 56. EthereumSmartContractBestPractices,GITHUB,https://consensys.github.io/smart-contract-best-practices/general_philosophy[https://perma.cc/NS6T-MQ34](“Asmartcontractsystemfromasoftwareengineeringperspectivewishestomaxim-izereusewherereasonable.”). 57. Programmerswillsometimespairprogram:areviewerassesseseachlineofcodeastheprimaryprogrammeristyping.Thereviewersuggestschanges,spotser-rorsandoftendrivesthestrategicdirectionofthecode.See,e.g.,LaurieWilliams,Rob-ertR.Kessler,WardCunningham&RonJeffries,StrengtheningtheCaseforPairPro-gramming,IEEESOFTWARE,July/August2000,at19. 58. Distributedversioncontrolsystemshavemuchincommonwithblockchains.Theyrecordsequencesofchangestoacommon,replicatedrecordusingachainedhashstructurethattiestogethereachnewchangewiththecompletepasthistory.Theydonotsolveconsensusproblems,relyingonindividualstodeterminetheoutcomeofcon-flicts. 59. Whiledecentralizedversioncontrolsystems(DVCS)suchasgitcanintheoryoperatewithoutacentralizedserver,theconvenienceofahostthatisalwaysonline
330 MINNESOTALAWREVIEW [105:319
Figure1:AwellwrittencommitmessagefromtheBitcoincorerepos-itoryexplainingthechangesmadeandthereasoningbehindthem.60 Whenaddedtothesystem,thesetofchangesistermeda“com-mit.”Thecommitloggeneratedbyaversioncontrolsystemthuscon-tainsevidenceofthedraftingprocess,bothincodeandhumanreada-bleform.Thelogandcodeareavailabletoalldevelopersonaprojectandmaysometimesbestoredonapubliclyaccessibleserver.
Largefirmsenforcedisciplineoverthiscommitlogsystem:com-mitmessagesmustcapturetheintentandeffectofachange.Insmallerdevelopment outfits, programmers often fail to includemeaningfulcommitmessagesandthelogmaythuspoorlycaptureintent.61
Anotherprominentpracticecommontowell-disciplineddevel-opment teams iscode review.Beforea serveror teamwill acceptacommit,itpassesthroughhumanreview.Thereviewisperformedbyotherteammembers,whocommentonaplatformintegratedwiththe
andauthoritativeensuresthatmostdeploymentsusesuchaserver.Commoncommer-cialserviceprovidersoftheseserversincludeGithub,Gitlab,andBitbucket. 60. https://github.com/bitcoin/bitcoin/commit/eb0b56b19017ab5c16c745e6da39c53126924ed6.patch[https://perma.cc/UL38-WEK3]. 61. Shortformcommitmessagescanrangefromtheinsightful,“Simplifyserializeh’sexceptionhandling,”tothebanal,“fuckfuckholyshitfuckIthinkIfinallyfixedmyshittygitfuck.”ChrisBeams,HowtoWriteaGitCommitMessage,INCEPTIONINNOVATION,https://inceptioninnovation.com/blog/tutorial-5/post/how-to-write-a-git-commit-message-14[https://perma.cc/3Z9G-CPFV];RamiroGómez,ExploringExpressionsofEmotions inGitHubCommitMessages,GEEKSTA(May10,2012),https://geeksta.net/geeklog/exploring-expressions-emotions-github-commit-messages/ [https://perma.cc/NT3D-UPGT].
commit eb0b56b19017ab5c16c745e6da39c53126924ed6 Author: Pieter Wuille <[email protected]> Date: Fri Aug 1 22:57:55 2014 +0200 Simplify serialize.h's exception handling Remove the 'state' and 'exceptmask' from serialize.h's stream implementations, as well as related methods. As exceptmask always included 'failbit', and setstate was always called with bits = failbit, all it did was immediately raise an exception. Get rid of those variables, and replace the setstate with direct exception throwing (which also removes some dead code). As a result, good() is never reached after a failure (there are only 2 calls, one of which is in tests), and can just be replaced by !eof(). fail(), clear(n) and exceptions() are just never called. Delete them.
2020] TRANSACTIONALSCRIPTS 331
versioncontrolsystem.Thereviewersassessallelementsofthecom-mit—themessage, thequalityof thecode implementingthechangeand the intentof thechange—andeitheraccept, reject,orsend thecommitbackforfurtherreview.
Onceaprogramisreadytobetested,itmustbeconvertedfromthe high-level language tomachine instructions. The conversion isdonethroughtheaidofacompiler,asecondaryprogramdevelopedforthisexpresspurpose.62Compilers,assoftwarethemselves,areim-perfect.Rarely,theycontainbugsthatcauseamistranslationfromthehigh-levellanguagetothetargetlanguage,furtherobscuringthelinkbetween programmer intent and program. Theymight also be de-signedmaliciouslyornegligently.63
However,ifallgoeswell,theoutputfromthecompilingprocessisbytecode,alow-levelrepresentationofthehigh-levelprogramthatthecomputer canexecutemoredirectly.Toprovidesomeconcretedetail,wenowturntotheblockchainplatformsofinterest.
B. ANINTRODUCTIONTOTHEBLOCKCHAINPLATFORMBlockchains are already the subject of a large legal literature.
Here,wesketchonlythebroadeststrokes.Essentially,theyareplat-formsfordistributeddataprocessingthatcreateincentivesforuserstoagreeon,andstore,outcomesofcomputation.64Ablockchaingen-erally consists of two components: storage structures that track
62. Therearetwoprimarywaysprogramsareexecuted:directlyorthroughaninterpreter.Directly executedprogramsundergomultiple translation (compilation)stepstakingtheprogramfromhuman-readablesourcecode,toless-humanreadableassembly code, tomachine readable instructions. See Introduction to ProgrammingLanguages/Compiled Programs, WIKIBOOKS (Sept. 29, 2019, 12:45 AM), https://en.wikibooks.org/w/index.php?title=Introduction_to_Programming_Languages/Compiled_Programs&oldid=3581047 [https://perma.cc/RLC4-9QYN]. Interpretedprogramsgenerallyundergoapreliminaryformofcompilationbutarenotthemselvesconvertedintomachineinstructions.Rather,aninterpreterexecutesthepreliminaryformbyasetofrulesactingonavirtualmachine.SeeIntroductiontoProgrammingLanguages/Interpreted Programs, WIKIBOOKS (Sept. 27, 2017, 6:49 PM), https://en.wikibooks.org/w/index.php?title=Introduction_to_Programming_Languages/Interpreted_Programs&oldid=3304944[https://perma.cc/4UBZ-FZRZ]. 63. SeeKenThompson,ReflectionsonTrustingTrust,TuringAwardLecture,27COMMC’NSACM761(1984).Soliditycompilers,withtheirrelativeclosenesstoblock-chainbasedassets,makeasimilarlyattractivetargetforattacks.TheSolidityfounda-tionmaintainsa listofknownvulnerabilities.ListofKnownBugs, SOLIDITY,https://solidity.readthedocs.io/en/v0.5.12/bugs.html[https://perma.cc/XM2S-DAY4]. 64. See generally DEFILIPPI&WRIGHT, supranote 33, at 33–49; Theophanis C.Stratopoulos& Jesús Calderón, Introduction to Blockchain for Accounting Students(Aug. 20, 2020) (unpublished manuscript), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3395619 [https://perma.cc/6YP7-NZ8B];DYLANYAGA,PETERMELL,
332 MINNESOTALAWREVIEW [105:319
changesinthesystemandalgorithmsthatensureconsistencyofdataacrossstoragelocations.
Ablockchainidentifiesdatarecordsbyhashes:theoutputofanalgorithmcalleda cryptographichash function.65This easy-to-com-pute equation takes potentially voluminous data as input and pro-ducesashort,fixed-length,output—thehash.Critically,therearenoknownmethodstoeasilyperformthereversecomputation.66Itissim-ilarlyhard to find twodifferent setsofdata thatwhen fed into thefunctionbothproducethesamehash.67Thiscreatesatiebetweentheinput data and the hash. The hash acts as the “name” of the block,uniquelyidentifyingitbyitscontents.
Dataisorganizedintoblocks,witheachblocklinkingtoasetofstoreddata.Eachblockcontainsahash(belowinbold)correspondingtothestoragerecordslinkedtotheblockandthehashofthepreviousblock(shownas“prev”).
Ablock’shashiscomputedbyfeedingthecontentsoftheblockintothehashfunction.Thehashthereforeisstronglytiedtothedatawithintheblock,andalsotiestheblocktothosethatcomebefore.Thispropertyensuresanorderingtotheblocks,creatingthechainaspectofablockchain.Updates(proposedoraccepted)toablockchainaregenerallycontainedwithin “transactions,” small setsofmachine in-structions or transactional records that comprise the data withinblocks.Ablockisassociatedwithtransactiondatathroughanaddi-tionalhashstoredwithintheblock,inourfigurethishashisdepictedasH(data).68
NIKROBY&KARENSCARFONE,NAT’LINST.OFSTANDARDS&TECH.,INTERNALREPORT8202,BLOCKCHAIN TECHNOLOGY OVERVIEW (2018), https://doi.org/10.6028/NIST.IR.8202[https://perma.cc/8E82-6GQR]. 65. Yagaetal.,supranote64,at7–13;Stratopoulos&Calderón,supranote64,at34–40. 66. Note:thecryptographichashfunctionsusedforsystemssuchasblockchainsbearadditionalsecurityproperties.See JONATHANKATZ&YEHUDALINDELL,INTRODUC-TIONTOMODERNCRYPTOGRAPHY128–30(2007). 67. Itwouldtakearound720timestheageoftheuniversetofindacollisionforitshashfunction.SeeAshifShereef,APhysicist’sJourneyintoCrackingtheBitcoin,HACK-ERNOON(Mar.27,2018),https://hackernoon.com/a-physicists-journey-into-cracking-bitcoin-4631e57158cc[https://perma.cc/LTS6-M4BC]. 68. Thehashoverthedata iscomputedwiththeaidofanadditionalstructureknownasaMerkleTree.ThepropertiesofaMerkleTreeallowonetoeasilynoticeifthecontentsofaparticulartransactionhavechangedwithoutcheckingtheentiretyof
H1
prev: H0 H(data)
H2
prev: H1 H(data)
H3
prev: H2 H(data)
2020] TRANSACTIONALSCRIPTS 333
Usingachainasapublicandtrustedrecordrequiresamecha-nismtoachieveconsensusonthecontentsoftherecord.Participantsfollowawell-definedsetofrulesthatallowthemtoagreebothonthevalidityofaparticularchain,andtheordering(andacceptability)ofanyproposedupdatestothechain.69Participantsconnecttoonean-otherovertheinternet,formingasubnetworkwithinthelargernet-work.Participantssendandreceivemessagesinasetformattoindi-catetheirresponsestoproposedchangestotheblockchain.
Theblockchainrecordseachupdatethathaseverhappenedtothedataitstores.Byviewingtherecordofchanges,aviewercanac-cessthehistoricalstateofthechain.Thecontentsofablockchainarefixedonlysolongastheparticipantsagreeaboutwhatconstitutestheset of previous transactions. 70 Moreover, while the record of pasttransactionsmaybeunchanged,afuturetransactionmaymodifytheledgertomakethemostrecentcontentsidenticalinsubstancetothecontentsatapriortime(differingrecordsofthepastnotwithstand-ing).
Protocolscommonlyfeaturevalidatorswhovieforthescarceop-portunitytosubmitthenextblocktothenetwork.71Thosethatsuc-ceedataddingablockclaimareward.72Acapontheamountofdatathatcanbestoredinasingleblock,incombinationwiththerestrictedopportunitiestoaddblocks,limitsthenumberoftransactionsthatcanbeprocessedinaunitoftime.73
the data. See Shaan Ray, Merkle Trees, HACKERNOON (Dec. 14, 2017), https://hackernoon.com/merkle-trees-181cb4bc30b4[https://perma.cc/M9CV-GDJW]. 69. Theserulesaretheprotocolgoverningthesystem.SeeGrimmelmann,supranote33,at8. 70. Forks serve as an “ever-present escape valve” frommajority consensuseswithwhichaminorityofblockchainparticipantsdisagree.Haqueetal.,supranote52,at34. 71. Insuchprotocols,asubspeciesofvalidators,miners,arealsogiventheoppor-tunitytomintanewunitofthecorrespondingcryptocurrency,updatingtheledgertograntthemownershipoverthenewcoin.Id.at149. 72. Opportunitiestoaddblocksareallocatedaccordingtotheconsensusscheme,thetwomostpopularofthesebeingProof-of-Work,whichprobabilisticallyallocatesopportunities based on amount of computational effort spent, and Proof-of-Stakewhichprobabilisticallyallocatesopportunitiesinproportiontoaminer’sstakedcryp-toasset. 73. Dubbedthescalingproblem,maximizingtransactionthroughputisahighlyactiveareaofresearch.Proposedsolutions includemovingcertain transactionsoff-chainandothernovelprotocoldesigns.See,e.g.,ConnorBlenkinsop,Blockchain’sScal-ing Problem, Explained, COINTELEGRAPH (Aug. 22, 2018), https://cointelegraph.com/explained/blockchains-scaling-problem-explained[https://perma.cc/PC48-3H75](givinganoverallexplanationofthescalingproblemandpresentingoff-chaintransac-tionsasapossiblesolution).
334 MINNESOTALAWREVIEW [105:319
Anindividualwishingtotransactviathenetworksubmitstheirproposedtransactiontothepeer-to-peernetworkandindicateshowmuchtheyarewillingtopay(incryptocurrency)tohavetheirtrans-actionprocessed.74Validatorswillprocesssuchuser-submittedtrans-actions,claimingassociatedprocessingfees.75Thesizeofthefeeisin-verselycorrelatedwithhowlongthenetworkwilltaketoprocessthetransaction,asalargerfeemorestronglyincentivizesvalidatorstoin-cludethattransactionwithinthenextblock.76
Blockchainledgerentriesareassociatedwithidentifiersknownas addresses, which determine who controls particular ledger en-tries.77Digitalkeysthatgrantcontroloverassets(ordata)storedinagivensetofentriesarestoredin“wallets,”whicharefilesorprogramscontainingthesekeys.Colloquially,someequatecontrolwithowner-ship,whichiswhyyou’llhearaboutawallet’s“owners.”Ofcourse,ac-cessandtheabilitytomodifydoesn’tnecessarilymeanownership,un-less that apartment key you gave your dog walker was moresignificantthanyouthought.Atitscore,acryptoassetisnothingmorethananentryintheledger,securedwithasetoffancytoolsthatmeanonlythosepeoplewhoknowtheaccessdigitscanchangeitscharac-teristics.
Finally,publicblockchainsaretypicallydesignedsothatvalida-torsorotheruserscanunilaterallyjoinandleavethenetwork.Per-missionedblockchainstakea fundamentallydifferentapproach,ad-mitting only preapproved validators to the consensus formingprocess.Whilepotentiallyusefulforaconsortiumofknownparties,or for usewithin an individual business, permissioned blockchains
74. Insomesystems,portionsofthetransactionfeemaybeoptional,butthismayresultinthenetworkfailingtoeverprocessatransaction. 75. Cf.RebeccaBratspies,CryptocurrenciesandtheMythoftheTrustlessTransac-tion,25MICH.TECH.L.REV.1,20–21(2018)(indicatingthatindividualtransactionfeesincreaseasthenetworkloadincreases,leadingtotransactionfeesover$55dollarspertransactionatonepointforBitcointransactions). 76. Id.; seealsoFILIPLUNDIN&FREDRIKRAHM, EVALUATINGRISKANDREWARDFORVALIDATORSINACRYPTOCURRENCYPROOF-OF-STAKENETWORK11–12(2018)(explainingthe inverse relationshipbetweenvalidators incentivizationand transactionprocessrisk). 77. Thesearenormallyderivedfromusers’cryptographickeysortheresultofahashfunctionappliedtorelevantdata.
2020] TRANSACTIONALSCRIPTS 335
relyonusers’trustinthelistvalidators,preapprovedbytheentityop-eratingtheblockchain.78Thislimitstheiruseinthelow-trustmarket-place for which transactional scripts are most often touted. 79 Wethereforefocusouranalysisonthe“permissionless”ecosystem.80
C. ETHEREUMANDSCRIPTINGBitcoinisanawkwardcommercialplatform,mostlyusefulforre-
cording and facilitating the flow of bitcoin transactions.81Realizingtheutilityofperformingmorecomplexoperationsonablockchain,a
78. See Sklaroff, supra note19, at276–77n.50 (“[T]he advantagesof [permis-sioned]blockchainsexistintandemwithrelianceonofflineidentity....[P]articipantson permissioned blockchains are typically bound by off-chain, real-world agree-ments[.]”(internalquotationsomitted)). 79. MostcommentersagreewithIanKane,COOofTERNIO,inthinkingthat“per-mission[ed]blockchainshavetheirplacespecifically inanenterpriseenvironment.”ShehryarHasan,PrivateBlockchainsAreBullshit,ExpertSays,BLOCKPUBLISHER(Jan.25,2019),https://blockpublisher.com/private-blockchains-are-bullshit-expert-says[https://perma.cc/9JDU-DDMC];seealsoJustinO’Connell,WhatAretheUseCasesforPrivate Blockchains? The Experts Weigh in, BITCOINMAG. (June 20, 2016), https://bitcoinmagazine.com/articles/what-are-the-use-cases-for-private-blockchains-the-experts-weigh-in-1466440884 [https://perma.cc/DT5Y-ENTJ] (finding thevalueofprivateblockchains is in theirability to “provide interestingopportunities forbusi-nessestoleverage[their]trustlessandtransparentfoundationforinternalandbusi-ness-to-businessusecases”);cf.EUR.UNIONBLOCKCHAINOBSERVATORY&F.,BLOCKCHAINAND THE GDPR 16 (2018), https://www.eublockchainforum.eu/sites/default/files/reports/20181016_report_gdpr.pdf [https://perma.cc/74D2-QF2X] (suggesting thatpermissionedblockchainsmightneedpermissionlessblockchainsinordertobeglob-allyinteroperable). 80. Thecomputerscienceliteratureexploresavarietyofscenariosinwhichnet-workparticipantshavegreaterorlessertrustinotherparticipants.Theseworksoc-cupythespacebetweenassuminganoverwhelmingmajorityofparticipantsarehon-estandassumingpreexisting trustedrelationshipswithothernetworkparticipants(permissionedmodels).Suchconstituteamiddlegroundbetweenpermissionedandpermissionless approaches to distributed computation, and generally represent atrade-offbetweenscalabilityandtrust.Whilelaudableeffortsreducetheleveloftrustthatitisnecessarytosacrificeforsubstantialgainsinscalability,thesesubtletiesarenotthefocusofourwork.Fortreatmentofatechniqueforscalingblockchaincompu-tationsand foradiscussiononotherapproaches, seeHarryKalodner,StevenGold-feder,XiaoqiChen,S.MatthewWeinberg&EdwardW.Felten,Arbitrum:Scalable,Pri-vateSmartContracts,27PROC.USENIXSEC.SYMP.1353,1353(2018). 81. WhileBitcoincanbescriptedtoperformsophisticatedtasks,doingsoischal-lenging.Coderswishing todosomustworkagainst the limited functionalityof theplatform. JacquiFrank&SaraSilverstein,VitalikButerinCreatedOneof theWorld’sLargestCryptocurrenciesinHisEarlyTwenties—Here’sHowHeDidItandWhy,BUS.IN-SIDER (Feb. 13, 2019, 6:22 AM), https://www.businessinsider.com/vitalik-buterin-created-ethereum-one-of-the-worlds-three-largest-cryptocurrencies-2019-1[https://perma.cc/TD7K-XJRN](relayingButerin’sbeliefthatBitcoinisalimitedfunc-tionalitymedium).
336 MINNESOTALAWREVIEW [105:319
programmer named Vitalik Buterin proposed and developedEthereum,ablockchainbasedcomputingplatform,withanassociatedcryptocurrency,Ether.82Theprotocol’sexplicitgoalwastopermiten-hancedscripting—morecomplicatedlogicaloperationsthanrecord-ingownership—onablockchain.EthereumusestheEthereumVirtualMachine(EVM)—asoftwaresystemwithpredefinedrulesandopera-tions,whichyoucanthinkofasasimulatedcomputer.83
TheEthereumVirtualMachineenablesprogramstostoredataontheEthereumblockchainanddefinedhowtheoriginaldatacouldbemodified.84 By the nature of the blockchain, all data is public andthereforereplicable;theEVM,however,allowsdeveloperstorestricthowthedatamaybemodified.Storageandcontrol,inturn,createdtheplatformfortransactionalscripts.ScriptsareprogramsoperatingonEthereum,whichwhenexecuted(or“called”)affecttheledgerit-self.
82. Onthevariouskindsofcryptocurrenciesandtheirrelationshiptomonetarypolicy,seeMaxRaskin,FahadSaleh&DavidYermack,HowDoPrivateDigitalCurren-ciesAffectGovernmentPolicy?(Nat’lBureauofEcon.Rsch.,WorkingPaperNo.26219,2020). 83. Kolber,supranote25.Solidity,themostcommonlanguageusedtoprogramEthereumtransactionalscriptsisTuringcomplete,meaningitcanintheoryperformanyprogram.Thisislimitedonlybytherestrictionstheprotocolplacesoncomplexitytomitigatedenialofserviceattacks.SeeNiharikaSingh,TuringCompletenessandtheEthereumBlockchain,HACKERNOON(Feb.16,2019),https://hackernoon.com/turing-completeness-and-the-ethereum-blockchain-c5a93b865c1a [https://perma.cc/7EU5-EVXP].TheEVMdrawsitsinspirationfromcommonmodelsofcomputerarchitecturewithmodificationsthatensuretheintegrityofscripts’code.Whilethisarchitectureisforeigntothecomputersonwhichthesoftwareruns,itissimulatedbywayofthevir-tual machine. See Preethi Kasireddy, How Does Ethereum Work, Anyway?, MEDIUM(Sept. 27, 2017), https://medium.com/@preethikasireddy/how-does-ethereum-work-anyway-22d1df506369[https://perma.cc/5G3V-MCDM]. 84. ForamorecompletediscussiononthelimitsoftheBitcoinmodel,seeCon-senSys,ThoughtsonUTXObyVitalikButerin(Co-FounderofEthereum),MEDIUM(Mar.9, 2016), https://medium.com/@ConsenSys/thoughts-on-utxo-by-vitalik-buterin-2bb782c67e53[https://perma.cc/78P6-GRDJ].Asagentsareabletomanipulatetherecordsstoredontheblockchain,transactionalscriptsareabletotransfervaluecon-tingentonthoserecords.Thisisthetruesourceoftheirutilityoverothertypesofpro-gramsthatinteractwithdistributeddatabases:thetightintegrationofanassetstoragemechanism(cryptocurrenciesandcryptoassets)withaprogrammaticwaytotransferownership(transactionalscripts).Thecouplingofthetwoensuresthatthevalueoftheassetisconditionalonplayingbytherulesofthegame—whichinturnprovidescertainassurancesthatthecontractswillbeexecuted.
2020] TRANSACTIONALSCRIPTS 337
TheinstructionsetprovidedbyEthereumisaspowerfulandex-pressiveasanyotherprogramming language.85If limitsarenot im-posed on transactional script running time and resource require-ments, a malicious actor could force validators to perform neverendingcomputations,haltingallusefulworkonthechain.Validatorsmust also be incentivized to spend their computational resourcesevaluatingscripts.Ethereumthereforeimposeswhatwetermacom-plexitytax:transactionfeesproportionaltothecomputationrequiredbyatransaction.86Thisfeeisknownasgasandispaidinfractionalamountsofether.87TheEthereumprotocolspecifiesahardlimitonhowmuchgasmaybeconsumedbyasingletransaction.88Thus,theamount of gaspaidper transaction isdeterminedby theEthereumprotocol,whiletheexchangerateisdeterminedbytheuser.Theusermustalsopre-paygasthatintheirestimationwillsufficientlycovercosts. If thispre-payment is too low,andthere is insufficientgastocompletelyexecutethescript,thescriptwillterminatewithoutare-fund.89
Thereare70differentoperationsunderstoodbytheEVM,eachofwhichisassociatedwithacost,basedontheamountoftimeandenergyittakesavalidatortoexecutetheoperation.Hereareonlyafew,withtheirassociatedcosts.
85. Ethereum scripts require special purpose languages and tools to deploy.Thereisactiveresearchindesigninglanguagesthatfacilitatebetterdevelopmentprac-tices.SeegenerallyMudabbirKaleem,AnastasiaMavridou&AronLaszka,Vyper:ASe-curityComparisonwithSolidityBasedonCommonVulnerabilities,2NDCONF.ONBLOCK-CHAINRSCH.&APPLICATIONSFORINNOVATIVENETWORKS&SERVS.,June14,2020. 86. SeeBrunoSkvorc,Ethereum:HowTransactionCostsAreCalculated,SITEPOINT(May 24, 2018), https://www.sitepoint.com/ethereum-transaction-costs [https://perma.cc/NAU4-RTYJ] (describing the proportionality of gas costs in Ethereum’sstructure). 87. ForadetailedexplanationoftheinternalmechanismsofEthereum,seegen-erallyKasireddy,supranote83. 88. Atthetimeofwriting,thiswassetatapproximately8milliongas(withanupcomingchangeto10milliongas),equivalenttoapproximately$2USDatagaspriceof1Gwei(billionthsofanETH). 89. Existingliteraturedescribesthecomplexitytaxingeneraltermswithoutelab-oratingonitsexactcosts.See,e.g.,ThibaultSchrepel,IsBlockchaintheDeathofAnti-trustLaw?TheBlockchainAntitrustParadox,3GEO.L.TECH.REV.281,292(2019)(not-ing thatEthereumrewardssuccessfulminerswith transaction fees);Sklaroff,supranote19,at293n.139(describingthe“supplyanddemanddynamic”createdanditspolicingeffectson“buggyorinfinitelyrecursivecode”);id.at294n.143(“[T]hissolu-tionwouldbeprohibitivelyexpensivefromatransactionfeeperspective....”).
338 MINNESOTALAWREVIEW [105:319
OperationName
MaxCost(Gas)
Cost($)/1millionoperations90 Effect
ADD 3 ~$30 Addstwonumberstogether
MUL 5 ~$50 Multipliestwonum-bers
SSLOAD 200 ~$2000Loadasinglenum-berfrompermanentstorage91
SSTORE 20000 ~$200,000Storeasinglenum-berintopermanentstorage
Themostexpensiveoperation,SSTORE,updatesdatathatconsti-
tutetheEthereumledger’smemory.92Asitaddstothelong-termcostofstoringtheledger,theprotocolimposesasubstantialup-frontfee.
Datastorageonapublicledgerformsakeycomponentofmanyproposedblockchainuse-cases,93butitisfinanciallycostlyincompar-isontogeneralpurposestorage(whichisavailablefromcommercialprovidersonayearlybasisatapproximatelyone-ten-millionthofthecostofEthereumbasedstorage).94Similarly,theprocessorinatypicallaptop performs on the order of billions of operations per second,
90. Thesefiguresarecalculatedatthedefaultgaspriceof3 × 10!"gas/ETHandanexchangerateof$295USD/ETHandareroundeduptoonesignificantfigure.SeeDanny Ryan,Calculating Costs in Ethereum Contracts, HACKERNOON (Sept. 6, 2017),https://hackernoon.com/ether-purchase-power-df40a38c5a2f[https://perma.cc/6SUH-ADGR]. 91. ThemaximumvalueonwhichtheEVMoperatesoninasingleoperationis2^256.Outsideof technical reasons for this choice, this limitprevents coders fromstoringalltheirdatarepresentedasonehugenumberinanattempttopaylowergascosts. 92. SeeTingChen,XiaqiLi,XiapuLuo&XiaosongZhang,Under-OptimizedSmartContractsDevourYourMoney,2017IEEE24THINT’LCONF.ONSOFTWAREANALYSIS,EVO-LUTION&REENGINEERING,Mar.11,2017(indicatingthatSSTOREisparticularlyexpen-siveamongsmartcontractoperationsintheEthereumVirtualMachine). 93. Evenforsystemsthatpurporttostorethebulkofdataoff-chain,thecostofstoring references to the off-chain data necessitates a cost-benefit approach to as-sessingtheviabilityofablockchainbasedsolution.SeeMEDICALCHAIN,WHITEPAPER2.1,at1,14(2018),https://medicalchain.com/Medicalchain-Whitepaper-EN.pdf[https://perma.cc/KSC8-AUS4](observingthatwhilerecordsthemselvesarestoredoffchain,eachupdatetoarecordnecessitatesstoringanewvalueontheblockchain);seealsoARMANJABBARI&PHILIPKAMINSKY,BLOCKCHAINANDSUPPLYCHAINMANAGEMENT(2018),http://www.mhi.org/downloads/learning/cicmhe/blockchain-and-supply-chain-management.pdf [https://perma.cc/925L-X9R7] (envisioning large-scale supply-chaindatastorageontheblockchain). 94. SeeAmazonS3Pricing,AWS,https://aws.amazon.com/s3/pricing [https://perma.cc/4VHU-77H6].
2020] TRANSACTIONALSCRIPTS 339
whichwouldequatetohundredsofdollars’worthofcomputationsonEthereum.95Gascostsdon’tstemfromtheregularunitcostofstoringachunkofdataorperformingacomputation.96Theyareartifactsofthereplicatedworkandstorageusedtomaintainandvalidateconsen-sus.97
This complexity taxhas limited,but real implications.Wecon-cedethatneitherstoragenorcomplexprogrammingarewhatblock-chainsarefor,andsuchspecialpurposetoolsshouldn’tbeevaluatedincomparisonwithtraditionalcomputers.Butit’simportanttorecog-nizethatforsomeproposedusesoftransactionalscripts—suchasen-codingsemanticframeworkslikediscretion,goodfaith,andbestef-forts—publicblockchainsolutionsincursignificantcosts.98
Theresultofsuchcostsisthatitispracticallyimpossibletorunsomekindsofscriptsinpublic.Manyreal-worldcomputationaltasks(searchingandsortinglargeamountsofdata,machinelearning,opti-mization) require non-trivial amounts of computational powerand/ordatastorage.Forexample,thoughitwouldbepotentiallyuse-fultowriteascriptthatusedanalgorithmtodetermineifaworkerhadusedherbestefforts,andthenpayherforhertime,thatkindofcomputationisnotpracticalotherthanbydelegatingthecomputationtoanagent“off-chain.”99Currentscriptsthusgenerallycontainonly
95. Somesitesindicatethatmodernprocessorsprocessoperationsatthetensofbillionsoffloating-pointoperationspersecond.Onthescaleofourillustrations,thatiscomparablewiththebasicarithmeticoperationsoftheEVM.See,e.g.,CPUPerfor-mance, ASTEROIDS HOME, https://asteroidsathome.net/boinc/cpu_list.php [https://perma.cc/39EF-LGL6]. 96. NotedblockchainresearcherEminGünSirercorrectlynotesthatcostsofstor-ing the blockchain itself are negligible on a per node basis. Emin Gün Sirer(@el33th4xor),TWITTER(Nov.29,2019,1:13PM),https://twitter.com/el33th4xor/status/1200477778463907841[https://perma.cc/2HDN-CCL5].Ourconcernishowthiscostismagnifiedbycurrentconsensusprotocols. 97. TheseparticularcostsaredistinctfromthecomputationalcostincurredbyProof-of-Work style consensus algorithms that establish consensus in the first in-stance.Rather, theneed to check thevalidityof theoutput fromcomputationsandmaintaincopiesoftheoutput(toallowfailurerecovery),imposeacostthatispaidexantebyataxonexpensivecomputations. 98. WhileSklaroffnotesthepotentialhighexantecostofdevelopingcontractsflexibleenoughtoincorporatelegalframeworks,weherequantifythosecosts,focusontheongoingtaxesimposedbytheblockchainparadigm,andexpandoncodingreal-itiesthatfurtherdrivedevelopmentcosts.Sklaroff,supranote19,at279. 99. Off-chaintransactionsarethosethatmovevaluefromtheblockchaintobeprocessedexternally.Suchtransactionsmayeventuallybereconciledandintegratedbackontothechain.SeeOff-ChainTransactions,BITCOINWIKI(June18,2019,4:43AM),https://en.bitcoin.it/wiki/Off-Chain_Transactions[https://perma.cc/9YD3-VWLQ].
340 MINNESOTALAWREVIEW [105:319
thesimplestofif-thentypelogic.100Ausefulanalysisofthelegalsig-nificanceofourscriptsrequiresaclear-eyedevaluationastothelikelyfutureusesandlimitationsoftheform.
There is a robust technical literature exploringmechanisms toavoidthecomplexitytax.Butmostproposalstomitigatecoststrade-offbetweenthesecurityandtransparencyoftheon-chainmodel,andtheefficiencyattainableunderframeworksthatassumemoreonthepartofotherprotocolparticipants.101Whiletherearesomeimprove-mentsthatcanbemadetoefficientlyscaleblockchainswithoutcom-promisingthepromiseoftrulytrustlessexchange,102themosteffec-tive solutionswill inevitably delegate the bulk of computation andstoragetosmallersubsetsofthenetworkoreventonon-participantsoffchain.103
Thecomplexitytaxthusproducesarealhurdleforcertainkindsof complex contracting. There are known techniques to reduce thecostofmostcomputations,butfindingawaytominimizeblockchaindatastoragecostswhileensuringthedataisaccessibleondemandisanopenproblem.104Firmsconsideringoff-chainsolutionsmustthere-
100. Thequarrelsomereadermaynotethatallimperativeparadigmprogrammingadherestoanif-thenparadigm.Wemerelynotethepaucityofsophisticationinscriptscurrentlydeployed.Forabriefdiscussionondifferentprogrammingparadigms,seeJing Chen, A Brief Survey of “Programming Paradigms,” MEDIUM (Apr. 11, 2019),https://medium.com/@jingchenjc2019/a-brief-survey-of-programming-paradigms-207543a84e2b[https://perma.cc/V3WE-HECF]. 101. For an analysis of various designs facilitating off-chain computation by asmallernumberofnodesandreducingthecostimposedbylargescalereplicationofwork,seeLewisGudgeon,PedroMoreno-Sanchez,StefanieRoos,PatrickMcCorry&Arthur Gervais, SoK: Layer-Two Blockchain Protocols, https://eprint.iacr.org/2019/360.pdf[https://perma.cc/N9MZ-CK3U].SeealsoKyleCroman,ChristianDecker,IttayEyal,AdemEfeGencer,AriJuels,AhmedKosba,AndrewMiller,PrateekSaxena,ElaineShi,EminGünSirer,DawnSong&RogerWattenhofer,OnScalingDecentralizedBlock-chains,inFINANCIALCRYPTOGRAPHYANDDATASECURITY106,106–10(JeremyClark,Sa-rahMeiklejohn,PeterY.A.Ryan,DanWallach,MichaelBrenner&KurtRohloffeds.,2016). 102. Oneproposalthatsucceedsinmaintainingatrustlessnetworkwhileimprov-ingsubstantiallyonscalingistheAvalancheProtocol,whichproposesanalternativetoproof-of-work.SeeTeamRocket,MaofanYin,KevinSekniq,RobbertVanRenesse&EminGünSirer,ScalableandProbabilisticLeaderlessBFTConsensusThroughMeta-stability(Aug.24,2020)(unpublishedmanuscript),ARXIV:1906.08936.Howeverevenprotocols thatminimize computational costs such as Avalanche and Arbitrum stilldon’trealizethepromiseofeffectivelyfreetransactionalscripts.SeeKalodneretal.,supranote80,at1353–54(givingadescriptionofArbitrum). 103. ImportantlyforouranalysisofbuggyscriptsinPartIII,infra,evenwhereoff-chainscalingtechniquesareadopted,thecoderemainspubliclyaccessible. 104. SeeCromanetal.,supranote101,at108–10.
2020] TRANSACTIONALSCRIPTS 341
foreaskwhetherthegameisworththecandle.Thatis,publicblock-chains have important virtues: primarily, they enable trustless ex-change between pseudo-anonymous counterparties. Blockchain-basedalternativesmaynothavethosevirtues.
D. CODINGONETHEREUMWenowreturntoourcoders’workandfocusonhowtheywrite
transactionalscripts.Let’ssupposethatateamofcodershasauthoredhigh-level code and run that code through the compiler, producingbytecodethatcannowbeexecutedontheEVM.
Iftheyareresponsible,theymustnowtesttheprogram;onlyaf-tertestingwillitbedeployed.Duringdevelopmentprogrammerswillgothroughmany,manycyclesofcoding,compilingandtesting,find-ingbugsandareasthatneedimprovement.105
105. Cf.RichButkevic,TheLifecycleofaSoftwareBug,OPENSOURCE(June25,2018),https://opensource.com/article/18/6/life-cycle-software-bug[https://perma.cc/2FMU-YVKE](describinghowdevelopmentteamsfixbugs).
342 MINNESOTALAWREVIEW [105:319
Tomakethediscussionmoreconcrete,wepresenttheStagedContractscript,writteninSolidity,andexplainhowitisprocessedbythevir-tualmachine.Itillustratesasimpledeal:theownerofthescriptagreesto pay forwork in increments of 1ETH as the recipient completesstagesofsomeoff-chainjob.106Therecipientcanclaimpaymentforeachstagewithouttheinterventionoftheowneruptothetotalvalueofthecontract.
106. Notdepictedisamechanismfortheownertoincreasetheamountofpaymentavailableovertime.
Figure2:TransactionalScriptinSolidity
2020] TRANSACTIONALSCRIPTS 343
StagedContract also allows the recipient to offer a discountthroughthediscount()functionwhichtheownercanapproveviatheapproveDiscount()function.Illustrativeofthecomplexitytax,attimeofwriting,itcost$1.30todeploythescriptand$0.08toexecutethecompleteStage() function even once. (Imagine using this script forpaymentofhundredsofthousandsofgigworkers.)
Likemostcomputerprograms,Solidityrequirestheavailabilityof fundamentalcomputationalstructures:107basicarithmeticopera-tions, operations to access andmodify some form ofmemory (the“state”), away to input/outputdata, and crucially, amechanism tochoosebetweendifferentpossibleexecutionpathsbasedonthestateofthecomputer.ThesearethekeyelementsimplementedbytheEVM.
Eventhisverysimplescriptrequiresexpertisetoconceiveof,im-plementanddeploy.Itrequiresstillmoreexpertisetorecognizethatitcontainsaseriousbug.Notingthat ifan integergrowsorshrinksbeyond the limit set by the EVM (overflow and underflow respec-tively),theintegerresets,asneakyrecipientcouldmountthefollow-ingattack:108
1. Therecipientoffersadiscountthatreducesthecostofthejob
tonothing,whichthegreedyownerreadilyaccepts.
2. Therecipientoffersanadditionaldiscountinadvanceoffu-tureworkandwaitsuntiljustbeforetheownerapprovesit.
3. The recipient quickly engorges their discount to themaxi-mumsizepermittedbytheEVM.
4. Theunsuspectingowner fails tonotice the changeandap-provestheoversizeddiscount,reducingthesumavailableforpaymentsomuchthatitunderflows—resettingtheamountavailableforpaymenttothemaximumvaluepermittedbytheEVM.
5. The recipient now executes completeStage() repeatedly,emptying the script of its Ether, without running into thelimit.
107. These,alongwiththeabilitytoexecuteloops,arealsotheelementsthatper-mittheEVMtosupportaTuringcompletelanguage.SeeSingh,supranote83. 108. Whilethescenarioisadmittedlycontrived,itservestoillustratethedifficultyofwritingcorrectcode.
344 MINNESOTALAWREVIEW [105:319
ThisisbutoneofmanywaysinwhichthespecificsoftheEVMcantripupotherwisecode-literateindividuals.
Theparticularproblemforscriptsisthatwhentheyarealreadyonblockchainandpartieshavebeguncommittingassets,theycan’tbeeasily modified (at least without pushing out a unilateral updatewhichmightcauseseriousreputationalblowback).109Therefore,wisedeveloperswouldfirsttryitouton“testnets,”smallscaleblockchainsreplicatingthebehavioroftheirlargersiblings,butwithoutthegoalof preserving immutability or value long term.110Testnets are alsousedtotrialchangestothecoreprotocolofablockchain,withoutim-pactingexistingusers.111Testnettransactionsaregenerallyfree.112
Whenadeveloperisreadytotesttheirtransactionalscript,eitherontherealnetworkoronthetestnet,theysubmitaspecialtransactiontothenetwork.Thetransactionincludesthebytecodeofthetransac-tionalscript,anamountofgastopayforthedeployment,andawalletfromwhichthegaswillbetransferredout.Thetransactionalscriptisthenstoredontheblockchain,anditscomponentfunctionsandstor-agecanbeaccessed.
Modern programming languages, including Solidity and theEthereumEVM instructionset, separatesegmentsof code thatper-formdiscreteoperationsinto“functions,”eachofwhichrequireade-veloperusingthefunctiontoprovidecertaininputs.Onceafunctionfinishesexecuting,itproducesanoutputwhichisprovidedtoeithertheuseror,ininstanceswhereafunctionisexecuted(“called”)withinanotherfunction(the“caller”),theoutputisavailableforusewithinthecaller.Tocallafunction,thecallermustalsoincludegassufficienttopayfortheexecutionofthecallee(andinarecursivefashionforanyfunctionsthecalleemightcall).
109. SeeAndrewChow,CommenttoWhyIsItImpossibletoModifyaTransactioninthe Blockchain, STACKEXCHANGE: BITCOIN (Mar. 30, 2018, 5:02 PM), https://bitcoin.stackexchange.com/questions/73229/why-is-it-impossible-to-modify-a-transaction-in-the-blockchain[https://perma.cc/H65D-AGLA](“Overall,modifyingtransactionsalreadyintheblockchainrequiresreminingblocks,andafteratransactionalreadyhasafewconfirmations,doingthisrequiresimmenseamountsofcomputingpower.”). 110. Testnet, BITCOIN WIKI (Apr. 14, 2020), https://en.bitcoin.it/wiki/Testnet[https://perma.cc/5743-J2KZ]. 111. SeeMyEtherWallet,Understanding Blockchain Changes: Testnets andMain-nets, MEDIUM (May 26, 2019), https://medium.com/myetherwallet/understanding-blockchain-changes-testnets-and-mainnets-c2171a8e835f [https://perma.cc/C5ZL-J7DN](indicatingthepotentialusesoftestnets). 112. Seeid.(“[I]nEthereum’scase,thegaspaymentfortestnetcomputationsdoesnotcostany‘real’money....”).
2020] TRANSACTIONALSCRIPTS 345
Thisallassumesthecodershaveimplementedeachstepofthisprocesscorrectly.But,astheStagedContractexampleillustrates,er-rorscanbesubtle.Theresimplyisnofoolproofmethodtogeneratesoftwarethatmatchesitsinitialspecification.113Further,evenassoft-wareispatchedtoremoveoldbugsmanynewbugscreepin,andsoft-waredoesnotconvergetoabug-freestate.114
Penetration testing and security auditing are other importantcomponentsofsophisticatedsoftwaredevelopment.Specializedsecu-rityengineersattempttofindandexploitsecurityflawsandassessthequalityofcodeasrelevant tosecurity.115However, security failuresbedevileventhebestauditedsoftwarepackages.116Therealtestforcode, particularly when designed to operate adversarial environ-ments,comesonlywhenitisdeployedandused.Itisoftenonlywhenthecodemeetstheroadthatdevelopersfindthebulkofbugs,improv-ingontheircodebyconstant iteration.117Eventhen,vulnerabilitiesmayremainlatentforlongperiodsoftimepriortodiscovery.118
113. SeeWenboGuo,DongliangMu,XinyuXing,MinDu&DawnSong,DEEPVSA:FacilitatingValue-SetAnalysiswithDeepLearningforPostmortemProgramAnalysis,28PROC.USENIXSEC.SYMP.1787,1787(2019)(remarkingontheinevitabilityofflawsinsoftware). 114. SeeSaenderA.Clark,TheSoftwareVulnerabilityEcosystem:SoftwareDevel-opmentintheContextofAdversarialBehavior(2017)(Ph.D.dissertation,Universityof Pennsylvania), https://repository.upenn.edu/cgi/viewcontent.cgi?article=4019&context=edissertations[https://perma.cc/G87G-JWR6]. 115. Duetothelevelofspecializationrequired,suchengineersortestersarecon-tractedfromboutiquefirms,withfeescomparabletothoseofhigh-endlawyers.Thisputsmanywell-performing service firmsoutside theprice rangeof themajorityoftransactionalscriptdevelopers.Seeekotysh,HowMuchDoesaSmartContractAuditCost?, REDDIT (July 24, 2017, 11:03 PM), https://www.reddit.com/r/ethdev/com-ments/6pdgvd/how_much_does_a_smart_contract_audit_cost[https://perma.cc/GL7T-ATHS]. 116. OpenSSL,oneofthemostscrutinizedsoftwarepackages(andwhichunderliesmuchofthecryptographyusedtosecuretheInternet),hasdisclosedoverelevenhigh-severityvulnerabilitiessince2014,despitehavingbeencreatedpriorto2002.SeeVul-nerabilities, OPENSSL, https://www.openssl.org/news/vulnerabilities.html [https://perma.cc/97CK-XMD5]. 117. Someexpertsestimatethedensityofbugsis10to50bugsperKLOC(1000lines of code). EvenMicrosoftwith its sophisticateddevelopmentpractices still re-leasescodewithabugdensityof~0.5perKLOC.Thisisequivalenttotens-of-thou-sandsofbugsinamodernoperatingsystemcompiledfromtens-of-millionsoflinesofcode.SeeSTEVEMCCONNELL,CODECOMPLETE:APRACTICALHANDBOOKOFSOFTWARECON-STRUCTION 652 tbl.27-1 (2d ed. 2004), http://aroma.vn/web/wp-content/uploads/2016/11/code-complete-2nd-edition-v413hav.pdf[https://perma.cc/9QXQ-NQVL](showingtherangeofdefectdensities). 118. SeeClark,supranote114,at74–75.
346 MINNESOTALAWREVIEW [105:319
These characteristics of the vulnerability life cycle pose chal-lenges fora transactional scriptdeveloper,where thereare limitedopportunitiesforsafetestingonaliveblockchainorpatchingexpost.Worse,thesemanticsoftheSoliditycodinglanguageinwhichalmostall transactional scriptsarewrittenare substantiallydifferent fromtraditionalsoftwaredevelopment,leadingtooverconfidentdevelop-ersignoringpotentialpitfallssuchasreentrancyvulnerabilitiesthatarenotpresentinmostcodingenvironments.119
Theneedforsecurityalsoimposesasecond,moremetaphysical“complexitytax:”themorecomplexatransactionalscript,theharderit istopreserveboththecoder’s intention(andtheintentionofthepersonhiringthecoderandsoon),whilenotcreatinganyinsecurities;moredevelopment timemustbeexpendedtoshoreup thecode.120Thebiggerthetransactionalscriptship,themoreeffortmustbeex-pendedtopatchtheleaks.
E. SUMMARYArecentsurveyofscriptdeveloperssuggeststhatcodersarebe-
coming increasingly aware of the problematic real-world conse-quences of howSolidity interactswithdevelopment.121Developers,manyofwhomwereworkingforfree,122hadideologicalmotives:to
119. Reentrancyvulnerabilitiesareaclassofflawwhereafunctioncallsanotherfunctionthatisexternaltothegivenscript,andthatcalleeunexpectedlycallstheorig-inal functionbeforetheoriginal functionhasfinishedexecuting.SeeKnownAttacks,GITHUB, https://consensys.github.io/smart-contract-best-practices/known_attacks[https://perma.cc/FFR3-EWAU].Programminglanguageconsiderationsthatcontrib-utetothedifficultyofdevelopingsecureandcorrectSoliditycodeincludethepotentialfor“integeroverflow”(wherethesizeofnumbersexceedsthespaceavailabletostorethem),alackofsupportfordecimalnumbersandincompleteformalspecificationofthelanguage.Seethrowies11,WhatAretheMainSecurityProblemsAssociatedwithSo-lidityLanguage?,REDDIT(Jan.18,2018,5:44PM),https://www.reddit.com/r/ethdev/comments/7rdocn/what_are_the_main_security_problems_associated[https://perma.cc/V9R9-XZ5G]. 120. SeeYongheeShin,AndrewMeneely,LaurieWilliams&JasonA.Osborne,Eval-uatingComplexity,CodeChurn,andDeveloperActivityMetricsasIndicatorsofSoftwareVulnerabilities,37IEEETRANSACTIONSONSOFTWAREENG’G772,772(2010)(expoundingonthedifficultiesoffindingvulnerabilitiesincode). 121. SeeAmiangshuBosu,Anindya Iqbal,RifatShahriyar&ParthaChakraborty,UnderstandingtheMotivations,ChallengesandNeedsofBlockchainSoftwareDevelop-ers:ASurvey,24EMPIRICALSOFTWAREENG’G2636,2652(2019). 122. Id.at2644(indicatingthatdevelopersreportedtheywerenotdirectlycom-pensated).
2020] TRANSACTIONALSCRIPTS 347
“createadecentralizedcurrencythatcannotbemanipulatedbyacen-tralauthority.”123Thatis,“removingpowerfrombanksandgovern-ments.”124Theseweremotivated,committed,blockchainproponents.
Butthesurveyrespondentsnotedthattheabove-mentionedse-curity concerns and high stakesmade coding difficult. “Inmost ...[non-blockchain projects]when a bug appears, itwill be fixed andsoon forgotten. But in blockchain projects some bugs can be verycostlyandneverforgotten.”125Similarly,somecomplainedthaterro-neous ledgerentriesare“almost impossible” to fix.126Theseuniqueblockchain problems, when coupled with the decentralized VM onwhichsoftwareoperates,“makesitdifficulttobuildrobustsoftware.Unreliableconnections,unexpectedlatency,andmaliciousnodescre-ateahostileproductionenvironment.”127Therearealsofewproduc-tion-readytoolstoworkthrougherrorsinscripts,particularlya“reli-ableanduser-friendlydecompiler.”128
Insum:it’ssimplyimpossibletocreateperfectsoftwarethefirsttimethrough,andexistingtoolstopre-testscriptsbeforedeploymentareinadequateorextremelycostly.IrreduciblefeaturesofEthereum(andotherblockchainsdesignedusing the same logics)will rendertransactionalscriptsbuggy.Onerecentstudy,lookingonlyattheverysimpleecosystemofscriptsonEthereum,found100errorsper1000linesofcode.129Thiserrorratelikelywillincreaseasdeveloperspur-sueever-more-ambitiousEthereumprojects.Asbugsaccrueandcre-atereal-lifelosses,partieswillturntotribunalsandtothelawforre-course.Inthenextsection,weoffersomeconcreteexamplesofthisinsight.
123. Id.at2650. 124. Id. 125. Id.at2652. 126. Id. 127. Id.at2650. 128. Id.at2661. 129. SeePeterVessenes,EthereumContractsAreGoing toBeCandy forHackers,VESSENES(May18,2016),https://vessenes.com/Ethereum-contracts-are-going-to-be-candy-for-hackers[https://perma.cc/RWK5-METY](“MyreviewofEthereumSmartContracts...showsalikelyerrorrateofsomethinglike100per1000,maybehigher.”);seealso IvicaNikolić,AashishKolluri, IlyaSergey,PrateekSaxena&AquinasHobor,Finding the Greedy, Prodigal, and Suicidal Contracts at Scale (Mar. 14, 2018) (un-published manuscript), ARXIV: 1802.06038 (finding a near 3.5% vulnerability rateacrossananalysisofonemillionscripts);LudovicaMarchesi,MicheleMarchesi&Rob-ertoTonelli,ABCDE–AgileBlockChainDappEngineering(Dec.19,2019)(unpublishedmanuscript),ARXIV:1912.09074(“ThefeelingofmanysoftwareengineersaboutsuchhugeinterestinBlockchaintechnologiesisthatofunruledandhurriedsoftwarede-velopment....”).
348 MINNESOTALAWREVIEW [105:319
II.TRANSACTIONALSCRIPTSINTHEREALWORLDNowthatwehaveinhandabetterunderstandingofwhatwriting
atransactionalscriptentails—andwhereerrormightcreepintothatprocess—let’sconsiderthreetypicalusecasesofscriptsinthecurrentblockchainecosystem.
A. TOKENSAbasicuseofatransactionalscriptistochangeablockchainrec-
ordtodebitacryptocurrencyfromasingleaddress’entryandcredittheentriesofotheraddresses.However,theflexibilityoftheEVMal-lows for more sophisticated types of trades, both of ether (theEthereum-definedbasecurrency)andscript-definedcryptoassets.130
ERC-20istheEthereumtechnicalstandardthatprovidesatem-plate for creating a fungible, tradeable asset, known as a token.131Suchtokensarethemostcommoncryptoasset.132Tokenbalancesarenotstoredbytheownerofthetoken.Instead,thetransactionalscriptthat created the asset updates an internal ledger of addresses andtheir corresponding tokenbalances.Belowweprovide someof thecodethatcreatessuchtokens.
130. SeeEthereumWhitepaper, ETHEREUM, https://ethereum.org/en/whitepaper[https://perma.cc/LV92-E3HC](lastupdatedJuly9,2020)(indicatingthatEthereumhas the functionality tonotonlyprocessdebit transactions,butalsomorecomplexsmart-contracttransactionsviascript). 131. Thestandardrequiresacompliantscripttoincludeamethodtodeterminethetotalnumberofsuchtokensincirculation,thenumberoftokensownedbyagivenaddress,andfunctionsthatfacilitatethetransferoftokens.SeeERC20,BITCOINWIKI(Oct.29,2018,7:46AM),https://en.bitcoinwiki.org/wiki/ERC20[https://perma.cc/4Z28-3NS4]. 132. SeeJakeFrankenfield,CryptoTokens,INVESTOPEDIA(June30,2020),https://www.investopedia.com/terms/c/crypto-token.asp[https://perma.cc/5PE9-7PZ7](describingthepopularityofcryptotokensasderivativesoftheoverarchingcrypto-currencyinfrastructure).
2020] TRANSACTIONALSCRIPTS 349
Inthefollowingscriptexcerptthevariablebalancesservesasthescript’s internal ledger of account balances. While any human canmanuallyinspecttheledger,anEthereumscriptcanonlyaccessthebalancesviathebalanceOf()functionwhichoutputsthebalanceforagivenaddress.This includes the token script itself,whichusesbal-anceOfwithinthetransferfunctiontocheckifthereissufficientbal-anceavailabletodebit,beforesubtractingthatamountfromonead-dressandcreditingtoanother.Thesetransferandbalancefunctionsaredepictedinthegraphicbelow.
Bylimitingdirectaccesstothebalances,thescriptfunctionslikeametaphoricalsealedvaultofanovelcommodity,withacorrespond-ingpublicledgerdeterminingownershipoverthecontentstodiffer-entparties.Thevaultallowsuserstoqueryandaltertheledgeronlybythemechanismscontrolledbyaseriesofbuttonsonthevault’sex-terior. The buttons correspond to the functions that a given scriptmakes available, and illustrate how evenwith a transparent vault,controloverandownershipof thecommodityultimately lies in themechanismunderlying the buttons. Likewise, exchanges of a tokencanonlybeeffectuatedthroughtheinterfaceprovidedbyitsparentscript.Intheaboveexample,thisiscapturedbythetransferfunction.
Whileasecondaryscriptmaylayeronsupplementarytermsofanexchange,theactualtransferofownershipismediatedthroughthescriptthatmaintainsthebalancesvariableforthatasset—nomattertherulesorritualsoneconstructsaroundtheoperationoftheafore-mentionedvault,theledgerremainsunderthesolecontrolofthebut-tonmechanisms.Anyflawinthemechanismisthereforepropagatedtoallusersoftheasset.
mapping(address => uint256) balances;
function balanceOf(address tokenOwner) public
view returns (uint) {
return balances[tokenOwner ];
}
function transfer(address receiver , uint
numTokens) public returns (bool) {
require(numTokens <= balances[msg.sender ]);
balances[msg.sender] =
balances[msg.sender ].sub(numTokens);
balances[receiver] =
balances[receiver ].add(numTokens);
return true;
}
This variable
matches addresses
to their balance
balanceOf() out-
puts the balance
mapped to an address
transfer() first checks
that the sender’s
balance is su�cient.
It then subtracts
tokens from the
sender’s balance and
subsequently credits
them to the receiver’s
Figure3:TokenScript
350 MINNESOTALAWREVIEW [105:319
Considerwhatwouldhappenwerethecodertoforgetthecheckensuring that adequate fundswere available. For one, a user couldtransfermoretokensthanpresentintheirbalance,allowingthemtoaccruemoretokens,i.e.,cryptoassets,thantheywouldotherwisebeentitled.Additionally,anyotherscriptusingtheassetwouldalsobeaffectedasalltokentransfersaremediatedbythiscontractthatmain-tainsandcontrolsthebalancevariable.
Of course, tokens are not merely technological artifacts. Theytaketheirvaluefromsocialconsensus:theirholdersmustthinktheywilleventuallyprovidesomeutility(evenifmerelybeingtradingin-struments). 133 To obtain that consensus, tokens are typically de-scribedandmarketedwithnatural languagetext,writtenbypeoplewhomay,ormaynot,havecodedthetokens’scripts.Inpreviouswork,weexaminedtheERC-20tokenscreatedasapartofinitialcoinoffer-ingsin2017.134
Suchofferings, looselymodeledoninitialpublicofferings,typi-cally involve theexchangeofbitcoinoranother formor cryptocur-rencyforasetofrightsembodiedinatransactionalscript.135Forex-ample,anorganizationcalledKikraised$98Min2017byofferingforsale someof10 trillion “Kin” tokens ithadcreated.136According toKik’sWhitePaper,thirtypercentofthetotalsaleproceedswereear-marked for “startup resources, technology, and a covenant to inte-gratewiththeKincryptocurrencyandbrand.”137Kikcould,anddid,embedthesepromises ina transactionalscript.Wefoundthatonavarietyofmeasures,Kik’smarketingdocumentsandcodematchedex-actly.138
Tokens—whicharealreadyofsignificantpracticalimport—thus,poseatleasttwosortsofproblemsforjurists.First,whatifthecode
133. SeeHasu,UnpackingBitcoin’sSocialContract,MEDIUM(Dec.3,2018),https://medium.com/s/story/bitcoins-social-contract-1f8b05ee24a9[https://perma.cc/6WQG-J2K2](explainingtheimportofsocialcontracttheory,andthussocialconsen-sus,intheappraisalofthevalueofcryptocurrencies). 134. SeeCohneyetal.,supranote2,at619–25. 135. Id.at593–95. 136. KhariJohnson,KikRaises$98MillioninKinCryptocurrencyTokenSale,VEN-TUREBEAT(Sept.26,2017,8:07AM),https://venturebeat.com/2017/09/26/kik-raises-98-million-in-kin-cryptocurrency-token-sale[https://perma.cc/EYA9-TN27]. 137. Cohneyetal.,supranote2,at628. 138. Id.at673app.B.ThatisnottosayKikisintheclear.ItremainsenmeshedinafightwiththeSECaboutwhetheritstokensweresecurities.
2020] TRANSACTIONALSCRIPTS 351
itself is somehow flawed,meaning that their buyers receive some-thingdifferentthantheyexpected?Second,what if thecodefailstomatchthenaturallanguagepromisesthatpurporttodescribeit?139
B. EXCHANGESSometimeonNovember15,2018,someoneplacedabuy-offerfor
atokencalled“FreeCoin”ontheTokenStoredecentralizedcryptocur-rencyexchangeat ten times theprevailingmarketrate.140Thiscre-ated a substantial arbitrage opportunity for an enterprising traderwhosubsequentlypurchasedFreeCoinatthemarketrateandresolditattheinflatedrate,realizingaprofitof0.79ETHor$267USD,whilepayingacomplexityfeeof$5.00.141Wishingtoensurethattheentiresequence of trades was completed, the second trader batched thetransactionsusingascriptguaranteedtocompleteboththebuyandselltrades,orneither.142
Thisseriesofeventsisnormalondigitalmarketplacesthattradecryptocurrency.Suchmarketplacestodayareamajorsourceofliquid-ityforcryptoassets,andconsequentlythemostpracticallyimportantpublic face of the transactional script commercial ecosystem.143In-deed,theymaybetheonlyforawhereitisobviousthattransactionalscriptsarepragmaticallyimportantmechanismsofexchange.Crypto-currencyexchangestakemultipleapproachestocustody,settlement,andordermatching,whichwenowexplore.
Unlike the “Free Coin” trade, the majority of cryptocurrencytradescurrentlyoccuroncentralizedexchanges.144Userssendeitherfiatcurrencyorcryptocurrenciestoanaccountcontrolledbytheex-change,andinreturn,theexchangepromisesto(andnormallydoes)
139. See Complaint at 13, SEC v. REcoin Grp. Found., L.L.C., No. 17-CV-5725(E.D.N.Y.Sept.29,2017)(allegingsecuritiesliabilityduetoREcoin’swhitepapermak-ingrepresentationsaboutcharitablegivingforwhich“thereisnoprogramcode”). 140. Philip Daian, Steven Goldfeder, Tyler Kell, Yunqi Li, Xueyuan Zhao, IddoBentov,LorenzBreidenbach&AriJuels,FlashBoys2.0:Frontrunning,TransactionRe-ordering,andConsensusInstability inDecentralizedExchanges1,4(Apr.10,2019)(unpublishedmanuscript),ARXIV:1904.05234. 141. Thefeewas113,265gasatapriceof134Gwei,orabout$5.Id.at5. 142. Id. 143. SeegenerallyAndreaPinna,Simona Ibba,GavinaBaralla,RobertoToneli&MichelMarchesi,AMassiveAnalysisofEthereumSmartContractsEmpiricalStudyandCodeMetrics,7IEEEACCESS78,194,78,202–06(2019). 144. See Nathan Reiff, What Are Centralized Cryptocurrency Exchanges, IN-VESTOPEDIA (June 25, 2019), https://www.investopedia.com/tech/what-are-centralized-cryptocurrency-exchanges [https://perma.cc/7D56-QPX5] (“[Central-izedcryptocurrencyexchanges]arethemostcommonmeansthatinvestorsusetobuyandsellcryptocurrencyholdings.”).
352 MINNESOTALAWREVIEW [105:319
promptlytransferanequivalentamountofarequestedasset.145Suchtrades almost always occur off-chain and are settled using the ex-change’s internal ledgers.146Exchanges do generally offer custodial“wallets”thatstorethekeystoauser’scryptoassetsforeasytrading.
Thesecentralizedexchangescould,butinmostcasesdonot,usetransactionalscripts.147Rather,theyactasmarketmakers,facilitatingtradesbetweentwopartiesforwhomitisthecustodian.Thereisthus,goodreasontoassumethattradesbetweensuchpartiesaregovernedbyordinarycontractslaw.
Thetrend,however,istowardsdecentralizedmodelsforcrypto-currency exchanges.148Collapses of centralized exchanges have leftuserswithoutaccesstobalancesstoredontheexchange.149Central-izedexchangeshavealsosufferedforlackofliquidityacrossrareras-settypes,asexchangescompetefororderflow.150Theseflaws,com-bined with the blockchain community’s ideological opposition tocentralization,providedfertilegroundforthedevelopmentofdecen-tralizedexchanges,151orDEXes.
TokenStore,aDEX,didnotautomaticallymatch trades in theirorderbook.Rather,sellersofassetswouldpostanorderandbuyerswoulddigitallysign their intent tomatch theorder, forwarding thetransactiontotheDEX’son-chaincontract,whichprovidedfora0.3%paymentallottedtoTokenStore.ThisisacommonsetupforDEXsys-temstoday.152Theserviceprovidedinthisinstancecanbeviewedas
145. Seeid.(explainingtheideaofcentralization). 146. Notethesearenotledgersintheblockchainchainbutmerelytheexchange’sowninternalrecordkeepingmechanisms. 147. Cf.id.(notingthatacrucialdifferencebetweencentralizedanddecentralizedexchangesistheuseofintermediariesandcustodians). 148. Whiletradesondecentralizedexchangesarestillofcomparativelylowvol-ume,thebulkofnewexchangesareadoptingdecentralizedmodels. 149. Mt.Gox,notableforits2014collapse,handledasmuchas70%ofallBitcointransactionspriortoitsdemise.SeeJoshConstine,ThePlottoReviveMt.GoxandRepayVictims’Bitcoin,TECHCRUNCH(Feb.6,2019,8:00PM),https://techcrunch.com/2019/02/06/the-plot-to-revive-mt-gox-and-repay-victims-bitcoin[https://perma.cc/79JU-49KX]. 150. SeeNathanSexer,StateofDecentralizedExchanges,2018,CONSENSYSMEDIA(Jan.31,2018),https://media.consensys.net/state-of-decentralized-exchanges-2018-276dad340c79[https://perma.cc/94KS-AJLT]. 151. Despitetheallure,theterm“decentralizedexchange”waslongsomewhatofamisnomer,asearliergenerationsstillreliedonasinglecontractformarketmakingandsettlement. 152. AnexplanationofsimilararchitecturesandthecoststheyimposeisprovidedbyIddoBentov,LorenzBreidenbach,PhilDaian,AriJuels,YunqiLi&XueyuanZhao,TheCostofDecentralizationin0xandEtherDelta,HACKING,DISTRIBUTED(Aug.13,2017,
2020] TRANSACTIONALSCRIPTS 353
twoseparablecomponents:153alistingserviceforopenorders,andaplatform to automatically consummate signed trades. Each compo-nentismediatedbyadifferentpieceofsoftware.Theorderbookismaintainedbyacentralizeddatabase,andinteractionwithitisbyawebsiteanditsaccompanyinginterfaces,bothcontrolledbyToken-Store.
Theconsummationcomponentismanagedbyaminimaltransac-tionalscript.Toperformatrade,usersfirstplacecryptoassetsinthecustodyofthetransactionalscriptusingadepositfunction.Atraderwishingtomatchanorderthenusesthewebinterfacetogenerateasignedtransactionandsubmitsittothetrade()functioninthetrans-actionalscript.Thescriptperformsanumberofcheckstoensurethatthetradeisvalidandthenupdatesthebalancesofbothusers.
Inthecaseofourpoortrader,oncethetradewasenteredintotheorderbook, anycounterparty could force itsexecution.TokenStoreappearstolackeitherawhitepaperoranysubstantiveformalizationinnaturallanguageoftheirsystemarchitecture.Itswebsitecontainsno link to a terms and conditions, and even their medium blog issparelypopulatedwithonlyeightposts,withfullyhalfbeingmerelylaunchannouncements.
ThenaturallanguagecontentsurroundingTokenStoreislimitedtoahandfuloftweets,blogposts,commitmessages,andcodecom-ments,whichyieldonlymodestinsightintothepurportedoffering.Amediumpostentitled“Advantagesoftoken.storeETH—Summarized”toutsthesecurityoftheplatformclaiming“token.storedoesn’tholdany of your funds; the trader deposits his funds into a smart con-tract....Thismakes theexperiencesafeandsecureby itsveryna-ture”anddirectsuserstoalinkto“checkthecode.”154OnTwitter,theprojectbraggedthat“[f]undsat[http://]token.storeETHandEOSare
1:45PM),http://hackingdistributed.com/2017/08/13/cost-of-decent[https://perma.cc/U79S-XE86]. 153. ThisseparationisjustifiedbynotingthataDEXcouldbuildaplatformcom-patiblewitharival’ssignedtransactions,usingitsowncontracttoconsummatetrades.TokenStore itself appears to have added support for transactions originating from“0x,” anotherpopularDEX.TokenDev,Tokenstore/Contract,GITHUB(July24,2018),https://github.com/tokenstore/contract/pull/11[https://perma.cc/34HB-8YW6](announcinganexpansionallowinguserstotake0xorders). 154. HarryBirch,AdvantagesofToken.StoreETH—Summarized,MEDIUM(Aug.27,2018),https://medium.com/token-store/advantages-of-the-token-store-summarized-9164c4bab41[https://perma.cc/KF8F-HX8H].
354 MINNESOTALAWREVIEW [105:319
held insmartcontracts:onlyuserswhohold theprivatekey to thewalletwhichdepositedthemcanwithdrawthem.”155
Ofdirectrelevancetotradingerror,thecodecontrollingtradeex-ecutionisprecededbythefollowingcodecomment:
Note:Ordercreationhappensoff-chainbuttheordersaresignedbycreators,//wevalidatethecontentsandthecreatoraddressinthelogicbelow.156ThenotionthatTokenStore“validates”thecontentsofanorder
priortofulfillmentleavesopenthequestionofwhatvalidationanon-code-readinguseroughttoexpect.WereturntotheseissuesinSec-tionIII.
C. ORACLESIntheirdefaultsetting,transactionalscriptsareunabletointer-
actwitheventsoccurringordataoutsideoftheblockchain.Consideratransactionalscriptthatpaysashippersolongasthetemperaturewithintheshippingcontainerstaysbelowacertainthreshold.Whilethe logic is simple (if the temperatureneverwentaboveX,pay thecontractprice),thequandaryforthecoderishowtoensurethatthetransactionalscriptknowswhatthetemperatureinsidethecontaineris.Thisproblemissolvedusingan“oracle,”acomputerizedagentthatperiodicallysubmitstheneededexternaldatatotheblockchaintobeusedwithincontracts.157
155. token.store(@TokenDotStore),TWITTER(June22,2019,11:32AM),https://twitter.com/TokenDotStore/status/1142470315777363968[https://perma.cc/TY3W-G64V]. Of note, the script is upgradable via an opt-in process,meaning thatwhileTokenStorecurrentlyhasnowaytoaccessuserassets,afutureversionofthecontractcertainlycould.ThoughTokenStorehasdelistedanumberoftokensfromitsorder book and user interface, individuals who have delisted tokens stored in thetransactionalscriptcanstillaccessthembymanuallysubmittingawithdrawtransac-tion to the blockchain.See token.store (@TokenDotStore), TWITTER (Nov. 15, 2018,11:46AM),https://twitter.com/TokenDotStore/status/1063126115290615808[https://perma.cc/E4VK-DK4T]. 156. BlockExplorer forEthereumMainnet,ANYBLOCKANALYTICS,https://explorer.anyblock.tools/ethereum/ethereum/mainnet/address/0xE17dBB844Ba602E189889D941D1297184ce63664 [https://perma.cc/QB8N-QDJN] (last modified July 6,2020). 157. Incorporatingexternaldatadirectlyontothechainunderminestheconsensusmechanism,asitleavesnoprincipledwayfornetworkparticipantswithoutdirectac-cesstotheexternaldatatovalidateitscorrectness.SeeAlexanderEgberts,TheOracleProblem:AnAnalysisofHowBlockchainOraclesUnderminetheAdvantagesofDecen-tralizedLedgerSystems5(Dec.12,2017)(M.A.thesis,EBSUniversityofBusinessandLaw),https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3382343[https://perma.cc/JW5E-UHJP].
2020] TRANSACTIONALSCRIPTS 355
Anoraclenormallyconsistsoftwoparts:ascriptandawaytopopulatethescript’sdatastore.158ThefigurebelowexcerptsfromtheoracleforacurrencyexchangecalledSynthetix,showingaportionofthe function that incorporates updates to currency exchange ratesontothescript’sstorage.
158. Oraclescanexistinsoftwareorhardware,withthelatterpurportedlyofferingsome security guarantees stemming from the increased difficulty of compromisinghardware.
function internalUpdateRates(bytes4 []
currencyKeys , uint[] newRates , uint
timeSent) internal returns(bool) {
require(currencyKeys.length ==
newRates.length , "Currency key array
length must match rates array length.");
require(timeSent < (now +
ORACLE_FUTURE_LIMIT), "Time is too far
into the future");
// Loop through each key and perform update.
for (uint i = 0; i < currencyKeys.length;
i++) {
// Should not set any rate to zero ever ,
as no asset will ever be
// truely worthless and still valid. In
this scenario , we should
// delete the rate and remove it from
the system.
require(newRates[i] != 0, "Zero is not a
valid rate , please call delegateRate
instead.");
require(currencyKeys[i] != "sUSD", "Rate
of sUSD cannot be updated , it’s
always UNIT.");
// We should only update the rate if
it’s at least the same age as the
last rate we’ve got.
if (timeSent <
lastRateUpdateTimes[currencyKeys[i]])
{
continue;
}
newRates[i] =
rateOrInverted(currencyKeys[i],
newRates[i]);
// Ok , go ahead with the update.
rates[currencyKeys[i]] = newRates[i];
lastRateUpdateTimes[currencyKeys[i]] =
timeSent;
}
emit RatesUpdated(currencyKeys , newRates);
// Now update our XDR rate.
updateXDRRate(timeSent);
return true;
}
The function takesas input a set of
exchange rates andcurrency pairs, alongwith the current time
The function performsthe following processfor each currency pair:
1. Check if the last update wasfar enough in the past torequire a new update
2. Invert the rate if required
3. Update the script with thenew rate and reset the up-date timer
Figure4:OracleScriptfromSynthetix
356 MINNESOTALAWREVIEW [105:319
As shown above, to execute the update function, the programmustprovideasinputthedataitwishestoincorporate.Notably,witheachupdateagasfeemustbepaidtostorethenewdata.Oraclesarethusnotimmunefromthechallengesassociatedwiththecomplexitytax.
Thedatafromoraclesistypicallyprovidedbyathird-party.Thishighlights a significant trade-off: oracles require trust in the datasource(andfurtherinthesoundnessoftheoraclescript).159Forsome,the intermediationand trust reintroducedbyoracleshighlights the“oracle paradox”: the more relevant the oracle data, the less oneshouldbewillingtotrusttheprovider.160Thereareanumberofin-geniousprotocoldesignsthatachievetotweakthesetrade-offs.161
Butoraclesbreakdowndespitethebestintentionsofallinvolved.Forexample,onJune25,2019,oneofthecommercialdatafeedsfromwhichSythnetixreceivesitsUSD/KRW(KoreanWon)exchangerate“begantointermittentlyreportaprice1000xhigherthanthecurrentrate.”162Anearlieroutagehadtakenoneoftheothertwodatasourcesoffline, and the code to disregard outliers averaged the remainingfeedswasalsobuggy.Fora scriptoperatingamarket for syntheticcryptoassets,tiedtorealworldassets,amismatchbetweenthesyn-theticassetandtheunderlyingassetwastheworst-casescenario.
159. Federatedoraclesattempttotacklethistrustproblembydistributingit:theyrequirethatasmallnumberofpartiesindependentlyprovidethesameinformation.Thetransactionalscriptvalidatesthattheinformationitreceivedisconsistentacrosseachparties’submissionbeforeitpermitsthedatatobeused.Suchanapproachisnoguaranteethataseriesofbugswon’tcausetheoverallfailureofthesystem. 160. SeeJesusRodriguez,TheMiddlemanofTrust:TheOracleParadoxandFivePro-tocolsthatCanBringExternalDataintothe...,HACKERNOON(July31,2018),https://hackernoon.com/the-middleman-of-trust-the-oracle-paradox-and-five-protocols-that-can-bring-external-data-into-the-df39b63e92ae[https://perma.cc/N3SJ-FFJG]. 161. Decentralizedoracleprotocols(suchasChainlink)providenetworksofindi-vidualoraclesalongwithincentivestructuresthatpromotetrustinthenetwork.See,e.g.,WelcometoChainlink,CHAINLINKDEVS.,https://web.archive.org/web/20191228052855/https://docs.chain.link/docs/welcome-to-chainlink[https://perma.cc/6XZB-VB8S]. An alternative solution operated by Augur maintains a prediction marketwhichsyncstooff-chaineventsbymaintainingafeepoolpaidouttoparticipantsthatreportonthestateoftheoff-chainworld.SeeJackPeterson,JosephKrug,MicahZoltu,AustinWilliams&StephanieAlexander,Augur:ADecentralizedOracleandPredictionMarketPlatform(Feb.3,2018)(unpublishedmanuscript),ARXIV:1501.01042.Amus-ingly,aparticipantcandisruptthemarketbyplacingaself-referentialbetonAuguritself. 162. Synthetix Response to Oracle Incident, SYNTHETIX (June 25, 2019), https://blog.synthetix.io/response-to-oracle-incident[https://perma.cc/KEQ9-CKTP].
2020] TRANSACTIONALSCRIPTS 357
Abotwasabletodetectthemismatchedexchangerateandtookadvantageofthearbitrageopportunity,acquiringtokenswithamar-ket value of $1bwith amere $1000 investment.163Fortunately forSynthetix, the bot owner reversed the trades in return for a bugbountypayout.ThechainindicatesthereversalwasachievedthroughasubsequenttradeatanexchangeratebetweenansETH(tokenizedETH)andsKRW(tokenizedKRW)manyordersofmagnitudebelowthe actual rate. 164 This suggests cooperation between Synthetix(whichwouldhavebeenabletomanuallyadjusttheexchangerate)andthebotownerwhowillinglyconvertedtheirsETHbelowmarketrate.Whiletheon-chaintransactionssuggestthatthebotownerlosttheirinvestment(alongwiththeirprofits)inthereversetransaction,thiswaslikelyremediatedthroughasidepayout.
WepreviouslyshowedascriptbywhichSynthetixincorporatedvarious exchange rates. Aswith our previous examples, that scriptwasaccompaniedbynaturallanguagetext,whichprovidedtheoppor-tunityforgapsbetweenintentionandoutcome.Thetopofthefilein-cludedthefollowingdescriptionofitsfunction:
[Thisisa]contractthatanyothercontractintheSynthetixsystemcanqueryforthecurrentmarketvalueofvariousassets,includingcryptoassetsaswellasvariousfiatassets.Thiscontractassumesthatrateupdateswillcompletelyupdateallratestotheircurrentvalues.Ifarateshockhappensonasingleasset,theoraclewillstillpushupdatedratesforallotherassets.165Alongside extensive code commentary, Synthetixmakes repre-
sentationsastothe functionalityof itsplatformintheREADMEac-companying the code, in thehelp sectionof itswebpage, and in itsmarketingmaterials.166Noneofthosecommentarydocumentsrefer-encesthepossibilityofanerroratthedatasource.TheREADMEfile,
163. ForinformationontheexchangeofETHusedtotakeadvantageofthearbi-trage opportunity, see Transaction Details, ETHERSCAN (June 17, 2019, 9:04 AM),https://etherscan.io/tx/0x6f6ee43ee07013503df786532493a3c405465f91e3ce8bb4ba8717a715db1caa[https://perma.cc/3B39-V7X3]. 164. Thiswasdeducedbyfollowingthechainoftransactionswithanexchangeof37msETHfor362sKRW.TransactionDetails,ETHERSCAN (June25,2019,2:54AM),https://etherscan.io/tx/0xc3fc19c63e1090eb624212bad71a27cd3dc7afcd0cf9063d24bfc47b5d036ae2[https://perma.cc/R52W-HKZF]. 165. Contract,ETHERSCAN,https://etherscan.io/address/0x70c629875dadbe702489a5e1e3baae60e38924fa#code[https://perma.cc/VX3Y-56FR]. 166. Thewebpagedoesincludealinktotermsandconditions,buttheygovernuseofthewebsiteratherthantheblockchainplatform.TermsofUse,SYNTHETIX,https://www.synthetix.io/terms-of-use [https://perma.cc/8GCH-9BAK] (“By accessing thewebsiteathttp://synthetix.io,youareagreeingtobeboundbytheseterms....InnoeventshallSynthetix...beliableforanydamages...arisingoutoftheuseorinabilitytousethematerialsonSynthetix’swebsite....”).
358 MINNESOTALAWREVIEW [105:319
however,notesthatthefeesaregovernedbyanexchangeratethatis“derivedbylookingatabasketaggregateofcurrencies,”thattherateswillbenotbe“stale”andthattheoraclewillbe“trusted.”167AndtheMITLicensefortheSynthetixsoftware,whichisprovidedasafileonitsGithubpage,statesthatthesoftwareisprovided“ASIS.”168HowtocompilethesevariousstatementsisthesubjectofournextSection.
III.SCRIPTSANDSTACKSAsweexploredabove,itsimplyisnotpracticaltocreatescripts
thatperfectlyembodytheircoders’intent.Thepointisgenerallytrueforallcodedexchange.A2019decisionissuedbytheSingaporeInter-nationalCommercialCourt, applying the common lawof Singapore(itself derived fromEnglish common law), offers a uniquewindowintohowjuristsmightresolvethecontractualconsequencesofcodegoneawry.169
Thecaseinvolvedalopsidedtradeofcryptocurrency.Quoineop-eratedacentralizedcurrencyexchangeplatformthatprimarilyena-bledtradingofcryptocurrencies.170B2C2wasan“electronicmarketmarker,”whichhaddevelopedatradingalgorithmwrittenbyitspres-ident several years before the events of the case.171In April 2017,Quoine,asitalwaysdid,hadaprograminplacetomonitoruserswhohadborrowedcollateralwithwhichtotrade.172WhenQuoine’spro-gramidentifiedanimbalanceinthereserves,itforcedthesaleofcol-lateralizedassetsatthebestavailableprice.173
Unfortunately,theprogramthatQuoinehadwrittentoensurealiquidmarkettemporarilyfailed.174Theresultwasitspriceswereoutofsyncwiththeglobalmarket.175 B2C2,whosegoalwastocapturere-turnsfromthebid-askspread,176offeredtofillsevenparticularorders
167. Oikos Contracts, GITHUB, https://github.com/oikos-cash/oikos#oikos-tron-contracts[https://perma.cc/9CME-PC2E](lastmodifiedAug.11,2020). 168. MIT License, GITHUB (Nov. 29, 2018), https://github.com/Synthetixio/synthetix/blob/8f3b95d1205f2b4d6b62124bd07f593773800743/LICENSE[https://perma.cc/Q2PX-46T7]. 169. B2C2Ltd.v.QuoinePte.Ltd.[2019]SGHC(I)03. 170. Id.at1. 171. Id. 172. Id.at12. 173. Id. 174. Id. 175. Id. 176. Id.at5.
2020] TRANSACTIONALSCRIPTS 359
atapricearound250timesthatavailableonthebroadermarket,mak-ingitaquickprofitofseveralmilliondollars.177
Thenext day,Quoine reversed the trades in its order book.178B2C2sued,arguingthatthereversalviolatedQuoine’stermsandcon-ditions,whichprovidedthat“onceanorderisfilled,youarenotifiedviathePlatformandsuchanactionisirreversible.”179
QuoineofferedtwoprincipaldefensestoitssupposedobligationtocompletethetradeswithB2C2.180
First, itpointedoutthatitsriskdisclosurestatement,uploadedpriortothetradebutnotexpresslyincorporatedintothetermsandconditions, permitted a reversal of trades if “market circumstancesshiftdramaticallyorsomethingelsehappens.”181Thecourtheldthatbecausethestatementwasnotexpresslyincorporatedintothecon-tract(that is, intothetermsandconditions), itdidnotoverridetheexpress language of the contract itself.182This decision seems per-fectlysensibleonitsface—anapplicationoftheusualideathatanin-tegrated agreement ought not be contradicted by extrinsic state-ments.183
Second,andmoreinterestingly,thecourtconsideredwhetherthefactsestablishedamistake,allegedlybecause thepartieswouldnotthemselves have executed the trade in a hypotheticalworldwherethey talked about it in person in real time.184 That is, the parties’agents—theprograms—hadexecutedadealwhich,thoughanaccu-rateexpressionofthecode’sinstructions,somehowfailedtocapturetheir “real intent.”185As Quoine argued, the platformswere “reallycomplexplatforms,”inwhich“alotofthings[could]gowrong.”186Themistakeinquestionwasnotatypographicalerrorinthecode,butra-theran“oversight in thedesignof thesystem.”187Quoineaskedthe
177. Id.at12. 178. Id. 179. Id.at55. 180. Id.at58. 181. Id.at64. 182. Id.at73. 183. Forthispoint,thetribunalcitedaBritishtreatiseandsupportingSingaporeanauthorities,buttheresultwouldbenodifferentinmostU.S.jurisdictions.Seeid.at69;infratextaccompanyingnotes271–72. 184. B2C2Ltd.[2019]SGHC(I)03,at75. 185. See generally 1 TIMOTHYMURRAY,CORBIN ONCONTRACTS:FORMATION OFCON-TRACTS§4.11(rev.ed.2020)(describingoldcasesontelegraphsandmistakesintrans-missionofmessages). 186. B2C2Ltd.[2019]SGHC(I)03,at30. 187. Id.
360 MINNESOTALAWREVIEW [105:319
courttoapplya“pragmaticandjudiciousstance”andvoida“clearlyerroneoustrade.”188
Thetribunal,adoptinganarrowerreadingofunilateralmistakederivedfromBritishcommonlaw,heldthattoavoidliability,theper-sonwhowasnotmistakenmusthaveactuallyknownofhercounter-party’serrorand“wasshuttinghermindtotheobvious.”189Indecid-ingwhetherB2C2had that requisite stateofmind, thecourtnotedconceptualdifficulties:
[A]pplyingthelawto...algorithmictrading...raise[s]newquestions.Whatmistakeshavebeenmadeandtowhatextentaretheyfundamental?Howdoesoneassessknowledgeor intentionwhenthewholeoperationiscarriedoutbycomputersactingasprogrammed?Whoseknowledgeisrele-vant?Atwhatdateisthisknowledgetobeassessed?190Giventhattheprogramexecutedafixedtrade—i.e.,thedesignof
thecodebespoketheprogrammer’sintentiontostripitofanydiscre-tion—thecourtanalogizedtheprogramtoa“meremachinecarryingoutactionswhich inanotheragewouldhavebeencarriedoutbyasuitablytrainedhuman.[Itis]nodifferent[from]...akitchenblenderrelievingacookofthemanualactofmixingingredients.”191
Thecourtthusheldthatforthepurposesofascertainingmistake,itwouldfocusontheintentof“thepersononwhosebehalfthecom-puter placed the order in question [B2C2].” 192 This, the court ex-plained,requiredexaminingthe“stateofmindoftheprogrammerofthesoftwareofthatprogramatthetimetherelevantpartofthepro-gramwaswritten.”193Assessingtherelevantevidence,thecourtde-cidedthattheprogrammerhadnotinsertedcodeintendingtotradeatlopsidedratesorknowingthatdoingsocouldonlyresultfromthecounterparties’error.194Thus,itrejectedtheclaimofmistake.195
Quoineisnotacaseaboutatransactionalscriptgonewrong.Butitdoesofferafewglimpsesintothefutureofhowscriptedexchangeswillberesolved,oratleastonepossibleapproachtosuchproblems.
188. Id.at79. 189. Id.at80;cf.RESTATEMENT(SECOND)OFCONTS.§153(AM.L.INST.1981)(requir-ingthenon-mistakenpartytohave“hadreasontoknowofthemistake”). 190. B2C2Ltd.[2019]SGHC(I)03,at86. 191. Id.at89. 192. Id.at87–88. 193. Id.at89–90. 194. Id.at99. 195. Id.In2020,theSingaporeSupremeCourtaffirmedthejudgmentinanopinionthatwasequallylengthybutbrokenonewconceptualground.QuoinePte.Ltd.v.B2C2Ltd. [2020] SGCA (I) 02, https://www.supremecourt.gov.sg/docs/default-source/module-document/judgement/-2020-sgca(i)-02-(v-4)-pdf[https://perma.cc/7LF2-HY2V].
2020] TRANSACTIONALSCRIPTS 361
Thefirstistheimportanceoftherolethatold-fashionedcontractlaw—andold-fashionedcontracts—willplayinthedispositionoftheparties’ legal rights.TheQuoine tribunalprivileged thenatural lan-guagecontractembodiedinthetermsandconditionsoverthecode.Though it ultimately declared that the risk disclosures outside thetermsandconditionswerenotbinding,itapparentlywouldhaveen-forcedthosedisclosures,hadtheybeenincorporated,oversoftwarecode that enabled the trade. Itwas only in the absence of contracttermsgoverningthedealthatthecourtturnedtowhatthecodeper-mitted,andwhy.Thus,thecodedrulesofexchangewere,inthecourt’sview,largelyirrelevant.
Secondandrelatedly,theQuoinecourt’sfocusontheintentoftheprogrammerisanaturaloutgrowthofcontractcaselaw.Interestingly,Quoine focused on intent at the time of the original programming.KnowingwhatB2C2intendedrequiredthecourtonlytotakethetes-timonyofonecoder,andtoapplythenormaljudicialtools(assessingdemeanor, consistencywithprior statements and thedocumentaryrecord)todeterminethe“truth”ofthecoder’sintent.196Suchasimplestoryisunlikelytoreplicatewhenweinterrogatemorecomplexcod-ingproblems.
WethinktheQuoinedecisionoffersaroughguidetothesortsofproblemsthattransactionalscriptswillraise,andasenseofhowcom-monlawcourtswillbemotivatedtoresolvethem.Indeed,wethinkthetribunalgotitmostlyrightincontext,butthatitsreasonswon’tscale.Givenwhatwe’velearnedaboutthetechnologicalenvironmentgeneratingscripts,wemaketwobasicargumentsabouthowthelawoughttoconsiderproblemsrelatedtoscripting.
First, judgesshouldnotprivilege“contract”over“code”butra-ther ought to ascertain and harmonize meaning across a contractstack.Code—whenreadwithitsnaturallanguagecommentsandcom-mitlogs—hascommunicativemeaningthatcourtsshouldseektoas-certainandenforce.Second,conditionalonintegratingthestack,thesearchformeaningshouldfocusonexpressionsthatbestreflectthebestpublic-facingaccountoftheparties’sharedintentatthetimethattheycommittedtothedeal.Weworkthroughtheseprinciplesbysug-gestingalistofcanonsofscriptedlaw.
196. B2C2Ltd.[2019]SGHC(I)03,at89–90.
362 MINNESOTALAWREVIEW [105:319
A. THECANONICALSTACKAsJasonAllenhasrecentlyargued,transactionalscriptsarethe
latest in a series of “‘contractware’, i.e., technological artefacts de-signedtoembodyandperformcontracts.”197Achip inacreditcardembodiestheconceptwell.Thereisanaturallanguagecreditagree-mentbetweenyouandyourcardcompany,updatedandmodifiedattheissuers’willagainstthebackgroundofregulation,whichdefinethecircumstancesunderwhichcreditmaybeextended.Thosetermspar-allelonesagreedtobetweentheissuer(oritsagents)andmerchants,whichenableyourcard(theartifactresultingfromyournaturallan-guageagreements)toeffectuateapendingsalebyinsertionintothemerchant’sreader.That is, thecard/readerperformscontractsthathoverintheairaroundthem.
Allcontractwarehasthisproperty:itiswrappedwithinanordi-nary,legalcontract.Absentalegitimateconnectiontothosecontracts,useofacredit cardcanstillaffect theworld—youraccountwillbedebited,themerchant’scredited—butsuchchangescanbequicklyre-versed.Ofcourse,notallcontractwarerequiresphysicalmanifesta-tions.Allenarguesthattransactionalscriptsareanexampleofcon-tractwareinwhich“thesubjectmatterofthecontractisanimmaterialobjectwhichcanbemanipulateddirectlybythe[code].”198
Allenconcludesthattransactionalscriptsarelayersinthe“con-tractstack.”199Thestackisausefulmetaphortodescribethevariouselementsof“contractasacomplexentity.”200Astackmightinclude,perhaps,anoralcontract(orotherindiciaofsocialagreement),awrit-tentext,andthelegalrules,whichgiveeffecttotherelationshipbe-tweenthetwo.Inatransactionalscript,the“writtentext,”i.e.naturallanguagetermslikethestatementoftermsandconditionsinQuoine,is“complemented(orsupplanted)bycodewhichisalso,incidentally,wholly or partially executable by a machine.” 201 Each additionalstep—thecompilingofmachine-readablecodefromhumanreadablecode—addsanotherlayerofcomplexitytothestack,butthestackisintendedtooperate,andthereforeoughttoberead,asawhole.202
Manyworkinginthisspaceacknowledgethatcontractstackswillbe themechanism throughwhich commercial projects will deliver
197. Allen,supranote33,at313. 198. Id.at318. 199. Id.at330. 200. Id. 201. Id. 202. Id.at331.
2020] TRANSACTIONALSCRIPTS 363
scriptedperformance.203This is theapparent impetus, forexample,for the InternationalSwapsandDerivativeAssociation’sattempt toinsertexplicitreferencestoscripts,whichoperationalizeinterestpay-mentsintotheISDAmastercontract.204Butothersophisticatedpro-jects,liketheOpenLawcooperative,areexplicitlydevelopingstackeddeals.205
But we’d go further. All litigated scripts will exist in contractstacks.That’snottosaythattherewillalwaysbea100-pagemasteragreement,orevenclicked-throughtermsandconditionsofsale.Ra-ther, our claim is that there will always be some non-code state-ments—rangingfromthehighlyformalizedtermsandconditions,tolessformalizedwhitepapersandcodecommentary,toquiteinformalpromises(Twitter)—whichwill informtribunals’understandingsofwhatthepartiesintendedtoexchange.
This is truebothasamatterofpractice, andamatterof logic.Codeisnotself-descriptive.Anyscriptsthathavepracticalrelevancewillhavesomenon-codelanguagesurroundingthem.Anysetofcom-municationsrelevanttotheexchangethatarevisibletothepartiesareat least presumptively a part of the stack. (Whether they all countequallyisaharderquestion.)
Thus,althoughsomeintheliteraturehaveaskedifa“smartcon-tract”isreallyacontract,standingalone,wedoubtthepracticalrele-vanceofthatquestion.Thecodestandingalonemaynotfullyspecifyanexecutorycontract,unilateralorotherwise,becauseitsimplyac-complishesperformance.But,unlike the cheese, at least at themo-ment, thecodeneverstandsalone.Asourexamples inPart II illus-trate,itistypicallydeployedinasocialcontext.
Thoughthestackisarelativelyrecentterm,theideathattrans-actionsareaccompaniedbymanysortsofpotentiallylegally-opera-tivepromisesisnot.Youbuyacar,ledtothedealershipbyacommer-cial, and see a price at the entrance to the lot. The dealer makesrepresentationstoyou.Youreplywithyourownadmissions.Finally,yousignawrittenagreement,whichoftenseekstoexcludetheprior
203. See,e.g.,DEFILIPPI&WRIGHT,supranote33,at77(arguingthat“hybrid”con-tracts will be useful especially when particular components cannot be reduced tocode). 204. INT’LSWAPS&DERIVATIVESASS’N,LEGALGUIDELINESFORSMARTDERIVATIVESCON-TRACTS:THEISDAMASTERAGREEMEENT7(2019),https://www.isda.org/2019/02/19/legal-guidelines-for-smart-derivatives-contracts-the-isda-master-agreement[https://perma.cc/HSN4-2A54]. 205. SeeGeneralQuestions,OPENLAW,https://app.openlaw.io/faq#first_draft_au-tomate [https://perma.cc/KZ43-6LMC] (“OnOpenLaw, you can execute smart con-tractcodebyembeddingasmartcontractcallinanytemplate.”).
364 MINNESOTALAWREVIEW [105:319
representationsasoutsideoftheoperativedeal.Thewholeexchangeis a contract stack. Someof it is legally operative, and some isnot.Whenyoubuyacupofcoffeeat thestoreafterseeingasignat thedoor,theprocessisthesame—thoughifyouuseanapptofulfillthepurchase,someofthecodethataccomplishespaymentisobscuretoyouandis,perhaps,notpartofthecontract.Thepoint isthatwhatcounts as the “contract” results from themultifarious set of policychoices thatwecall contractdoctrine. Sometimes that constructionmapsontoasingle,written,document,butoftendoesnot.
Wethussuggestourfirstcanon—amaxim—tohelpcourtsmakesenseoftheadjudicationofdisputesarisingfromscriptedexchange.Likealloftherulesthatwesuggest,itbuildsonexistingcaselaw.Itisalsoadefault:thepartiescan(andasweexplorebelow)havechangeditbycontract.
Inworkingthroughthiscanon,anexamplemayhelp.Considera
tokenwhitepapermakesapromiseaboutgovernancerights,butthescriptcontainsnoreferencetothatpromise.206Thatwasthenorminthe2017ICOcraze.207Inpreviouswork,weconductedanexhaustiveauditofthematchbetweensemanticdisclosures(includingthoseinWhitePapers,Twitter,Instagram,Reddit,andMedium)andscriptedcodeintokens.Wefoundthatmostprogramshadnot,infact,createdcode thatconformedto theirpromises.208“Forover20%of ICOs inour sample where promoters promised cryptoasset supply re-strictions,and35%ofpromisedtokenburning,wecouldnotobservecorresponding restrictions [written into transactional scripts].” 209Worse,wedidnotfindcode-basedvestingrestrictionsintwenty-fiveofthethirty-sixICOswherepromoterspromisedtoadheretosuchre-strictions.210Finally,oftwelveICOsforwhichourauditrevealedthata central party could modify the functionality of the cryptoasset’scode,onlyfourdisclosedthatabilityintheirpromotionalmaterials.211
206. Cf.Cohneyetal.,supranote2,at640–44(discussingmarketsolutionstomiss-ingdisclosures). 207. Id.at640. 208. Id.at639. 209. Id.at640. 210. Id. 211. Id.at639–40.
Canon1:Allsharedcommunicationsofintent,includingthecode,comprisethelegally-operativestack.
2020] TRANSACTIONALSCRIPTS 365
Totheextentthatanactionforalegalbreachofsuchacontractstackisbrought,howdoweknowwhatwaspromised?Somemightarguethattheonlylegallyoperativepromisesarethosemadeinnat-ural languagedocumentsoutsideof the code; others, that the codeprovidestheonlyrelevantsetofrules.212Inaway,thisisquitesimilartothestartofaconventionalparolevidenceproblemwheremultipledocumentsarecandidatesforinclusionasthelitigated“contract.”213Whentheboundsofcontractarefuzzy—thatis,intheabsenceofin-tegration—thestackofcontractwareiscapaciouslyconstructed.Thisproblemiswellillustratedbytheconventional2-207problem,wherethepartieshaveexchangednon-matchingformsandthecourtmustcompilea“contract”expost.214
Courts appropriately compile into the stack those promissorystatements,whichseemtoindicatetransactionalintent.Thus,termsandconditions,becausetheyclearlyindicatetheparties’intenttocon-tract,arealmostcertainlypartofthestack.Sotooaremostpublishedwhitepapers,whichmakenumerouspromisesaboutwhat’stobede-livered, even though in some ways they are offers directed to theworld.Thereasonisobvious:whitepapersarethebestevidenceofwhatthecodesupplierintendstocreate,andthewaythatcounter-
212. Somehavearguedthattheparolevidencerulewouldmakeitdifficult“forthepartiestoprovetheir intenttocontractbypointingtoothercircumstances,suchasprior dealings or negotiations.” AnnaDuke,WhatDoes the CISGHave to Say AboutSmartContracts:ALegalAnalysis,20CHI.J.INT’LL.141,159(2019).Thisisextremelypuzzling,astheruleitselfonlyappliestofullyintegratedagreements.Otherssuggestthatwhenthepartieshave“signedandverifiedthatthecontracthadbeenaccuratelytranslatedintocomputercode,” itwillbedifficult forthemto laterarguethattherewereadditionalterms.AlanCohn,TravisWest&ChelseaParker,SmartAfterAll:Block-chain,SmartContracts,ParametricInsurance,andSmartEnergyGrids,1GEO.L.TECH.REV.273,281(2017).Thistooisconfusing,sincethetypicalwaythatpartieswouldverifythatthecontractiscorrectwouldbetoagreetothatstipulationinanaturallan-guageagreement. 213. SeeGregoryKlass,ParolEvidenceRulesandtheMechanicsofChoice,20THEO-RETICALINQUIRIESL.457,464(2019)(“[A]writingisintegratedifandonlyifthepartiestogetherintendedthatitwouldserveasafinalstatementofsomeoralltermsoftheiragreement.”). 214. SeeJohnD.Wladis,TheContractFormationSectionsoftheProposedRevisionstoU.C.C.Article2,54SMUL.REV.997,1011(2001)(“[T]heexchangeofnon-matchingrecordsrarelyinvolvesparolevidenceissuesbecausethereisusuallynoonerecordthatisafinalexpressionoftheparties’agreement.”).
366 MINNESOTALAWREVIEW [105:319
parties are enticed to invest, contribute funds, or otherwise trans-act.215Itmightbe(aswewillexplore)thattermsandconditionspro-videbetterevidenceof intent thandowhitepapers,whenbotharepresent,butasastartingpoint,thewhitepaperoughttobeconsid-eredaspartoftheset.
Moretransientpromises,likethosemadeonsocialmediaposts,onReddit,orviavideo,arealsoplausiblecandidatesforthestack.Ju-ristswillaskiftheymakepromisessufficientlydefiniteandcertaintoenable a fact finder to generate thegrist forobligation.216Thiswillturnonthenatureofthepromisesmade.217DoesapostonRedditstat-ingthepreciseamountofacappedsupplycount?218Wethinkso.Butonethatstatesthat“peoplewillhaveanextendedperiodduringwhichtheycanburn”withoutmoredetailseemstobetoovaguetogenerateobligation.219
Thehardestproblem is the contractual statusof the script, in-cludingitscommentary.It’shornbooklawthatthepartiescanuseci-phers toexpress themselves,and thatcourtsought toenforcesuchcodedmeanings“howeverwemaymarvelatthecaprice.”220Indecid-ingwhethertogiveeffecttoprivatemeanings,courtstraditionallyen-gageinahypotheticalinquiry:ifthepartieshadbeenqueriedatthemomentofcontractingaboutthemeaningofaparticularterm,whatwouldtheyhavejointlysaid?Courtswillthusself-consciouslyadopt
215. SeeMURRAY,supranote185,§2.12[1](describinga“webpagewhosecontrac-tualnatureisnotobvious”asonewherecourtswillaskif“therecipientactuallyknowsorhasreasontoknowofit[when]sheassentstoit”). 216. Seeid.§1.11(defininganofferas“anactwherebyonepersongivestoanotherthelegalpowerofcreatingtherelationcalledcontract”). 217. ForexamplesofthesortsofmarketingpromisesmadeinICOdisclosures,seeShaanan Cohney, DavidHoffman, Jeremy Sklaroff &DavidWishnick,Coin-OperatedCapitalism Appendix C, COLUM.L.REV., https://columbialawreview.org/content/coin-operated-capitalism-appendix-c[https://perma.cc/QGE7-H7AF]. 218. See,e.g.,u/helloicon,ICONTechnicalQ&ASummary,REDDIT(Sept.18,2017,1:06 AM), https://www.reddit.com/r/helloicon/comments/70t56h/icon_technical_qa_summary[https://perma.cc/5XJZ-APCB](answeringquestionsregardingthetech-nicalitiesrelatedtoICON). 219. See aetrnty,BurningToken, REDDIT(Sept. 10, 2017, 1:42PM), http://www.reddit.com/r/Aeternity/comments/6za07b/burning_token[https://perma.cc/K3QQ-PJBL]. 220. 5MARGARETN.KNIFFIN,CORBINONCONTRACTS: INTERPRETATIONOFCONTRACTS§24.9(JosephM.Perilloed.,rev.ed.1998);see,e.g.,Hurstv.W.J.Lake&Co.,16P.2d627, 629 (Or. 1932) (holding the term “minimum 50%” to encompass “as low as49.5%”);Smithv.Wilson(1832)110Eng.Rep.266,266;3B.&Ad.728,728(holdingthat“parolevidencewasadmissibletosh[ow]that...thewordthousand,asappliedto[thecontract],denotedtwelvehundred”).
2020] TRANSACTIONALSCRIPTS 367
the parties’ expressed “vernacular.” 221 Unilateral and uncommuni-catedmeaningbearaslittleontheproblemofcontractualinterpreta-tionasthepublicmeaningsthatthepartiesmeanttocastaside.222
Atraditionalrequirementaboutnon-traditionalcommunicationsisthatthepartyagainstwhomtheywouldoperatereasonablyunder-standsthemtobecontractualinnature.223Contextmatters:themoreimpermanentthemedium,thelessobviousitshouldbethatabargainresultsfromtheposting.224Thisiswhy,inanoldcase,acourtfoundthatthelanguageonthebackofcoatcheckticketswasunenforceable:such scraps “didnot arise to thedignityof a contract.”225Promisesmadeintermsandconditionsfeellikecontracts(moreorless),whilethosemadeonTwittermaynot.226
But how about the code? The primary objection to includingscriptsaspresumptivesourceofcontractualintentisthatcodedoes,itmakes no promises to do. True, those in the know can learn thecoder’ssophisticationfromherscript’seleganceandeconomy,justasconnoisseursoffontwillmakeinferencesbasedonthisArticle’stype-setting.Butthat’snotthesameasthesortofpromissorycommunica-tionthatnormallygeneratesobligation.Moreover,becausethecodeisinherentlybuggy—aswehaveexplored—includingitintothestacknecessarilymeans that courts are adopting ambiguous evidence ofwhattheparties“really”meantoaccomplish.
Ofcourse,naturallanguageisbuggytoo,ascenturiesofexperi-enceswithcontractinterpretationproblemsmakeclear.Andthecodeisfestoonedwithnaturallanguagecommentsandcommitlogs,whichdo,implicitlyorexplicitly,statewhatthecodersaretryingtoaccom-plish.Mostimportantly,inlightofthesocialconventionsofthescript-
221. KNIFFIN,supranote220,§24.13. 222. Id.§24.6. 223. MURRAY, supra note 185, § 2.12[1] (discussing non-contractual documentsthatarenotenforcedforlackofinquirynotice). 224. Insomecontexts,statementsdirectedatthewholeworldwillbedeemedtobeadvertisements.Id.§2.4.Butsincewhitepapersandthelikearen’tconsideredintheabstracthere,butratherwhenaccompanyingthescriptswhichputthemintoef-fect,thebetteranalogyisthesupermarketcirculardistributedatthegroceryitself.Id.§2.7. 225. Healyv.N.Y.Cent.&HudsonRiverR.R.Co.,153A.D.516,519–20(N.Y.App.Div.1912). 226. SeeBerksonv.GogoL.L.C.,97F.Supp.3d359,382(2015)(arguingthatelec-tronic contracts “require clearer notice than do traditional retail”). But cf. KristenChiger,WhenTweetsGetReal:ApplyingTraditionalContractLawTheoriestotheWorldofSocialMedia,3ARIZ.STATEU.SPORTS&ENT.L.J.1,6(2013)(findingthattweetscancreatecontractualobligation).
368 MINNESOTALAWREVIEW [105:319
ingindustrytoday,itisreasonabletoconcludethatparticipantsbe-lieve that the code-and-comments create obligations, i.e., that thescriptiscontractualinnature.Theveryterm“smartcontracts”justi-fiesthisconclusion.Therhetoricofexchangingincontractingshouldbeconstitutive.
This conclusion is strengthened in light of our focus onpublicblockchains, where all of the relevant parties have access to thescripted rules, can inspect them, and can read the associated codecommentary.Bydefinition,wehaveexaminedscriptsthatareopentobilateralinspection.Itwouldbeasifwewereconsideringacontractabouttheimportationofchickenfromabroad,betweenpartiesfromdifferent countries, that expressly incorporated a foreign languagedictionary,andthendeniedthatdictionary’srelevanceinunderstand-ingtheparties’meaning.Courseofperformanceistypicallyseenasastrongsignalofmeaning:thescriptisyetaclearersignal.Itistheex-pressed performance itself, fixed contemporaneously with agree-ment.(Ifthecodewerenotpublic,aswe’lldiscussbelow,itsrelevancetodiscerningtheparties’agreementwouldbemoreobscure.)
Incentivesprovideafinalreasontoincludecodeinthestack.Iflawyersareonnoticethatthecodehaslegalrelevance,thatitcancre-ateordestroyobligation,orhelpjuriststointerpretthem,theywillbegintopayattention.Thescriptingindustryatthemomentiscov-eredbyfewspecificrules,becauseofuncertaintyaboutthenatureofthe underlying asset type. Private regulation through lawyering—havinglawyersworktounderstandexactlywhatthescriptsaysandinquirehowitmightgowrong—isawaytohelptocivilizethiswildwest.Thatis,bringingthescriptintothecontractstackwillmotivatelawyers tocareaboutcoding,andcoders, andconsequently reducethelikelihoodofpromissoryfraud.227
B. TENSIONSWITHINTHESTACKWhat happens if there are differences in what’s promised be-
tweenelementsofthestack?Allenarguedthatquestionsofintentareparticularlydifficultwheninterpretingcode,astheformallanguagemighthavemeta-logics—internalandintentionallychosengoals(like,forexample,compactness).228Hethus,suggeststhatcourtsmayneedtomodifytraditionalcanonsofinterpretationtothinkabouthowtobestcapturetheparties’meaningwhenworkingthroughlayersofa
227. Somemayworry that lawyerswill seek tocleancodeof commentaryalto-gethertoreduceinterpretativeoverhang.Butitwillbeextremelydifficult,ifnotim-possible,todosowithoutleavinginculpatoryevidentiarytraces. 228. Allen,supranote33,at341.
2020] TRANSACTIONALSCRIPTS 369
stack.229Hegivesnofurtherdetails,andthisnextpartelaboratesontheproblem.
Courtswilloftensaythatinterpretationoughttomakesenseofthe“contractasawhole,”thatis,“theentiredeed,andnotmerelyupondisjointedpartsofit.”230That’sparticularlytruewhenthepartiesex-press their agreements in multiple documents. 231 In determiningmeaningwhen there is ambiguity, extrinsic evidence—that is, any-thingother than the contract itself—is commonly admitted.232Thisleadsusnaturallytoacanonseekingharmonization.
WestartbyreturningtotheICOexample.Atleastuntilrecently,
itwascommonforwhitepaperstomakepromisesaboutgovernanceinICO“smartcontracts,”butneglecttowriteactualscriptscontainingsuchcodedrules.233Inourview,thestackasawholeoughttobereadtobemakingapromise:theabsenceofprotectioninthecodeshouldnotbedispositive.If,forexample,theprojects’foundersweretotakeassetsinviolationofatextualvestingpromise,anactionoughttolieforbreach.That’strueeventhoughaninformedreaderwithanun-derstandingofSoliditywouldhavereadilyobservedthatthetokenscontainednopromises.(Most,infact,wereessentiallytheunmodifiedERC-20code.)Thepointisthatalegallyinformedreadercouldbelievethosepromisestobeenforceablebasedonthewhitepaperalone,andtheirrepetitionwithinthescriptunnecessary.
Conversely,when thenatural languagedisclosuressaynothingabouttheabilitytomodifyrightsdescribedashavingbeencreatedin
229. Id. 230. KNIFFIN,supranote220,§24.21(quotingBlackstone). 231. SeeRESTATEMENT(SECOND)OFCONTS.§202(2)(AM.L.INST.1981)(“[A]llwrit-ingsthatarepartofthesametransactionareinterpretedtogether.”). 232. NotethatNewYorkcourts,likemanyothersinamodernformalisttrend,takeadifferentapproach.See,e.g.,GilbaneBldg.Co./TDXConstr.Corp.v.St.PaulFire&MarineIns.Co.,97N.E.3d711,714(N.Y.2018)(holdingthatextrinsicevidenceregard-ingintentshouldbeadmittedonlywhentheparties’agreementisunclear). 233. Forexample,theMonacoprojectpromisedthatitssupplywouldbecappedinatransactionalscript:“TheMCOsmartcontractwillstopacceptingcommitmentsat888,888ETH hard cap.” MONACO, MONACOWHITEPAPER 8 (2018), https://whitepa-perdatabase.com/wp-content/uploads/2018/03Monaco-MCO-Whitepaper.pdf[https://perma.cc/7GKB-9D2D]. But our audit disclosed no such scripted commit-ment.SeeCohneyetal.,supranote2,app.B.
Canon 2: Where Possible, Interpret the Stack to HarmonizeMeaning.
370 MINNESOTALAWREVIEW [105:319
atoken,butthescriptappearstopermitmodification,wemightcon-clude that the contract stack permits unilateral changes. 234 In thesearchtounderstandwhatthecontractstackpromises,neithercodenorscriptoughttoprevailovertheother,againunlessthepartiesoth-erwiseindicate.Thegoalistodeterminewhatthepartiesintended,expressedinwhateverciphertheychose.Weshouldnotaprioridis-missrightsprovidedincode.
TheTokenStoreproblemoffersanothersettingfortheharmoni-zationprinciple.RecallthatTokenStorehadavestigiallegalwrapinplace:ahandfuloftwitterandmediumposts,makingvaguegesturesabout the exchange’s commitment to being a hands-off-enterprise.Thecodepermittedtradererrors—indeed,itdidnothingtopreventthem. However, the code commentary stated that “we [i.e., Token-Store’soperators]validate thecontentsandthecreatoraddress”ofthe“orders.”
It’s not clear what thewriters of this comment intended it tomean. Inprogrammingcommunities,validatecantakeonanarrowmeaning—someonecanenteran“inputinaformthatisnotexpected,”leadingto“alteredcontrolflow,arbitrarycontrolofaresource,orar-bitrarycodeexecution.”235Butitcanalsotakeonabroadermeaning,i.e., that thecodeproducescommercially reasonable results.236Andperhaps such narrow programming meanings are only relevant incommercialmarkets,sothat“validate”oughttotakeonanordinarymeaning, i.e., “tomake legally valid.” Thiswouldmean that the ex-change bears the risks of obvious errors. Such a readingwould behelpfultoatrader’sactionforrescissionbasedonmistake(whichwillturninpartonwhatthecontractsaysaboutrisk)aswellasthatforordinarybreachofcontract.Inourview,thecorrectapproachagainwouldseektomakesenseofthegestaltproject,treatingthecodeanditsnaturallanguagecommentsasguidestotheparties’jointintent.
234. SeeCohneyetal.,supranote2,at630–34.Ofcourse,acourtcouldfindthat,inlightofanindustry-widepracticeofdescribingrightsas“immutable,”silenceinonelayer of the stack should be interpreted against a commercial backgrounddenyingmodifiability.Id.at615n.114. 235. CWE-20: Improper InputValidation, COMMONWEAKNESSENUMERATION (Sept.19,2019),https://cwe.mitre.org/data/definitions/20.html[https://perma.cc/C3GA-FM6Y]. 236. SeeDataValidation:OSWAPGuide toBuildingSecureWebApplicationsandWeb Services, COMMONOPENWEB APPLICATION SEC. PROJECT (Jan. 5, 2006), https://searchsoftwarequality.techtarget.com/news/1156594/Data-validation-Chapter-12-OWASP-Guide-to-Building-Secure-Web-Applications-and-Web-Services[https://perma.cc/P8GG-VG7F] (“Businessrules [e]nsure thatdata isnotonlyvalidated,butbusinessrulecorrect.”).
2020] TRANSACTIONALSCRIPTS 371
Harmonizationbecomesdifficultwhenpartsofa contract con-flict.237Whenpiecesofadeal counterpose, courts traditionally firstseektoascertaintheparties’principalpurpose,andthentoadvanceitbydecidingoutwhichpiecesofevidencetoprivilege.238Forexam-ple,handwrittentermsprevailovertypewrittenterms,andspeciallytyped provisions control over pre-printed forms. 239 Courts fore-groundthoseprovisionsthattheybelievearebestindicatorsofwhattheparties“really”meant.240
Scriptedexchangewillsometimesalsoposeproblemsofincon-sistent intent.Giventhatpiecesof thestackarewrittenatdifferenttimes, by authors with distinct professional backgrounds, and in-tendedfordifferentreaders,weshouldanticipateconflictsinmean-ing. As a default rule,we’d propose a hierarchy ofmeaning,whichprivilegesnaturallanguagewrappingtextovercodewhentheycon-flict.
Bywrappingtext,wemeantoincludeanytextthatisoutsidethe
codeitself,butwithinthestack.Whensuchtextconflictswithcode,we think the parties’ contract—what they can sue on—most likelyturns on their natural language expression.241 This is a pragmaticchoice.242AswiththeQuoinetribunal,mostjudgesaregoingtohaveanaturalaffinityfortextthattheycanreadwithouttheaidofanexpert
237. Cf.Surden,supranote32,at657(“Aprimaryunresolvedtensionmayoccurinfuturescenarioswherethereisbothawrittenanddata-orientedrepresentationofthesamecontractualexpression,withinterpretationsthatdiffer.”). 238. SeeKNIFFIN,supranote220,§24.20(“Whentheprincipalpurposeofthepar-tiesbecomesclear,furtherinterpretationshouldbeguidedthereby.”). 239. Seegenerallyid.§24.23,at236,251(discussingvariousrulesthatcourtsusetoreconcileconflictingcontractterms). 240. Seeid.§24.9,at59(“Acourt’spurposeinusingextrinsicevidencetointerpretacontractisdiscernmentoftheparties’intentions.”). 241. SeeRohr,supranote33,at85(“[C]ode[thatautomatesalargeragreement]islikelytobeviewedasacomponentofperformancethatonepartywillattempttoproveisnonconforming.”). 242. Foradefenseofasearch-costsbasedtheoryofparolevidenceandotherrulesthatlimit“idiosyncraticunderstandings,”seeJoshuaA.T.Fairfield,TheSearchInterestinContract,92IOWAL.REV.1237,1265–67(2007).
Canon3:Incasesofconflict,privilegenaturallanguagepromisesover coded ones: i.e.,wrapping text, commitmentmessages andcodecommentaryovercode,highlevelcodeoverbytecode.
372 MINNESOTALAWREVIEW [105:319
translator.243Theywillarguethat“noonereadssmartcontracts.”244(Thefactthatnoonereadsregularcontractsisequallytrue,thoughitfeelseasiertoblamethemforit.)245Ofcourse,justlikecontracttext,codecanbe“read,”andoftenresultsfromasimilariterativedraftingprocessasold-fashionedcontracts.
Why,then,privilegeEnglishoverCode?Onereasonsoundsintheclassicworriesaboutopportunismandbadfaiththatdrivesmanyju-dicialtreatmentsofadhesioncontracts.Ifpartiescouldavoidacon-tractualpromisebynegatingitincodethatyouhadnoreasontothinkwould be read,wewould rightlyworry about promissory fraud orotherformsofbait-and-switchbehavior.Thoughtoday,manyusersoftransactional scripts are sophisticated—even to access scripts, youusuallyinstallspecializedsoftwareonyourcomputer—thatmaynotbethecasegoing forward.GiventhatEnglish iseasier toreadthanSolidity and other high-level programming languages, courts willlikelyprivilegenaturallanguagepromiseswherevertheycan.
Butatadeeperlevel,ourintuitionisthatcourtsimaginetheyarelookingforsomethingtheycall“real”intent,whichisreallymorelikewhatthepartiesexpressedabouttheirintenttotheworld.246Justaswithotherformsofcommercialtransactionsdraftedandenteredinstages,discerningrealintentisoftenafool’serrand.247Thatinquiryfalselyimpliesthatthepartiesgavetheproblemsomethought.Whencourtsspeakaboutintent,theyareengaginginahypotheticalandim-aginativeexercise,whichentailssignificantdegreesofanalyticfree-dom.Butimaginativeexercisesmustbeexplainableinpublicjudicial
243. In consumer-facing transactions, courts alsomayworryabout exploitationwhen parties use language that is hard for adherents to understand. See, e.g.,FrostifreshCorp.v.Reynoso,274N.Y.S.2d757,759(N.Y.Dist.Ct.1966)(findingthattheadherentswere“handicapped”bycontracttermswritten“inalanguageforeigntothem”). 244. Cohneyetal.,supranote2,at598. 245. SeeTessWilkinson-Ryan,APsychologicalAccountofConsenttoFinePrint,99IOWAL.REV.1745,1751(2014)(“[O]neofthetruismsofempiricalcontractsresearchisthat‘nobodyreads.’”). 246. SeeRohr,supranote33,at78(discussinghowcourtscanderivetraditionalcontractformationconcepts,likeintent,fromavendingmachinetransaction). 247. SeeDouglasG.Baird&RobertWeisberg,Rules,Standards,andtheBattleoftheForms:AReassessmentof§2-207,68VA.L.REV.1217,1219(1982)(notingthatthelawcannotresolvethebattleoftheformsbyinquiringintotheparties’intent);GRANTGIL-MORE,THEDEATHOFCONTRACT46–47(2ded.1995)(“If...‘theactualstateofthepar-ties’minds’isrelevant,theneachlitigatedcasemustbecomeanextendedfactualin-quiryintowhatwas‘intended,’‘meant,’‘believed’andsoon.”).
2020] TRANSACTIONALSCRIPTS 373
opinions,andthusrelytoadegreeontextthatcanbereadbythewid-est audience, and that is susceptible to the cheapest judicial over-sight.248
Aswe’veshown,codeisirreduciblybuggy,andthenormalwaysthat coders handle error—by iterating better versions—may nottranslatewelltoscriptedexchange.Codesimplyisn’taverystraight-forwardwaytoexpresstheparties’intent.Bycontrast,partieshavehadhundredsofyearsofexperiencecontractinginEnglish(orFrench,orEsperanto,turningonthecourt’sandparties’nativetongue).Un-lessthereisgoodevidencethataparticularlineofcodewasmadesa-lient—forexample, if it isreferredtoby linenumber inthenaturallanguage contract itself—courts should conclude that text trumpscode.249Acombinationofrealismandefficiency,attheendoftheday,willprivilegepubliclyaccessiblemeaning.250
Whetherthetextwrappinglayershoulddisplacecasecommen-taryandcommitlogsisamuchharderproblem.Here,theconcernsaboutpubliclyaccessiblemeaningdropaway,sincecodecommentaryisgenerallywritteninEnglish(oratleastacodingdialectthatcanbegrokked).Theremainingissueiswhethercommentaryintendingtoexplain a cipher is as good evidence ofwhat the exchangewas in-tendedtoaccomplishasthewrappingtext’smorelegalisticframe.
Ontheonehand,thecommitlogsandcommentaryareintegraltothecodeitself,expressedcontemporaneouslywithitsfixationandwiththegoalofrevealingits intent.251It isthe“crownjewel”ofthe
248. Oneanalogyisthecourts’treatmentofdisputesaboutmeaningbasedondif-ferencesintheparties’respectivenativetongues.See,e.g.,FrigalimentImportingCo.v.B.N.S.Int’lSalesCorp.,190F.Supp.116(S.D.N.Y.1960).Insuchcases,thecourtsmayadoptthebroadestandwidest-sharedmeaningavailable. 249. Rohrpoints out that courts thathave analyzedvendingmachine contractsweredrawntomeetingofthemindanalogies,evenwhentheyplainlywereinapt.Rohr,supranote33,at80(“Vendingmachinecasesare...predictiveofthetypesofissuethat...[will]ariseasjudgesattempttoapplyfoundationalcommonlawcontractprin-ciplestosmartcontractsgoingforward.”). 250. Foradifferentdefenseofpubliclyaccessiblemeaning,seegenerallyAaronD.Goldstein,ThePublicMeaningRule:ReconcilingMeaning,Intent,andContractInterpre-tation,53SANTACLARAL.REV.73(2013),whicharguesthatextrinsicevidenceshouldbelimitedtopublicandsharedmeaningtoavoidgamesmanship. 251. SeeDanielaSteidl,BenjaminHummel&Elmar Juergens,QualityAnalysis ofSourceCodeComments,in2013IEEE21STINT’LCONF.ONPROGRAMCOMPREHENSION83,83(“Asignificantamountofsourcecode ...consistsofcomments,whichdocumentthe implementationandhelpdeveloperstounderstandthecode ....Commentsarethesecondmost-useddocumentaryartifactforcodeunderstanding,behindonlythecodeitself.”).
374 MINNESOTALAWREVIEW [105:319
code,layingbareits“innersecrets.”252Codecommentaryandcommitlogsare thus like thedefinitionsectionofanordinarycontract: thevery best evidence of meaning. 253 Consequently, commentary andcommitlogsshouldbeprivilegedoverthecodeitexplains.
That said, somemightworry that code commentary (and, to alesserextent,commitlogs)isintendedtobedisposable254—itmightsignalwhatacoderhopedtoachievebut isnot likely tohavebeenwrittenwithparticularcare.255Forexample,aswediscussedabove,mostopensourcecodetodayisreusedfromscripttoscript.Thus,it’snotnecessarily(orevenusually)thecasethatthecommentarywaswrittenwithasingularproject’sgoalsinmind.Blindlyadoptingsuchcommentary as gospel risks being misled as to what the partieswanted,justas(forexample)adoptingboilerplatecan,overtime,leadpartiestousetermsthateventheydonotunderstand.256
Evenconsideringtheserisks,commentaryandcommitmessagesshouldhavethesameinterpretativeweightasnaturallanguagecon-tractterms.True,theymightnotprovideclearevidenceofpromissoryintent.But the sameobjections canbemadeaboutboilerplate thattravelsfromdealtodeal.Moreover,thoughit’struethatsomecoderstreat commentary and logs as disposable, well-counseled projects,
252. JeffreyD.Sullivan&ThomasM.Morrow,PracticingReverseEngineeringinanEraofGrowingConstraintsUndertheDigitalMillenniumCopyrightActandOtherProvi-sions,14ALB.L.J.SCI.&TECH.1,17(2003)(“Reverseengineeringdoesnotlaybareaprogram’s inner secrets. Indeed, itcannot. The inner secretsof aprogram, the realcrown jewels,areembodied in thehigher levelsofabstractionmaterialsuchas thesourcecodecommentaryandthespecification.”). 253. Theremaybeexampleswherecodersmakeanexplicitattempttosynthesizethesemanticcontractwithinthecode.See,e.g.,LEXON,http://demo.lexon.tech/apps/editor [https://perma.cc/DY2R-4X4D] (embedding human readable semantic con-tractwithincompliablecodethatexportstoSolidity). 254. Andrew Johnson-Laird,SoftwareReverseEngineering in theRealWorld, 19DAYTONL.REV.843,857(1994)(“[Sourcecodecommentary]istheequivalentofmar-ginalannotationsandisintendedtoassisttheoriginalprogrammerorthosethatfol-lowinunderstandingwhytheprogramwascraftedinaparticularway,ortoexplainaparticularlycomplexflowoflogic.Therearenorestrictionsonwhatmustormustnotbewrittenincomments,but inevitablytheyaretherepositoryofall theknowledgethattheprogrammerhasinhisorherheadasthecodeisbeingcreated.Onealsofre-quentlyseesacertainirreverenceinthecommentarywhichisaby-productoftheex-uberanceofprogrammersandisbestnottakentooseriously....”). 255. Cf.Haqueetal., supranote52,at58(“Another [developer]mayconstantlycontributeahighvolumeoflinesoveralongperiodoftime,butstillbeafunctionarywhoseworkiswhollynon-essentialandcouldeasilybereplacedbyothers.”). 256. SeegenerallyStephen J.Choi,MituGulati&RobertE.Scott,TheBlackHoleProblem in Commercial Boilerplate, 67 DUKEL.J. 1, 2 (2017) (describing pari passuclausesas“astandardprovisioninsovereigndebtcontractsthatalmostnooneseemstounderstand”).
2020] TRANSACTIONALSCRIPTS 375
knowing the rule thatwepropose,wouldbewell-positioned toex-pandoncommentarybeforedeployingascript,andimposedisciplineovercommitsthataremergedintotheproject.Theresultcouldbean-otheropportunitytosurfaceandcorrectbugs,whilealigningthepar-ties’expectationswithwhattheyreceive.And,ofcourse,thisisjustadefaultrule:thepartiesmayexpressadifferentrulebycontractingforit.257 Finally,wethinkthatthesourcecodegenerallyisabettersourceofmeaningthanthecompiledbytecode.That’ssobecausethesourcecodeis,inbroadstrokes,readablebyhumanswiththeexerciseofrea-sonableeffort,meaningthatallpartiestoatransactioncangainsomeinsightas towhat they’veagreed.Thealternative,whichholds thatbytecodeisthe“real”contract,seemslikelytoleadtoembarrassingresults.Forexample,considerthis“onlineuseragreement”thatalawstudentconfronted:
257. Cf.Surden,supranote32,at652(“A‘data-meaningthresholdagreement’pro-videsspecificinterpretations[forcomputablecontracts].”).
376 MINNESOTALAWREVIEW [105:319
Figure5258This is not bytecode, but rather an erroneous encoding of the
bytesintotheglyphsthatrepresentthem.Obviously,clickingontheagree box wouldn’t bind anyone—the gibberish communicates nomeaningful information to humans (even if some computer, some-where,couldmakesenseofit).Bytecodeislikewiseattheverybot-tomofourinterpretativehierarchy,asdecodingitrequirestheexer-tion of effort and expertise likely beyond the capacity of thecontractingparties.
These interpretive principles ought to giveway depending oncontext. Thus,we imagine that ephemeral contractual promises—a
258. Samuel P. Morse (@SamuelPMorse), TWITTER (Sept. 13, 2019, 8:10 AM),https://twitter.com/SamuelPMorse/status/1172497664799363075 [https://perma.cc/3KZ2-TY4F].
2020] TRANSACTIONALSCRIPTS 377
straytweetbyaprojectmanagerpromisingaparticularoutcomeofthe script—would likelynotdisplace awell-curatedGitHub reposi-tory.Or,apieceofcodecommentarythatmakesajoke.Here,again,ourargumentrestsonapragmaticjudgmentastowhatcourtswilldo,which in turn relates to the parties’ reasonable, commercially-in-formedexpectations.259Themorepermanent,consideredandreliabletheevidenceofapromise—themore,inotherwords,itwouldberea-sonabletorelyuponit—themoreacourtislikelytoconsideritareli-ablebasisofthebargain.
Finally, consider a problem of interpretation that has no easynon-scriptedanalogue.Whatiftheprogrammers’intentisinternallycontradictoryandisrecordedassuch?Ofcourse,courtswilloftensaythataparty’sprivatemeaningoughttobediscountedwhenascertain-ingthesharedintentofthetransaction.Thus,simplybecauseonelaw-yeronateamthoughtthat“black”means“white”doesn’tmeanthatthetermtakesonthatmeaning,unlessthatlawyercommunicatedhermeaningtotheothersideinawaythatseemedauthoritative.260Thisiswhysomehavearguedthatvisiblemetadataoughttobearonmean-ing.261
Evidenceofinconsistentdrafterintentinthetransactionalscriptcontextisdifferent.Giventheuseofversioncontrolsystems,boththeexpressionofcodeandtheidentityofwhowroteeachlineofhuman-readablecodemaybeknowableatthemomentthecounterpartyin-spectstheterms,andcertainlyatthemomentofformation.Soisthecommentary.Becausethecodeispublic,allpartiescanseethecon-flictingevidenceofmeaningatthemomentthecontractisentered:itisliketheparties’finalexecuteddocumentincludedvisibleredlinedchanges.262Thus, a partymight encounter a piece of code that hasmultiple drafterswho appear to be communicating different goals.Whattodointhisscenario?
259. MURRAY,supranote185,§4.12(discussingtheroleofreasonableinterpreta-tionsindeterminingmeaning). 260. SeeCendantCorp.v.CommonwealthGen.Corp.,No.98C-10-034HLA,2002WL31112430,at*6(Del.Super.Ct.Aug.28,2002)(holdingthatacontract’s“MaterialAdverseChange”createdanissueofmaterialfactbecauseeachpartyhadplausible,butdifferent,interpretationsoftheclause). 261. See, e.g.,ThomasH.White,ParolMetadata:NewBoilerplateMergerClausesandtheAdmissibilityofMetadataUnder theParolEvidenceRule,4CASEW.RSRV.J.L.TECH.&INTERNET237,267(2012)(“Ifthemetadataisvisibleonthefinalversionofthecontract,thisshouldbeconclusiveweightinfavorofitsadmissibility[undertheparolevidencerule].”). 262. Foranargumentthatnon-resolvedtrackedchangesoughttobeincludedaspart of the integrated document, see Elizabeth A. Janicki,Contracts as Speech Acts:BringingJakobsontotheConversation,107GEO.L.J.201,218n.113(2018).
378 MINNESOTALAWREVIEW [105:319
Thesimplestanswer—harmonizationwiththerestoftheagree-mentandwiththesocialcontext—isprobablybest.Butitsapplicationissubtleandrootedinthesociologyoftheoperativecodingcommu-nity.Weoughttoprefer(andrenderoperative)themeaningsofcod-erswhoadvancethelargeragendaoftheproject,totheextentitcanbereconstructed.263Failingthat,weshouldpreferlaterintimetoear-lierintimepiecesofcode,andcodewhichhewscloselytothecom-mentarythatsurroundsit.Thesematchthebackgroundrulesofcon-tractinterpretation,whichgenerallyseektofindandgiveprioritytothebestavailableevidenceof theparties’expressedand integratedintent.
Overall, this interpretative hierarchy, which promotes super-visedcodingandlast-in-timesyntax,arisesoutofthesameintuitionsthatgeneratetheparolevidencerule.RecallCorbin’sfamous,thoughnotuniversallyaccepted, rationale for therule.264Itwasnot,hear-gued, primarily about controlling self-serving frauds by excludingconvenientex-post evidenceofmeaning.265Rather, the rulewas in-tended to give priority to the parties’ fixed agreement: to discardthoseearlieragreements,negotiationsandunderstandingswhichhadnotmadeitintothefinalandbindingcontract.266Onthequestionofwhethertheparties intendedaparticularexpressiontobethefinalexpression, “no relevant evidence, [] parol or otherwise, is ex-cluded.”267Butevenifadmitted,courtscouldclearlyweighsuchevi-denceandfindthat“themorebizarreandunusualanassertedinter-pretationis,themoreconvincingmustbethetestimonythatsupportsit.”268
263. SeeHunn,supranote31,at281(“[I]ncreasingattentionisgiventoarchitect-ingsmart legalcontracts ‘ina languagethat isbothhuman-intelligibleandmachinereadable,whose text incorporatesanalgorithmwhichautomatessomeorallof theperformanceoftheagreement.’”(quotingJ.G.Allen,WrappedandStacked:‘SmartCon-tracts’andtheInteractionofNaturalandFormalLanguage,14EUR.REV.CONT.L.307,313(2018)). 264. SeegenerallyArthurL.Corbin,TheInterpretationofWordsandtheParolEvi-denceRule,50CORNELLL.Q.161,189(1965)(“[A]ntecedentagreements ...areren-deredinoperative[evidence]byhavingbeendischargedbyasubsequentagreementthathasbeendulyprovedandinterpreted.”). 265. See PETERLINZER, CORBINONCONTRACTS:PAROLEVIDENCEAND IMPLIEDTERMS§25.2,at6(rev.ed.2010)(“[Corbin’s]statementofthe[parolevidence]...hadnoth-ingtodowiththereliabilityoforalorwrittenevidenceofintent;ithadtodoonlywithwhatthepartiesactuallywantedtobethefinalwordoftheiragreement.”). 266. Id. 267. Id.at9.ButseeKlass,supranote213(describingsometheorists’viewthatintegrationalsocontrolsinterpretationevidence). 268. LINZER,supranote265,§25.4,at32.
2020] TRANSACTIONALSCRIPTS 379
Onthisunderstanding,ifatransactionalscript’spromotersseemtoadvancemultiplepotentialpurposesatoddswithoneanother,acourtoughttoidentifythosetermsthatbestmatchthereasonableex-pectationsofthepartiesatthemomentthatthecounterpartycommit-tedtotheparticularexchange.Theexistenceofpriorconflictingtermswould still bepotentially relevant, but theyought to bede-empha-sized.
Inapplyingthiscanon,considertheSynthetixexamplediscussedabove.Onepartydeployedabotthattookadvantageofacorruptedthird-partyoracletoexecuteatradewhichwouldhavegarnereditpo-tentiallyabilliondollarsinprofit.Presumablybecausethatamountwould have been uncollectable, the hacker settled for some undis-closedbugbounty,paidoff-chain.Neitherpartytestedwhatcontractlawwouldhavehadtosay.Butwecanspeculatesomewhatastoitscontents.
Canon1remindsustotakeupall thesourcesofmeaning.A li-cense, deployed by Synthetix, disclaimed all warranties as to theCode’s correctness. But its commentary promised that the quoteswerethe“currentmarketvalue.”Thus,ifacourtweretoaskifthepar-tiesintendedthisresult,theanswerwouldturn,wethink,onthehier-archyinCanon3.Inourview,asbetweentwokindsofwrappingnat-urallanguage,thecommentarytothecodeoughttotakeprecedenceovertheambiguouslicense,meaningthatSynthetixwouldhaveadif-ficulttimearguingthatwhatevertheoracledeliveredwas,forthepar-ties’purposes,actionable“marketvalues.”Attheveryleast,Synthetixshouldhavebornaheavyburdenofprovinganalternative.269Thus,Synthetix,whichpresumablywouldhave arguedmistake, probablyfairlybearstheburdenofathird-partydatasourcerisk.
Wehavesuggestedasetofdefaultrulesforinterpretingscripts.
Butwhatifthepartieswanttovarysuchrulesbyagreement:shouldwe give these scripted integration clauses force? 270 Offline, courts
269. The casewould have been differentwith an appropriate disclaimer in thetermsofuse,whichwehavenotyetfound. 270. SeeKlass,supranote213,at466–71(discussingwhenintegrationclausesarelegallyenforceable).SeegenerallyGregoryKlass,IntenttoContract,95VA.L.REV.1437,1442–43(2009)(discussingthelegalrelevanceofparties’intentwithrespecttolegalenforcement).
Canon4:WhereNaturalLanguageContractsRefertoCode,Inte-grationClausesShouldBeReadNarrowly.
380 MINNESOTALAWREVIEW [105:319
havegenerallypermittedintegrationclausestocontrolwhichpiecesofpriororcontemporaneouscontractingareincludedwithintheliti-gateddeal, at least between sophisticated firms.271But courts havesometimesbeendubiousaboutattemptstointegratefuzzystacksandtolimitevidenceofmeaningthatappearsotherwiserelevant.272
Aproblemhereisthatsophisticatedprojectswillusuallydirectlyrefer to the script in thenatural language terms and conditions. Insuchcases,wethinkitisimpossibletoexcludethescriptentirely—inotherwords,wedon’tthinkthatscriptcanbebothpointedatandalsotreatedasextrinsicevidence.Thatwouldbemuchlikesayingthatanaddendumtoacontract,whichcontainsakeydescriptionoftherele-vantsubjectmatter,isnotapartofthedeal.
Whatpartiesmightdoistotrytousethenaturallanguagecon-tract todeterminemeaning.Natural language termsandconditionswouldstatethattheonlyoperativepromisesarethosefoundinthenaturallanguageitself,andthatpartiesshouldnotreadthecommen-taryinthescripttomakeadditionalorcontradictorypromisesaboutwhatitaccomplishes.Thiswouldnotdenythatthecodeisapartofthebargain,butratherwouldattemptto limitwhatcanbeinferredfromthenaturallanguagetextitcontains.Or,theconverse:thatis,thenaturallanguagemaydenyitsownefficacyandprivilegecode.
Thechoiceofwhethertodefertosuchattemptstocontrolmean-ingturnsonwhetherthecourtgenerallyadoptsamorecontextualormore formalist approach to interpretation.273Contextualism,whichdiscouragesopportunisticdraftingandthusprotectsconsumers,has
271. SeeKlass,supranote213,at475–78(arguingfora“hardexpressintegrationruleforfirm-to-firmnegotiatedcontracts”). 272. Cf. LINZER, supra note 265, § 25.7, at 61 (“[T]he essence of integration iswhethertheyintendedadocumenttobethefinalword,andevidenceofthisintentionshouldbefoundfromallsources,notjustthewordsofthecontract.”). 273. CompareWellsFargoBank,N.A.v.CherrylandMallLtd.P’ship,812N.W.2d799,810(Mich.Ct.App.2011)(admittingusageoftradenotwithstandingcontractualclausestatingthat“notradepractices...shallbeusedtocontradict,vary,supplementormodifyanytermofthisguarantyagreement”),withS.ConcreteServs.,Inc.v.Mable-tonContractors,Inc.,407F.Supp.581,584(N.D.Ga.1975)(“Thecourtrecognizesthatallambiguityastotheapplicabilityof tradeusagecouldbeeliminatedbyablanketconditionthattheexpresstermsofthecontractareinnowaytobemodifiedbycus-tom,usage,orpriordealings.”).SeegenerallyJoshuaM.Silverstein,ContractInterpre-tationEnforcementCosts:AnEmpiricalStudyofTextualismVersusContextualismCon-ductedviatheWestKeyNumberSystem,47HOFSTRAL.REV.1011(2019)(providinganempiricalstudyofjudicialandacademicdebateovertextualismandcontextualismincontractinterpretation);LisaBernstein,CustomintheCourts,110NW.U.L.REV.63,71(2015)(“Theenforceabilityandeffectivenessofageneralclauseoptingoutofalltradeusagesisatbestunclear.”).
2020] TRANSACTIONALSCRIPTS 381
muchtocommenditinmarketswheresharpdealingismorepreva-lent.274Fraudhasdefinedmanyblockchainproducts todate,ashasincoherenttransactionallawyering.Thisisnotaspaceproducingfor-malism’sbestfactualpredicates.
To the extent these issues seem fanciful, consider the DAOhack.275TheDAOwasatoken-mediatedplatformthatallowedsmallinvestors toenter jointly intoaventurecapitalpool.276Theentity’s“terms,”apartfromdisclaimingvariouslegalrights,statedthat“[t]he“useofTheDAO’ssmartcontractcode...carriessignificantfinancialrisk, including using experimental software.” 277 However, it alsostated:
274. SeeSilverstein,supranote273,at1018(notingthatcontextualistcourtscon-siderbothanagreement’slanguageandextrinsicevidencetodetermineambiguity). 275. SeeHaqueet al., supra at52, at39–45 (providinganoverviewof theDAOhack);seealsoLailaMetjahic,DeconstructingtheDAO:TheNeedforLegalRecognitionand theApplicationofSecuritiesLaws toDecentralizedOrganizations,39CARDOZOL.REV.1533,1536(2018)(analyzingthecorporatelegaltheoriesunderwhichthecrea-torsofTheDAOmightbeheldliableforthe2016hack). 276. Cf. Vitalik Buterin,Bootstrapping a Decentralized Autonomous Corporation:Part I, BITCOIN MAG. (Sept. 20, 2013), https://bitcoinmagazine.com/articles/bootstrapping-a-decentralized-autonomous-corporation-part-i-1379644274[https://perma.cc/6FNC-93QV]. 277. Terms: Explanation of TermsandDisclaimer,DAOHUB, https://daohub.org/explainer.html[https://web.archive.org/web/20160704190119/https://daohub.org/explainer.html].
Figure6:TheDAO’sTerms
382 MINNESOTALAWREVIEW [105:319
The code repository containedanevenmore incoherent setof
disclaimers, includingareadmefilethatclaimedusingthesoftware“doesnot,inandofitself,createalegallybindingcontract,”andthat“inorderforyoutoformalegallybindingcontract...youshallseeklegal advice from an appropriately qualified and experienced law-yer....”278Thissetofdisclaimersappearstobeanattempttoshieldtheentityfromliabilitybyatonceembracingandrejectingcontractlaw.279
Afterusershadcontributedfunds,butbeforetheDAO’sownin-vestmentshadbegun, someonenoticeda flaw in its codewhichal-lowedsiphoningof$55million(ofaround$170milliontotalassets)outofthepool.Ethereum’sthendeveloperspromulgatedaproposedsoftwareupdate to the entireblockchain—ahard fork—whichwasadoptedbysome,butnotall,holdersoftheoriginaltokens.280
TheDAO’screatorshadsomewarningofthevulnerability.281Be-forethehack,acommentatorpostedaboutthevulnerability(titled,“Protect against recursive withdrawRewardFor attack”) and sug-gestedaseeminglyeasychange(reversingtheorderingoftwolinesofcode)whichwouldcloseit.282TheDAOmadethechange,reassuring
278. StephanTual,Postingto/blockchainsllc/DAO:UpdatedReadme,GITHUB(Apr.11,2016),https://github.com/slockit/DAO/commit/aceec3efcc8afd4277396ebc42628f2e5ca8dff2#diff-04c6e90faac2675aa89e2176d2eec7d8 [https://perma.cc/5HHY-5W4V]. 279. Foratrenchantanalysisoftheseissues,seeDrewHinkes,ALegalAnalysisoftheDAOExploit andPossible InvestorRights, BITCOINMAG. (June21, 2016), https://bitcoinmagazine.com/articles/a-legal-analysis-of-the-dao-exploit-and-possible-investor-rights-1466524659[https://perma.cc/XJK6-TCKB]. 280. Reyes, supranote30,at388; seeTheEthereumClassicDeclarationof Inde-pendence, ETHEREUM CLASSIC, https://ethereumclassic.org/ETC_Declaration_of_Independence.pdf[https://perma.cc/F6D5-7FSR](lastupdatedJuly2019)(declaringtheholders’ intentto“continuetheoriginalEthereumblockchain”anddecryingthehardforkasaviolationoftheblockchain’s“coretenets”). 281. See, e.g., Matthew Leising, The Ether Thief, BLOOMBERG (June 13, 2017),https://www.bloomberg.com/features/2017-the-ether-thief[https://perma.cc/N8RJ-F7RE] (“Gün ... had already been tracking and publicizing flaws in the DAO’s de-sign....[He]appearstobethefirsttopinpointtheflawthatputthemoneyinjeop-ardy.”). 282. LefterisJP, Posting tobloackhainsllc/DAO, GITHUB (June 12, 2016), https://github.com/slockit/DAO/commit/f01f3bd8df5e1e222dde625118b7e0f2bfe5b680?diff=split[https://perma.cc/87ZY-FD5V].
2020] TRANSACTIONALSCRIPTS 383
usersthat,“Theimportanttakeawayfromthisis...thisisNOTanis-suethatisputtinganyDAOfundsatrisktoday.”283Theupdatedver-sionwascalledTheDAO1.1“milestone.”Inthecode,thein-linecom-ment preceding the new revision on line 580 stated its explicitpurpose:
//wearesettingthisherebeforetheCALL()valuetransferto//assurethatinthecaseofamaliciousrecipientcontracttrying//tocallexecuteProposal()recursivelymoneycan’tbetransferred//multipletimesoutoftheDAO284
Assurancenotwithstanding,someonethenexecutedthefamoushack—inpart becauseTheDAO’s fixwas incomplete—transferringmoneymultipletimesoutofTheDAO.
Thus,hereweagainhaveastackofmeaningaboutwhatthepar-ties to the contract—The DAO’s creators and its investors—ex-pected.285But therelevantdocumentsarecontradictory.Theactualcodedidnotaccomplishwhatthecommentorwhitepaperpromised,afactthatsoonbecameobvioustoall.Moreover,theorganizersofTheDAOhadspecificallytoldusersthatthecodegoverned,evenastheydisclaimedthe legalenforceability inthecode itself.286Let’susethecanonstoofferasolutiontotheprivatelawcontractingproblemsthattheDAOoccasioned.
AsCanon1instructs,weoughttoconsideralltherelevantpiecesasevidenceofmeaning,andofwhatwaspromised.Thecode,termsandconditionsandreadmefilesareallapartofthestack.
Canon2suggeststhattheDAO’scounterpartiesreasonablycouldhavebelieved that theywouldnot face theriskof recursivemoney
283. StephanTual,NoDAOFundsatRiskFollowingtheEthereumSmartContract‘RecursiveCall’BugDiscovery,SLOCK.ITBLOG(June12,2016),https://blog.slock.it/no-dao-funds-at-risk-following-the-ethereum-smart-contract-recursive-call-bug-discovery-29f482d348b[https://perma.cc/2P4D-5QGB]. 284. LefterisJP, supra note 282, at line 580, https://github.com/slockit/DAO/blob/d48ee5c49f9dc3b9548623aa6985cbc3c9528b67/DAO.sol#L580[https://perma.cc/9KTB-7KWJ]. 285. SeeTanayaMacheel,TheDAOMightBeGroundbreaking,butIsItLegal?,AM.BANKER (May19,2016,3:12PM),https://www.americanbanker.com/news/the-dao-might-be-groundbreaking-but-is-it-legal [https://perma.cc/98RV-C7SB] (narratingStephanTual’sstatement,aprimaryorganizer,that“[n]oonebenefitsfromitexceptthepeoplethatsupportit.Evenwe,theoneswhoinventedit,getnothing”). 286. SeegenerallyKolber,supranote25,at221(“Note:Althoughtheword‘con-tract’isusedinTheDAO’scode,thetermisaprogrammingconventionandisnotbeingusedasalegaltermofart.”).
384 MINNESOTALAWREVIEW [105:319
transfer.287 That promise, embodied in amarketing announcementandinthecodecommentsitself,is,itistrue,absentintheoperationalcode.It’sasifadoorwhichcontainedonitsfrontfaceasignstating“PrivateProperty:LockedDoor”wasfreelyopenablewithakeyhang-ingnearby.Ifsomeoneweretohavebeenharmedbyrelyingonthatsetofstatements,whensuinginfraudortorttheywouldfaceques-tions abouthowreasonable theirprecautionshadbeen.288But in acontractlawsuit,Canon3teachesthatcodeshouldbowtocommentsandcommitlogsinawaythatbestembodieswhattheprogrammersintendedtoaccomplishandthereforetowhattheyoughttobeheld.289Canon4tellsustodiscounttheattemptsatnon-integrationas,atbest,confused.
WethusdisagreewithTheDAO’sattacker,whoarguedthattheforkviolateditsrightsbecausethoseactionswereliterallypermittedbythecode.290Yes,codedraftersoughttobeartheinterpretativeriskof error.291 But the non-drafting counterparties whose funds weretakencouldnotreasonablybeexpectedtoknowthatthecodehadthatbug,giventhecommentarypromisingtheoppositeresult.Hadtheynotreceivedtheirmoneyback,TheDAO’sinvestorsshouldhavebeen
287. SeeRohr,supranote33,at89(notinganalogiestovendingmachinecasestofindthat“theagreementincludesonlythosetermsthatwerereasonablyavailabletoDAOTokenholderspriortopurchase”and impliedlyconcludingthat thiswould in-cludetheTermsofUsebutnotthepermissivecode). 288. One problemwe leave to futurework is the relationship between puttingstatementsinsidethecontractualstackandthetort-contractlineinlitigation. 289. Thus,werejecttheideathattheonlyoperativepromisesarethosewrittenincode.Cf.LawrenceLessig,CodeIsLaw:OnLibertyinCyberspace,HARV.MAG.,Jan.–Feb.2000, https://harvardmagazine.com/2000/01/code-is-law-html [https://perma.cc/59LX-BRU5](notingthatcodeimplementsvaluesandthatcodersdecidehowcyber-spaceregulates). 290. A Guest, An Open Letter, PASTEBIN (June 18, 2016), https://pastebin.com/CcGUBgDG[https://perma.cc/Y739-MR8R](claimingthatthefork“wouldamounttoseizureofmylegitimateandrightfulether,claimedlegallythroughthetermsofasmartcontract”). 291. In this context, perhaps all participants, including investors and program-mers,couldbeconsideredsimplypartners.SeeStephenPalley,HowtoSueaDecentral-ized Autonomous Organization, COINDESK (Mar. 20, 2016, 3:17 PM), http://www.coindesk.com/how-to-sue-a-decentralized-autonomous-organization[https://perma.cc/B8L6-M7RM] (“A DAO is an organization that’s self-governing and thatisn’tinfluencedbyoutsideforces....DAOsareformedbygroupsoflike-mindedindi-viduals....”).Inthatevent,agencylawwouldpresumablyaddcomplexitytotheinter-pretativedefaults.
2020] TRANSACTIONALSCRIPTS 385
abletobringanactionforbreachagainstitsdevelopers,oreven,per-haps,againsttheattackerifitsactionamountedtoparticipatinginthenexusofcontractsthatTheDAOhadproposed.292
C. RECAPITULATINGTHECANONS:QUOINEANDNON-PUBLICSCRIPTSWehaveconfinedouranalysistothedefinitionoftransactional
scriptsweofferedintheintroduction.Suchscriptspresentarelativelytractablesetofproblemsforcontractjurists.Becausethescriptsarepublic,andparticipantstypicallyareknowinglyparticipatinginaspe-cializedformofcommerce,thesortsofconcernswemighthaveaboutknowledge,opportunism,andblack-boxcontractsare,byandlarge,muted.293
Howtoapplythecanonswhenpartiesarenotsophisticatedandcannoteasilyparsethecodeatthemomentoftheexchange,presentsadistinctanddifficultsetofquestions.IntheQuoinecase,forexample,itisnotobviousthateithersidehadeasyaccesstoeachother’scode.Wherepartiescannotaccesscode,itcan’tcommunicatemeaning,nomatterhowwelldrafteditscommentary.Thus,itcan’tbepartofthestackthatcomprisedthegristforthebargain.
Butwhathappenswhennon-programmingpartiescanaccessthecodebutthereisnosocialexpectationthatitexpressestheintenttocontract:thatis,whatabout“smartcontracts”withtransparentcode,butinvolvingordinaryconsumerswhomightnotevenbeawarethattheir contract’s execution occurs automatically?When natural lan-guagepromisesconflictswithcodedrules,shouldwereadthemto-gether?OnepossibilityisthatCanon3,whichtreatsnaturallanguagedescribingandcommentingoncodeasonthesamelevelascontracttermsthemselves,mightneedrecalibration.Oritmightnot.Becauseordinarycontracttermsthemselvesaretypicallyunread,moreworkisnecessarytoconsiderwhichsortsofburiedtermscountinmakingbargains.Weleavetheseproblemstofutureresearch.
292. SeeSEC.&EXCH.COMM’N,EXCHANGEACTRELEASENO.81207,REPORTOFINVESTI-GATIONPURSUANTTOSECTION21(A)OFTHESECURITIESEXCHANGEACTOF1934:THEDAO1,7–8 (2017), https://www.sec.gov/litigation/investreport/34-81207.pdf [https://perma.cc/Q4HV-SZXE](suggestingthatDAOcuratorsfacedpotentialliability);seealsoHinkes,supranote279(arguingthatinvestorscouldpotentiallybringclaimsagainstotherinvestorsandDAOcurators). 293. SeeGregoryKlass,HowtoInterpretaVendingMachine:SmartsContractsandContractLaw(unpublishedmanuscript)(onfilewithauthor),foranin-depthdiscus-sionoftheseissues.
386 MINNESOTALAWREVIEW [105:319
IV.THEFUTUREOFTHECONTRACTSTACKTo date, transactional scripts haven’t delivered revolutionary
changetoeithertheworldoroursmall,legal,cornerofit.Inthebigpicture,theecosystemismarginal:billionsofdollarsofinvestmentinatrillion-dollarworldeconomy.Andyettheintellectualfootingsofthescript project are expanding at an astounding rate. Everyday, newprojects(likeFacebook’sLibra,orJPMorgan’sfiatcoin)launchwithscripted roots, and the technical community gains experience andcompetencewitheachfailure.Wesimplyhavenoideawhatthefutureofcodedexchangewilllooklike.294
Therelationshipbetweenthisburgeoning,butstillhighlyspecu-lative, ecosystem and law are typically described as antagonistic.Thus,fornotedcommentatorNickSzabo,theprimaryvirtueof“smartcontracts” is that they ostensibly don’t need law. 295 For others,scripteddeals“willsubjecttheprovisionof justicetomarketforcesandbreakthestate’smonopolyoverthecourtsystem.”296Thisisanideologicalcalltoarmsagainstthecivilizingandconstrainingrolethatcontractjuristshavetraditionallyhadincommerciallife.
Ourapproachisdifferent.First,unlikesomeskeptics,whothinkthattransactionalscriptsaretoyswithnorealusecases,webelievethat they are a potentially valuable new contracting technology. Itmightbethatscriptswillreduceback-endtransactionalcostsbyre-ducingtheneedfortransactionallawyering.297Incertainsettings,the
294. SeegenerallyAllen,supranote33,at322(warningagainst tooheavilydis-countingthelikelihoodofsuccessfuldeploymentoflegalcontractsincode). 295. See, e.g., Nick Szabo (@NickSzabo4), TWITTER (Oct. 14, 2018, 5:51 PM),https://twitter.com/NickSzabo4/status/1051606530108190720[https://perma.cc/N5JY-YVED](“Worryingaboutwhetherasmartcontractis‘legallyenforceable’re-flectsaprofoundmisunderstanding.ThemainrelationofsmartKstotraditionalcourtsisthatsmartKscontrolburdenoflawsuit.”);seealsoCleanApp,Why’sSzaboAfraidof“SmartContract”Critiques?,MEDIUM(Oct.16,2018),https://medium.com/cryptolaw-review/whys-szabo-afraid-of-smart-contract-critiques-669ef9e63fc0 [https://perma.cc/75CG-5NA3](statementofNickSzabo)(“Thepartiescaniftheychoosewriteatra-ditionalKtobackstopasmartK,althoughinmanysituationswhereasmartcontractisusefultheexercisewouldbepointless....”). 296. Raskin,supranote27,at335. 297. SeeSklaroff,supranote19,at275–77(notingthattransactionalscriptscanreduceaccounting,duediligence,monitoring,andenforcementcosts);seealsoWer-bach&Cornell,supranote26,at322,348(notingtheabilityoftransactionalscriptstoautomaticallyverify,facilitate,andremedy).
2020] TRANSACTIONALSCRIPTS 387
benefitsfromcuttingenforcementcostswillbeworththecostsofup-front specification.298 By reducingmonitoring costs on themargin,transactionalscriptsmaymakeitmorelikelyforpartiestoenterintotheexchange.Similarly,inregimeswhereinstitutionaltrustisatana-dir and centralized trading repositories are unreliable, scripts canprovidesignificantvalue.299
Andyet,thisvaluewillhavenaturallimits,definedbyatradeoffbetween the value of trustless computing and the added costs im-posedbythecomplexitytax,whosescopewearethefirsttomakecon-crete.Mostsolutionstothecomplexitytaxrequireeithertheinterme-diation of third parties or consensus protocols running across asmallersetofvalidators.300Thus,atleastfornow,complexorganiza-tionalsolutionswillremainwithin“real”contracts,whileparticular,discrete,computableaspectscanbeputonpublicblockchains.Thisconclusion fitswellwith themost sophisticatedguidance currentlyavailable.301
Thefutureofscriptsisthusabouthybrids,wherecodeandnatu-ral language must work together. At the bottom, legal scholarshipaboutcomputablecontractssimplyhasn’tfullygrappledwiththeir-reduciblybuggynatureofcoding.Errorsincodedexchangewillresultintheparties’outcomesstubbornlyfailingtomatchtheirgoals.Inourview,thepersistenceoferror,andthehazardsofdeterminingintent,makes recourse to third-party decisionmakers inevitable. Transac-tionalscriptsarenot,andwillnotbe,self-executing,atleastnotallthetime.Atthatpoint,suchdecisionmakerswillbewell-advisedtolookattraditionalcontractprinciplestohelpresolvedisputes.
298. Cf.Sklaroff,supranote19,at283–84(“Agreementsthateffectivelyspecifyrel-evantcommercialcontextare...easiertoresolveonsummaryjudgement,reducingincentivestolitigate.”). 299. See generally EricTjongTjinTai,ForceMajeure andExcuses in Smart Con-tracts,26EUR.REV.PRIV.L.787,787(2018)(notingthatthemainadvantageofsmartcontractsisguaranteedperformanceduetotheabsenceofhumanandlegalinterven-tion). 300. Other partial solutions to the complexity tax involvemore exotic forms ofcryptographicproofs(suchasProof-of-Retrievabilityforstorage)thatcanreducere-dundancyandthuscosts.See,e.g.,AndrewMiller,AriJuels,ElaineShi,BryanParno&JonathanKatz,Permacoin:RepurposingBitcoinWorkforDataPreservation,2014IEEESYMP.ONSEC.&PRIV.(proposingamodificationtoBitcointhatrepurposesitsminingresourcestodistributestorageofarchivaldata).Theultimateefficacyandcommercialadoptionofsuchschemesremainsanopenquestion. 301. Cf. INT’L SWAPS&DERIVATIVESASS’N, supra note 204 (providing “high-levelguidanceonthe legaldocumentationandframeworkthatcurrentlygovernsderiva-tivestrading”).
388 MINNESOTALAWREVIEW [105:319
Ourapproachwouldbringscriptswithinthetraditionalworldofcontractlawthroughaconstitutivelegalact:thecompilationofacon-tractstack.Thissolutionisnotmerelyusefulforthecurrentformoftransactionalscript.Ithasrelevanceforothersortsofdigitalandal-gorithmiccontracting,whethernowcontemplatedoryettobeimag-ined.Codecancommunicateexecutoryintenttocontractandcanthusbethegristforlegalanalysis.But,becauseitisimperfect,code-medi-ated transactionswilloften fail toachievewhat theirpromisors in-tend,evenastheyaresurroundedbycommunicationsin“real” lan-guages,intendedtobereliedonbyrealpeople.Insuchcases,lawwillconfront—andmustsurmount—twotemptations:ignoringthecodealtogetherasamereinstrumentofperformanceorenforcingitasanexculpatoryclausewrittenincipheredtext.
Weargueforanalternativeapproach,whichfirst,claimstransac-tionalcode,commentary,andlogsasapartofthecontractualstack,capableofexpressingmeaningabout theparties’ intent.We’vealsodefinedahierarchyofmeaningthatsituatesnaturallanguagedisclo-suresaboveartificialones.Thecanonswe’veproposed,builtonanin-formedunderstandingof thecodingecosystem,predictablyenforcetheparties’reasonable,publiclycommunicated,intent,andwillforbidopportunisticexploitationofsubtleerrorsincoding.Theseoughttobethelaw’sgoalsincompilingcontractsexecutedonblockchains,aswellaswhateverformsofcodedexchangesthefuturedeliverstous.