Ghost in the shell game
Dishonesty, decentralised finance, and theft on the blockchain
On 14 October 2021, Andean “Andy” Medjedovic, an 18-year-old graduate student from Canada, managed to extract US$16m-worth of cryptoassets from a decentralised finance protocol, Indexed, through an exploit (a software tool designed to take advantage of a flaw in a computer system). Mr Medjedovic, however, maintains that he simply took advantage of a “mispricing opportunity” arising from a weakness in the code – that he had effectively done nothing but pursue an effective trading strategy. The case raises interesting questions for the world of decentralised finance, and also in relation to dishonesty generally: while this case is not likely ever to be considered under English law, there are certainly parallels to be drawn with Ivey v Genting Casinos UK Ltd (t/a Crockfords Club) [2017] UKSC 67.
Decentralised finance (“DeFi”) uses cryptocurrency (and blockchain technology in general) to manage transactions and provide financial services via “protocols”. Consider a ‘traditional’ savings account: you save your money with the bank and the bank gives you an interest rate of 1.5%. The bank then lends your money out to other customers and charges an interest rate of 4% - pocketing the 2.5% difference between the rates. A theoretical DeFi savings account protocol would allow you to bypass the bank entirely, giving you the full 4% interest on your funds.
Advocates suggest that DeFi gives individuals direct access to more secure and transparent financial services, with greater control over one’s own wealth than in the centrally-controlled financial systems of the past.
However, as with all things crypto-, there is currently a dearth of regulation, meaning no recourse if vital details are forgotten or lost and absolutely zero consumer protection, while hackers and scammers remain a constant threat.
Jack Bogle meets Neuromancer
Indexed is a DeFi protocol that acts like a traditional index fund, but for cryptoassets on the Ethereum blockchain. Much like how, in conventional financial markets, an index fund gives an investor a way to purchase and maintain a diverse portfolio of stocks while outsourcing much of the grunt work to a portfolio manager, Indexed allows investors the opportunity to buy one cryptoasset which represents a “pool” of other cryptoassets.
The key difference with Indexed is that the “pool” is not maintained or managed by a human being. Instead, a sophisticated algorithm automates the process of rebalancing the proportion of items in the “pool” by buying and selling cryptoassets according to rules decided in advance by its developers. These rules are referred to as “smart contracts” and a very basic, and hypothetical, example would be “If the total value of Bitcoin held in the pool is above £10,000, sell Bitcoin until the total value is equal to £10,000.” Unlike regular contracts, however, smart contracts cannot be halted or amended – once they become part of the blockchain and start operating, they are there forever and will operate whenever their conditions are met.
After debuting in December 2020, Indexed exploded in popularity, becoming the second biggest index-protocol by value on the Ethereum blockchain. By fully automating the process and cutting human beings out entirely, Indexed were able to offer their “index tokens” to investors with zero management fees – the ultimate in passive funds – and, ironically, were positioned as a lower-risk investment vehicle in the cryptospace prior to the incident.
The man, the maths, and the “mispricing opportunity”
Andy Medjedovic was researching and writing his Master’s thesis on the mathematics of random matrix theory at the time that Indexed first began operating. Medjedovic also regularly participated in online hacking and coding competitions and had become interested in the algorithms that allow DeFi protocols to operate, writing bots that would explore the profitability of different trading strategies.
Medjedovic read about Indexed on a forum and was immediately interested. As the code behind DeFi projects is stored on the blockchain and is therefore publicly accessible, Medjedovic was able to review the smart contracts at the heart of Indexed. He realised that there was a potential strategy that he could exploit to generate huge profits through the Indexed protocol. This was Medjedovic’s “mispricing opportunity”.
Flash loans are not forever
While the strategy was exceptionally complex, broadly Medjedovic’s code took advantage of a DeFi staple, “flash loans” (extremely short-term loans of cryptoassets), to execute hundreds of trades with borrowed funds with the aim of artificially deflating the value of the Indexed “pool” tokens. The code then bought these tokens at their discounted rate, transferred them to a separate Ethereum wallet, and then paid back the flash loans.
In total, Medjedovic took out approximately $160m-worth of flash loans and was left with, at the time, $11.9m-worth of Indexed tokens. All he had to pay were the fees for taking out the flash loans, totalling approximately $11,000. Notably, Medjedovic would have had to pay these fees whether or not he was successful – he maintains he took on significant risk in pursuing the strategy he did.
The Ivey connection
Medjedovic’s position echoes that of Mr Ivey, as considered in Ivey. Mr Ivey, a professional gambler, won approximately £7.7m from a casino by “deploy[ing] a highly specialist technique called edge-sorting which had the effect of greatly improving his chances of winning”. Effectively, Ivey realised that the pattern on the back of the cards, used by the casino for games of punto banco, was not quite perfectly symmetrical due to the manufacturing process. Ivey was therefore able to, with the assistance of another professional gambler, track cards across hands and generate an advantage. The second part of Mr Ivey’s strategy was to convince the casino’s employees that he was superstitious (which was not a hard task, as many gamblers actually are) and to make requests, which seemed initially innocuous, but that assisted with the tracking. Once he started winning, for example, Ivey requested that they keep playing with the same set of decks. The casino only realised that Ivey had deployed these techniques after bringing in an expert from Las Vegas to review the CCTV footage of Ivey’s games – they subsequently refused to pay Ivey the winnings.
At trial, Ivey freely admitted that he had deployed edge-sorting and denied that doing so amounted to cheating – he saw a vulnerability in the casino’s set-up and took advantage of it to tilt the odds in his favour. Ivey’s strategy was not risk-free: his initial stake consisted of £1m of his own money, and the judge found that Ivey genuinely believed that he had acted honestly.
However, in a move that overruled the previous two-leg test for dishonesty established in R. v Ghosh (Deb Baram) Q.B. 1053, the Court in Ivey found that what Mr Ivey believed did not matter. The only relevant concern for whether a course of action was dishonest was an objective test of whether ordinary reasonable and honest people would consider it dishonest. Mr Ivey’s strategy was found to be dishonest under this new formulation and he consequently lost his case.
Returning to Mr Medjedovic’s position, he has subsequently been sued for fraud by both the creators of Indexed and by Cicada 137 LLC (a Delaware-registered company that anonymously represents the largest holder of Indexed tokens that were lost at the time of Medjedovic’s trades).
The DeFi community are not entirely supportive of the suits filed against Medjedovic, either. Given many of the members’ ideological commitment to the principles of decentralisation, having prominent members attempt to resolve their issues in the centralised institution of a court certainly rankles – the irony is practically palpable.
Questions for our courts
It is not clear at this point whether Mr Medjedovic has instructed legal representatives to assist with his defence, given that it has been reported he is on the run. Nevertheless, it is worth contrasting Medjedovic’s position with that of Ivey as it is probably only a matter of time before the Courts of England and Wales are asked to consider similar issues – given both the global nature of the DeFi and crypto spaces generally, and the seeming ubiquity of exploits.
In Ivey, there was an entity towards whom Mr Ivey acted dishonestly, the casino. In an even more granular way, he acted dishonestly towards the individual dealers, croupiers, and other staff at the casino during the incident in question. In Medjedovic’s case, it is not necessarily immediately clear to whom he acted dishonestly. Given that Indexed is a DeFi protocol (as we discussed earlier), did Medjedovic act dishonestly towards what is effectively a sophisticated machine? Can one act dishonestly towards a machine?
In Ivey, one could argue that Mr Ivey obtained his advantage by exploiting factors external to the rules of punto banco – the edge-sorting. Edge-sorting is not mentioned anywhere in any hypothetical punto banco rulebook. Mr Ivey’s defence was that, effectively, the whole casino set-up was the game that he was playing and the casino failed to see that, meaning that he “won”. In Medjedovic’s case, there could be no factors external to the “rules” of the Indexed protocol: the “rules” were smart contracts that are immutably part of the blockchain. In effect, every move he made was permissible by the explicit “rules” of the Indexed protocol – to do otherwise was impossible.
In contrast to the circumstances in Ivey, Indexed’s creators are alleging that Medjedovic engaged in a form of market manipulation by artificially deflating the value of the tokens as part of his strategy. While DeFi and crypto remain an unregulated space, it is difficult to see how, even hypothetically, this argument could amount to much, given that various financial agencies (including the SEC, FCA, and the CSA in Canada) have all stated that their current rules against market manipulation do not apply to cryptocurrencies at present. Of course, in theory, the courts could take a different view.
Finally, and in a broader sense, the relationship between information asymmetry and dishonesty needs to be considered. In both cases, Ivey and Medjedovic knew something that the other side did not. Both men then used this asymmetry to their advantage. How are these situations different from a trader that, through thorough analysis of proprietary data, realises that shares in a particular company are overvalued, and then generates a significant profit by shorting them? Or, in a more pejorative example, those in the financial industry that sold their positions ahead of the 2008 crash, based on information that had not been released to the public? What would an ordinary reasonable and honest person make of Medjedovic’s complex financial coding?