Case of ‘Stolen’ ICX Raises Moral Questions



  • A U.S. federal judge has ruled it’s worth looking into whether a guy who “stole” 14 million ICX by exploiting some flawed code is entitled to the crypto-money.
  • Code may be law, but people write the code, so human error and other “people problems” will continue.
  • Regulation of the industry might help. “Might” being the operative word.

The U.S. legal news website Law360 recently reported that a U.S. federal judge in California has ruled that a “cryptocurrency enthusiast” who took advantage of a bug in ICON’s code to “mint millions of tokens” can pursue claims he is entitled to the tokens.

Making 14 million ICX the questionable way.

Quoting court filings, Law360 says the enthusiast in question, Mark Shin, used a bug he discovered in the ICON Network’s code after an update to mint 14 million new ICX tokens, many of which he transferred to exchanges Kraken and Binance.

According to the case text — which has a ton of info on the incident — this took place in August of 2020.

Though Shin admitted this may not have been what the update’s developers intended to happen, he claims the code changes had been agreed to and adopted. So in his view, he was the rightful owner of the newly minted tokens.

ICON begged to differ. From Law360:

“ICON disagreed, and the organization asked Binance and Kraken to have Shin’s accounts frozen, saying he had attacked the network, Shin alleges. ICON later proposed an update, dubbed the Revision 10 Proposal, to correct the bug that Shin had exploited.

Shin alleges that these actions fly in the face of ICON’s claim of “decentralized” governance. ICON’s actions also wrongly interfered with his alleged ownership rights over the tokens, Shin argued.

He claims conversion and trespass to chattel for the tokens frozen in his ICON wallet and frozen in his accounts with the outside cryptocurrency exchanges. His allegations are good enough to move forward, Judge Orrick said.”

To be clear, the federal judge didn’t rule Shin was right. The judge simply said Shin’s claim shouldn’t be dismissed.

Meanwhile, district attorneys in the state of Colorado have apparently sued Shin for alleged cybercrime, theft and money laundering in connection with the ICX minting, accusing him of “unlawfully, feloniously and knowingly” committing theft by exercising control over the tokens.

The original Law360 article is behind a paywall, but the good people at ICONkr have posted it, along with a Korean translation (the translation comes first, so scroll down for the English).

Human error in a trustless environment

The incident sheds light on old questions that have been with us almost as long as there has been blockchain. Blockchain might aim to reduce dependence on human fallibilities by creating trustless environments, but that effort may have its limits. Writing about the infamous DAO heist of 2016, WIRED wrote:

“The DAO is built on Ethereum, a system designed for building decentralized applications. Its creators hoped to prove you can build a more democratic financial institution, one without centralized control or human fallibility. Instead, the DAO led to a heist that raises philosophical questions about the viability of such systems. Code was supposed to eliminate the need to trust humans. But humans, it turns out, are tough to take out of the equation.

The DAO is a piece of software known as a ‘smart contract’—essentially an agreement that enforces itself via code rather than courts. But like all software, smart contracts do exactly what their makers program them to do—and sometimes those programs have unintended consequences.”

Though press reports frequently describe such cases as “hacks,” making code do what it was programmed to do may not even constitute “hacking,” moral questions notwithstanding.

Regulations to the rescue?

DeFi platforms have been the target of several recent “hacks,” including the theft of USD 600 from Poly Network.

CNBC gives some advice to potential DeFi investors on minimizing their exposure to such incidents. But more interestingly, perhaps, it also points to regulation as a potential solution:

“Unlike with a traditional bank, there is no regulation or insurance on your money when you use DeFi.

But, there is potential for more regulation, especially in the U.S., which could be helpful in making it safer to use.

‘While the crypto industry still has a long way to go to address the security gaps, as demonstrated by numerous hacks and rug pulls, we expect this type of illicit behavior to decrease as the industry moves increasingly toward regulation,’ says Timo Lehes, co-founder of DeFi protocol Swarm Markets.”

Of course, one could argue that government regulation hasn’t prevented actors from taking morally dubious advantage of loopholes in traditional financial and tax systems around the world.

One might also wonder how lawmakers and regulators are going to properly regulate a technology even industry insiders seem to have a difficult time understanding in full.

Still, baby steps…