
“Code Is Law”: harmful myth or workable concept?
In the crypto industry, the Code Is Law principle is seen by many as foundational. Under the concept, proposed by activist Lawrence Lessig back in 1999 and applied here to blockchain, autonomously running smart‑contract code defines the essence of the deal, the rules of its execution and the relationship between the parties. If the code permits something, it is lawful.
In a column for ForkLog, lawyer and partner at Aurum, Sergey Ostrovsky, examines Code Is Law, compares smart contracts with traditional contracts, and offers several recommendations for using the concept in practice.
This material is for information only and does not constitute legal advice. For guidance on your specific situation, consult a qualified lawyer.
The key catch
The Code Is Law concept asserts the supremacy of code: whatever is written in code is correct and paramount, regardless of other circumstances. Once deployed, the code runs autonomously and executes a deal according to predefined conditions. No intermediaries, courts or manual intervention—just pure autonomous logic.
But here is the key catch: although it may govern the execution of transactions, code does not exist in a legal vacuum. On the contrary, conventional law and legislation continue to apply; they regulate blockchain transactions and even take precedence over code.
A simple example. Imagine you are a skilled hacker who spots a vulnerability in a blockchain protocol. The code has a hole, and you use it to drain millions. You think: “If the code permitted this transaction, then it is legal.” What you see as a clever move, the law is likely to treat as theft or fraud.
Smart contracts and traditional contracts
To see how smart contracts fit into classic legal systems, compare them with traditional agreements.
Key differences
In traditional contracts, the parties’ intentions are central. Courts attach great weight to what the parties agreed and how they interpret their agreement. A court can establish the circumstances of the deal, the parties’ intentions and expectations, interpret unclear terms and even modify a contract, for example in light of unforeseen events.
Smart contracts lack such flexibility. They execute automatically based on predefined logic, often leaving no room for interpretation or change. If an error or unforeseen event occurs, the smart contract will perform according to its original parameters, which can lead to unfair or unintended outcomes.
Interpretation and the parties’ intentions
In practice, the parties’ intentions and their actual agreement carry significant legal weight. If a smart‑contract dispute reaches court, the court will first determine the parties’ actual agreement and real intentions to establish the substance of the deal, rather than relying on automatic logic.
Courts may intervene if strict execution of code leads to unjust outcomes, for example in cases of fraud, mistake or unforeseen circumstances. If a smart contract allowed an unintended result or an unfair outcome in a deal, a court may give preference to the parties’ original intentions, even if that completely ignores the logic of the smart contract.
Thus, from a legal standpoint, a contract is not only “what is written” but also the parties’ intentions, their expectations, the circumstances of the agreement and the broader context of the deal. A smart contract does not include these elements; it merely handles execution.
Why “Code Is Law” cannot be absolute
The debate over Code Is Law touches deeper philosophical questions, notably the clash between legal positivism and natural law. Positivism holds that laws are human‑made rules enforced by institutions: courts, regulators and legislatures. Laws are written, interpreted and applied by people, allowing for flexibility and adaptation to achieve fair outcomes. Natural law, by contrast, suggests certain laws are innate and universal, akin to laws of nature.
Code Is Law aligns more with natural law. It treats code as an immutable set of rules governing behaviour without human intervention. Modern legal systems, however, are grounded in positivism. That means human‑made law takes precedence over self‑executing code. In practice, the law prevails—that is the rule of law.
Governments are actively regulating blockchain and cryptocurrencies, creating special legal regimes and seeking to integrate Web3 into existing legal systems. Crypto deals—and the people behind them—operate under laws, and their transactions are governed by law. Without legal recognition, rules encoded in software lack legal force.
If code is law, why are exploits and hacks illegal?
As noted, a vulnerability in code does not grant users a legal right to exploit it. The fact that code allows a particular action does not make it lawful or ethically acceptable. Code is not absolute and, legally, it yields to both the law and the parties’ agreement. The lawfulness of any action will therefore be determined first by law and agreements, and only then by code.
The widely used principle of “substance over form” holds that the reality and essence of relationships matter more than their formal presentation. A smart contract is the form of a transaction; the parties’ agreement and intentions are its substance.
Accordingly, exploiting a smart‑contract vulnerability may be treated as unauthorised access or hacking. Profiting from an exploit may be qualified as fraud or theft. Victims can sue and involve law‑enforcement agencies, potentially leading to serious legal consequences.
Suppose someone uses a vulnerability in your DeFi protocol to appropriate funds. Hackers may claim that “Code Is Law” and they merely followed rules embedded in code. Legal systems, however, will likely see it as a kind of bank robbery, underscoring the primacy of legal norms over code.
The DAO case
In 2016, The DAO—the original DAO—raised more than $150 million in Ethereum, aiming to revolutionise venture investing via smart contracts. A hacker exploited a vulnerability and siphoned over $60 million from the protocol.
This created a dilemma. On the one hand, the code permitted the exploit and, technically, the hacker followed the established rules. On the other, ethically, the act is seen as theft. So was the withdrawal legitimate, or was it a crime?
Some argued in the hacker’s defence that, since the code allowed the exploit, it was lawful within the system’s rules. The broader Ethereum community, however, regarded it as theft and opted for a contentious hard fork, rolling the chain back to its pre‑attack state.
How to use “Code Is Law” in practice?
There are three ways crypto businesses and Web3 projects can apply Code Is Law in practice.
Use hybrid structures
Code alone is not enough: however powerful, smart contracts must fit within existing legal frameworks. To bridge the gap, use a hybrid model in which the smart contract governs execution of the transaction, while legal instruments govern the broader context—legal characterisation, terms and the parties’ intentions.
Many crypto projects already use hybrid structures, often without noticing. One example is token distribution during a private sale. Smart contracts typically handle the processing—the movement of assets—while a legal agreement governs the deal, setting intentions and obligations.
Implement emergency mechanisms
Immutability is a key limitation of smart contracts. A security advantage can quickly become a problem when errors or unforeseen situations arise. To address this, include emergency mechanisms that allow intervention in exceptional cases without undermining decentralisation—for example, kill switches or governance models that can pause transactions or amend a smart contract in the event of an exploit or material bug.
Ensure compliance with the law
Despite the appeal of the “Code Is Law” philosophy, compliance remains vital. As governments and regulators worldwide roll out new rules, Web3 projects should pay close attention to regulatory strategy and compliance.
In conclusion
Code Is Law is an elegant concept, but in reality code and smart contracts cannot exist in isolation from the law. Law will always trump the contract, and the contract will trump code. Be proactive and use hybrid structures in which the legal instrument governs the deal and code executes it. Ultimately, law complements and strengthens innovation when used well.