The phrase “code is law” has come to symbolize a new era in technology, representing the belief that the rules embedded within blockchain smart contracts should be treated as the ultimate authority—unchangeable, impartial, and sovereign. James Craig and Louis Giles’ documentary Code Is Law explores the evolution, controversies, and legal ramifications surrounding this motto. Through a series of landmark case studies—most notably, The DAO hack of 2016, the Indexed Finance exploit in 2021, and the Mango Markets exploit in 2022—the film traces how a single slogan has shaped hacker cultures, ignited fierce legal debates, and forced courts and communities alike to reconsider the bounds between software and law.
The Genesis: The DAO Hack and the Birth of “Code is Law”
Blockchains promised technological neutrality, but that premise was first challenged in 2016 when “The DAO,” a decentralized autonomous organization built on Ethereum, suffered a catastrophic exploit. In the early days, smart contracts were still experimental; millions of dollars in ether surged into The DAO, driven by a vision to encode a new legal and managerial order into self-executing code. According to Griff Green, one of the original DAO members, the project represented an attempt to build a legal structure enforced purely by software logic rather than human mediation. Fabian Vogelsteller, another early participant, pointed out a fundamental flaw: while immutable rules can create unstoppable and unowned systems, they also leave no avenue for intervention or repair if the system is broken.
Green described the environment as full of amateur auditors. “We had everyone looking at these contracts,” he reminisced. “But no one had any formal training in smart contract audits because there were no smart contracts to audit.” Almost inevitably, flaws emerged. The infamous exploit drained The DAO’s coffers and led to Ethereum’s only truly contentious hard fork—a critical juncture that split the blockchain into two, giving rise to Ethereum and Ethereum Classic.
This hack was not just a technical event but a philosophical crisis for the “code is law” ideology. The community was forced to ask: Should code, with all its imperfections, be the sole arbiter? Or does society retain a higher claim when millions are lost? The aftermath of The DAO proved that even in the world of programmable trust, the real world’s messiness and dissent were never far beneath the surface.
Courtrooms versus Code: Legal Systems Push Back
Although “code is law” became a powerful slogan within the blockchain space, it was always searching for legal legitimacy. As protocols accumulated vast amounts of total value locked (TVL) and users experienced huge losses, courts worldwide consistently dismissed the notion that computer code could supplant traditional legal structures.
Legal experts have repeatedly reinforced this boundary. Timothy Spangler, a prominent crypto lawyer, summarized the prevailing legal view succinctly: “Code isn’t law, code is code. Law applies to any sort of transaction, and the purpose of law is about shifting losses from where they fall to some other party.” In practice, when major losses occur, litigation inevitably follows.
This transition from digital abstraction to legal reality crystallized in 2021 and 2022 with the Indexed Finance hack. The project was compromised by Canadian prodigy Andean Medjedovic, whose manipulation of on-chain systems enabled him to extract millions. Laurence Day, co-founder of Indexed Finance, publicly labeled “code is law” as dystopian. The Ontario courts agreed, issuing extraordinary remedies and defining the exploit as theft—a legal treatment that diverged sharply from hacker culture’s embrace of code-based order.
Further legal actions in the U.S. followed, as prosecutors brought charges connected with multiple DeFi exploits, cumulatively worth more than $65 million. These court responses drew a hard line in the sand: permissionless financial software is not exempt from established understandings of property, fraud, and theft.
Despite fleeing authorities, Medjedovic was never able to enjoy his loot: ironically, another hacker subsequently drained his gains via the “Profanity breach.” As noted by Day, this cycle of theft and counter-theft highlights a strange new world in which even the spoils of digital heists are at constant risk of further exploitation, while for victims the recovery of lost funds grows ever more remote.
Morality Plays in Smart Contract Exploits: Beyond Black and White
Code Is Law devotes significant attention to the dynamic interplay between attackers, everyday users, and the emerging class of white-hat hackers. The Euler hack of 2023, also featured in the film, revealed that not all exploiters are irredeemably malicious. In that case, pressure from community members and negotiation ultimately persuaded the hacker to return almost all stolen funds, joining a growing list of incidents in which human trust and collaboration, rather than infallible code, facilitate real solutions.
Time and again, DeFi’s chaotic experiments have exposed the gap between theoretical governance by code and the actual requirements of complex, high-stakes financial systems. The formation of white-hat “war rooms”—teams working urgently to secure, recover, and mitigate damage in the wake of an exploit—demonstrates that social trust and rapid coordination retain vital, practical significance even amid so-called disintermediation.
The Mango Markets Incident: Legal Ambiguity Deepens
Perhaps no case illustrates the collision of digital and legal order more dramatically than the Mango Markets saga of 2022. Avraham Eisenberg infamously leveraged a vulnerability in the protocol, executing a massive trade that many considered outright manipulation while he claimed it was simply a clever use of available code. Authorities responded with criminal fraud charges.
Yet the legal process did not provide an easy resolution. In May 2025, a federal judge vacated Eisenberg’s criminal convictions, finding that prosecutors had failed to prove intent to defraud beyond a reasonable doubt. While supporters of the “code is law” philosophy celebrated, the judge’s decision did not endorse unfettered on-chain exploits; it simply rested on the specifics of the case and the nature of the evidence presented.
The Mango Markets decision highlights the considerable uncertainty that still surrounds smart contract exploits. Where does “aggressive trading” end and criminal fraud begin? How far can adversarial actors push protocol boundaries before crossing into illegality? The answers remain as muddied as ever, with much depending on evidence, context, and evolving legal standards.
Whitehats, Blackhats, and the “Wild West” of DeFi
The landscape of decentralized finance exploits is often likened to the American frontier—brave, unregulated, and perilous. As Dr. Paul Dylan-Ennis noted in his research, the constant technological arms race between blackhat (malicious) and whitehat (benevolent) hackers resembles the duel between outlaws and sheriffs in the Old West. Both groups operate on the edge of legality, united only by their skepticism of the “establishment”—here, the regulators and courts seeking to impose order.
Yet, trends in recent years indicate the scale and severity of exploits have moderated somewhat, in part because of the increasing sophistication of white-hat security teams and the advent of more robust coordination tools. Recovery missions have successfully clawed back hundreds of millions of dollars in user funds, providing a counter-narrative to the notion that “code is law” is a viable replacement for trust, reputation, and social collaboration.
Nevertheless, the very open and permissionless nature of DeFi continues to invite malicious behavior. As long as incentives remain for exploiting weak points in code, adversaries will continue to test the limits of these systems, reminding everyone that purely technological solutions inevitably intersect with human fallibility and moral ambiguity.
The Broader Lessons: Limits and Potentials of “Code is Law”
What is ultimately at stake in the ongoing debate over “code is law” is not simply who wins a particular heist or court case, but how society will govern powerful, autonomous financial software in the decades to come. The history of blockchain exploits reviewed in Code Is Law demonstrates that while code-based systems offer opportunities for transparency, automation, and neutrality, they cannot eliminate the need for human judgment, resilience, and recourse.
Those who believe “code is law” should understand that courts and regulators are unlikely to ever fully defer to machine logic when vast sums, livelihoods, and reputations are at stake. At best, the phrase symbolizes the aspirations of a new technological order—one that values defense-in-depth, precision, and self-enforcing rules. In reality, it serves as a constant reminder of the tension between immutable code and mutable justice.
Looking forward, the challenge will be to integrate these two worlds: to build technologies that are robust but adaptable, transparent but empathetic, and to encourage the growth of communities that can react swiftly and decently when things go wrong. The next chapter will see legal doctrines and engineering philosophies continue to evolve together, shaping the future of decentralized finance.
Conclusion: Code Cannot Be the Only Law
The story of “code is law” in the crypto space is a story of high hopes colliding with harsh realities. From the original DAO hack to the legal battles over Mango Markets and Indexed Finance, it has become clear that software, no matter how ingenious, operates within a world that remains deeply human—full of imperfection, disagreement, and change. Code Is Law serves as a vital chronicle of this journey, highlighting the enduring need to balance technical autonomy with legal accountability, and offering vital lessons for builders, users, and regulators alike.