Code, Courts and the Limits of Autonomous Agreement: The Jurisprudence of Smart Contract Disputes
From Mango Markets to the Property (Digital Assets etc) Act 2025: How Legal Systems Are Absorbing Programmable Transactions
Introduction
On 23 May 2025, Judge Arun Subramanian of the Southern District of New York granted Avraham Eisenberg’s Rule 29 motion following his Mango Markets conviction.1 Eisenberg had been convicted by a jury in April 2024 on commodities fraud, commodities manipulation and wire fraud. The trial judge set aside all three counts. The ruling was not a general endorsement of “code is law”. It was narrower and more legally important. The commodities convictions failed because the government had not proved venue in the Southern District of New York. The wire-fraud count failed both because the government had not proved venue and because it had not proved a false statement or deceptive representation to the protocol. The decision exposes the difficulty of translating protocol-permitted conduct into conventional fraud doctrine, but it does not immunise manipulation as such. Federal prosecutors have appealed.1
The decision crystallises a problem that courts across multiple jurisdictions are now confronting. Smart contracts execute autonomously. They do not interpret. They do not exercise discretion. They do what their code permits. When a participant exploits that code in ways the developers did not anticipate, the question of whether that conduct constitutes fraud depends on whether the protocol itself established the norms being violated. If the protocol is silent, the traditional elements of fraud may not be present. The implications for decentralised finance are practical, not theoretical, and the case law emerging in 2024 and 2025 suggests that legal systems are absorbing programmable transactions into existing doctrinal frameworks rather than constructing new ones.
The emerging case law is not asking whether code is law. It is asking which layer of a decentralised system the law should treat as legally operative: the autonomous code, the governance machinery around it, or the human actors who designed, controlled and profited from both. The cases reviewed in this article divide across those three layers. Eisenberg concerns the autonomous code layer. Tornado Cash concerns the boundary between code and its human operators. Ooki DAO and the governance-exploit cases concern the human control layer. The Property (Digital Assets etc) Act 2025 provides the English-law proprietary framework within which disputes at all three layers may be resolved.
The Mango Markets Problem
The mechanics of Eisenberg’s scheme were straightforward in execution if complex in structure. In October 2022, he created two accounts on the Mango Markets platform. One account took a large long position in MNGO Perpetuals; the other took a corresponding short position. He then purchased MNGO tokens across multiple exchanges in sufficient volume to inflate the spot price. Because Mango Markets used an oracle feed drawing on those external exchange prices, the inflated spot price fed through to his perpetual position’s unrealised profit. That unrealised profit constituted collateral within the protocol. Against that inflated collateral, Eisenberg borrowed approximately $110 million in other tokens from the Mango Markets lending pools and withdrew them from the platform.1
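The collateral mechanism described above can be made concrete with a simplified model. This is an added example, not Mango Markets' code or parameters: the function names, the loan-to-value ratio, the deviation threshold and the price feeds are all constructed assumptions. It contrasts a borrow limit marked to the latest oracle print with one that discounts unrealised profit and ignores it when the print departs sharply from the recent median.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class PerpPosition:
    size: float         # contracts held; positive means long
    entry_price: float  # oracle price when the position was opened

    def unrealised_pnl(self, mark: float) -> float:
        return self.size * (mark - self.entry_price)


def naive_borrow_limit(pos, deposit, prices, ltv=0.5):
    """Mark to the latest oracle print and count all paper profit as collateral."""
    collateral = deposit + pos.unrealised_pnl(prices[-1])
    return ltv * max(collateral, 0.0)


def hardened_borrow_limit(pos, deposit, prices, ltv=0.5,
                          window=6, max_move=0.10, profit_weight=0.5):
    """Losses count in full; profit is discounted, and ignored entirely when the
    latest print sits more than max_move away from the recent median."""
    if len(prices) < 2:
        raise ValueError("need at least one earlier print to form a baseline")
    latest = prices[-1]
    # Baseline is the median of up to `window` prints before the latest one.
    baseline = median(prices[-(window + 1):-1])
    pnl = pos.unrealised_pnl(latest)
    if pnl > 0:
        deviated = abs(latest / baseline - 1.0) > max_move
        pnl = 0.0 if deviated else profit_weight * pnl
    return ltv * max(deposit + pnl, 0.0)


# Constructed sample data: a thinly traded token whose last print jumps 8x.
POSITION = PerpPosition(size=100_000, entry_price=1.00)
DEPOSIT = 50_000.0
CALM = [1.00, 1.01, 0.99, 1.00, 1.02, 1.00, 1.05]
SPIKE = [1.00, 1.01, 0.99, 1.00, 1.02, 1.00, 8.00]

if __name__ == "__main__":
    for name, feed in (("calm", CALM), ("spike", SPIKE)):
        print(name,
              naive_borrow_limit(POSITION, DEPOSIT, feed),
              hardened_borrow_limit(POSITION, DEPOSIT, feed))
```

On the constructed spike feed the naive limit grows fifteenfold while the hardened limit falls back to the deposited assets alone.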
The scheme was public. Eisenberg identified himself on social media within days and described his actions as a “highly profitable trading strategy.” He offered to return a portion of the funds in exchange for an agreement not to pursue criminal prosecution, a negotiation conducted openly through on-chain governance proposals.
The legal question was precise: if a decentralised protocol has no rules prohibiting the conduct, is exploiting it fraud? The government’s theory had two strands. The commodities counts treated the oracle-driven price inflation as market manipulation. The wire-fraud count treated the borrowing as obtaining property by false pretences. The court separated them. It held that the commodities counts failed for want of venue. The wire-fraud count failed for want of venue and, independently, because the protocol had made no representation capable of being falsified and had no rule prohibiting the borrowing.1
The appeal is pending before the Second Circuit. It will test how far venue doctrine and wire-fraud falsity constrain crypto-exploit prosecutions. It will not settle all DeFi liability. It will matter most where prosecutors seek to characterise protocol-permitted execution as deceit, rather than as manipulation, theft or unauthorised access.
Tornado Cash and the Limits of Sanctioning Code
On 26 November 2024, the Fifth Circuit held that the Office of Foreign Assets Control exceeded its statutory authority when it designated the immutable smart contracts of Tornado Cash under the International Emergency Economic Powers Act.2 The court’s reasoning was direct. IEEPA permits the blocking of “property” in which a foreign national has an “interest”. Immutable smart contracts do not constitute property within that statutory meaning where no person owns, controls or can modify them. No person holds an ownership interest. No person exercises exclusion rights. The contracts exist on the Ethereum blockchain, executing their mixing function for anyone who interacts with them.
The Treasury Department declined to seek certiorari. On 21 March 2025, OFAC formally delisted the Tornado Cash smart contract addresses.3 The sanctions designation that had been in force since August 2022 was withdrawn.
Roman Storm’s prosecution shows the same distinction operating from the other direction. In August 2025, a jury convicted him of conspiracy to operate an unlicensed money-transmitting business but deadlocked on the money-laundering and sanctions-conspiracy counts.2 The result sharpens the distinction drawn in Van Loon: immutable contracts may fall outside OFAC’s property-blocking power under IEEPA, but developers and operators remain exposed to conventional criminal theories where prosecutors can prove the necessary human conduct and mens rea. As of May 2026, prosecutors were seeking an October 2026 retrial on the two deadlocked counts, while Storm continued to pursue post-trial relief from the money-transmitting conviction.
Immutable smart contracts may fall outside a particular statutory mechanism, as Van Loon held under IEEPA. That does not make the wider protocol ecosystem legally neutral. Interfaces, developers, governance participants, relayers and entities that profit from or maintain the system remain capable of regulation or prosecution where ordinary statutory elements are satisfied. The separation of code from coder is becoming a central organising principle in this area.
DAO Liability and the Ooki DAO Precedent
In June 2023, the Commodity Futures Trading Commission obtained a default judgment against Ooki DAO in the Northern District of California.4 The court imposed a civil monetary penalty of $643,542 and a permanent trading and registration ban. The significance of the judgment lies not in the quantum but in the jurisdictional finding: the court held that Ooki DAO was an unincorporated association under California law and therefore was a “person” under the Commodity Exchange Act and could be sued, served and bound by judgment.4
The CFTC had served the DAO through a “help chat” box on its website and by posting the complaint in a governance forum, methods the court accepted as adequate under the circumstances. The DAO’s failure to appear (no individual took responsibility for instructing lawyers) produced the default. But the legal architecture the court constructed survives independently of the procedural posture. If a DAO is an unincorporated association, its members may bear joint and several liability for its obligations. The harder question is whether governance participation can translate into personal exposure. Ooki establishes that the DAO itself may be treated as an unincorporated association. It does not yet establish that every voting token holder is personally liable for the DAO’s regulatory violations.
Token-holder liability therefore remains the unresolved issue. No court has yet determined whether holding a governance token and voting on a proposal creates the degree of participation necessary to establish personal liability under unincorporated association principles. The question is live. Multiple enforcement actions against DAOs are proceeding in various jurisdictions and the Ooki DAO framework provides the template that regulators are deploying. For DeFi governance participants, the practical consequence is that voting on protocol proposals may create legal exposure that a purely passive token holding would not.
The Property (Digital Assets etc) Act 2025
The Property (Digital Assets etc) Act 2025 received Royal Assent on 2 December 2025.5 It contains one operative section, but the legal effect is material. The Act confirms that digital assets are capable of being personal property under English law notwithstanding that they are neither things in possession nor things in action. It gives statutory footing to the third-category analysis that the common law had been developing since 2019, while leaving the boundaries of that category to be worked out by the courts.
The Act’s intellectual foundations lie in the UK Law Commission’s 2023 final report on digital assets, which recommended statutory confirmation that digital assets could attract proprietary rights without fitting into either traditional category.6 The Law Commission’s draft bill followed in July 2024. Parliament enacted it with minimal amendment. The Law Commission’s ongoing project on digital assets and electronic trade documents in private international law, with a consultation paper published on 5 June 2025, extends this work into cross-border questions of applicable law and jurisdiction.7
The Act does not create an all-purpose law of digital assets. Its move is narrower and more useful. It confirms that an asset is not excluded from personal property rights merely because it is neither a thing in possession nor a thing in action. That statutory negative removes the threshold objection. The content of the rights, and the availability of proprietary remedies, remain questions for ordinary legal and equitable doctrine. Trust structures over crypto-assets rest on firmer ground. Security interests can in principle be structured over digital tokens, although the form and effectiveness of that security will still depend on the asset, the control arrangements and the applicable collateral regime. Interim injunctions freezing specific on-chain assets are available on conventional proprietary principles. The pre-existing case law (AA v Persons Unknown, Fetch.AI v Persons Unknown and others) had already extended these remedies, but the statutory foundation removes the doctrinal uncertainty that defendants were beginning to exploit in contested hearings.
The UK Jurisdiction Taskforce Legal Statement on cryptoassets and smart contracts, published in November 2019, was the catalyst for this legislative programme.8 Its conclusion, that cryptoassets were capable of being owned and that smart contracts were capable of giving rise to binding legal obligations, was influential precisely because it was produced by senior practitioners and academics rather than by government. The Law Commission work and the 2025 Act represent the legislative endorsement of those conclusions.
Smart contract enforceability under English law now rests on the interaction between the 2025 Act (confirming proprietary status), the existing law of contract (offer, acceptance, consideration, certainty of terms) and equitable principles (constructive trust, unjust enrichment, knowing receipt). English law has not created a new body of “smart contract law.” It has confirmed that existing principles apply to this new form of transaction.
Governance Exploits vs Code Exploits
An analytical distinction is emerging in the case law and enforcement practice between exploits that target smart contract code and exploits that target governance infrastructure surrounding that code. The distinction carries legal significance because the two categories engage different duties and different liability frameworks.
On 21 February 2025, the Bybit exchange lost approximately USD 1.4 billion in digital assets.9 The attack did not exploit any smart contract vulnerability. The attackers, subsequently attributed to the Lazarus Group (North Korea’s state-sponsored hacking operation), compromised the development machine of a Safe{Wallet} front-end developer. They altered the user interface that Bybit’s signatories used to approve transactions, causing the display to show a legitimate transaction while the underlying payload transferred assets to attacker-controlled addresses.9 This was an attack on human trust in a user interface, not on the mathematical guarantees of smart contract code.
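The gap between what signatories were shown and what the payload did is the point a control can target: decode the raw transaction independently and compare it with the displayed intent before signing. The sketch below is an added example, not code from Bybit or Safe{Wallet}; it assumes, for illustration only, that the approved action is a plain ERC-20 transfer, and the dictionary field names and addresses are constructed. Such a check only helps when it runs on a device and toolchain separate from the interface being checked.

```python
TRANSFER_SELECTOR = "a9059cbb"  # ERC-20 transfer(address,uint256) selector


def encode_transfer(recipient: str, amount: int) -> str:
    """Build ERC-20 transfer calldata (used here only to construct samples)."""
    return ("0x" + TRANSFER_SELECTOR
            + recipient[2:].lower().rjust(64, "0")
            + format(amount, "064x"))


def decode_transfer(data_hex: str):
    """Return (recipient, amount) or raise ValueError for anything else."""
    data = data_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 64 + 64 or data[:8] != TRANSFER_SELECTOR:
        raise ValueError("payload is not a plain ERC-20 transfer")
    address_word, amount_word = data[8:72], data[72:]
    if address_word[:24] != "0" * 24:
        raise ValueError("address argument has non-zero padding")
    return "0x" + address_word[24:], int(amount_word, 16)


def payload_mismatches(displayed: dict, raw_tx: dict) -> list:
    """List every way the raw payload departs from what the signer was shown."""
    problems = []
    if raw_tx["to"].lower() != displayed["token"].lower():
        problems.append("call target is not the displayed token contract")
    if raw_tx.get("value", 0) != 0:
        problems.append("payload moves native currency that was not displayed")
    try:
        recipient, amount = decode_transfer(raw_tx["data"])
    except ValueError as exc:
        return problems + [str(exc)]
    if recipient != displayed["recipient"].lower():
        problems.append("recipient differs from the displayed recipient")
    if amount != displayed["amount"]:
        problems.append("amount differs from the displayed amount")
    return problems


# Constructed sample values (placeholder addresses, not real accounts).
TOKEN = "0x" + "aa" * 20
TREASURY = "0x" + "bb" * 20
UNKNOWN = "0x" + "cc" * 20
DISPLAYED = {"token": TOKEN, "recipient": TREASURY, "amount": 1_000_000}
HONEST_TX = {"to": TOKEN, "value": 0, "data": encode_transfer(TREASURY, 1_000_000)}
TAMPERED_TX = {"to": TOKEN, "value": 0, "data": encode_transfer(UNKNOWN, 1_000_000)}

if __name__ == "__main__":
    print(payload_mismatches(DISPLAYED, HONEST_TX))
    print(payload_mismatches(DISPLAYED, TAMPERED_TX))
```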
In April 2026, two further large-scale exploits demonstrated the same pattern. On 1 April, the Drift Protocol lost approximately $285 million through a governance mechanism exploit.10 On 18 April, Kelp DAO lost approximately $292 million through a cross-chain verification and control-layer failure.11 Neither attack required breaking cryptographic assumptions or exploiting coding errors in the core smart contracts. Both targeted the governance and administrative layers that sit above the autonomous code.
Public blockchain-incident datasets converge on the same direction of travel, even if their classifications differ. TRM reported USD 2.87 billion stolen across nearly 150 hacks and exploits in 2025. SlowMist-linked reporting put the figure at roughly 200 incidents and more than USD 2.9 billion.12 The exact count matters less than the pattern: the largest losses are increasingly associated with compromised keys, wallets, interfaces and control planes, not only with defective smart contract code.
The legal significance is direct. A pure code exploit, where a trader uses a protocol exactly as its code permits in the manner Eisenberg did at Mango Markets, may not engage traditional fraud or theft doctrines if the protocol’s rules do not prohibit the conduct. A governance exploit is different. Where attackers compromise administrative keys, corrupt oracle feeds through infrastructure attacks or manipulate front-end interfaces, the conduct engages fiduciary duties owed by key holders, tortious liability for negligent security practices and potentially criminal liability for unauthorised computer access. Protocol developers who hold administrative keys may owe duties to depositors, depending on the control retained, the representations made and the structure through which user assets are held. Multisig signatories who fail to implement adequate operational security may face claims in negligence.12 The emerging analytical framework treats the smart contract itself as neutral infrastructure and locates legal liability in the human decisions surrounding its deployment and governance.
Strategic Outlook
The “code is law” thesis occupies a difficult position in 2026. As a defence for individuals who exploit protocols according to their rules, it has had its most significant judicial outing in Eisenberg, though the acquittal rested on venue and sufficiency rather than a broad endorsement of the principle. As a shield against sanctions, it succeeded in Van Loon: immutable contracts cannot be treated as blockable property under IEEPA. But as a comprehensive theory of how decentralised systems interact with legal order, it is failing. Courts are not creating a new body of autonomous digital law. They are absorbing smart contracts into existing categories: property (the 2025 Act), unincorporated associations (Ooki DAO), fraud (Eisenberg, albeit unsuccessfully) and sanctions (Tornado Cash).
The United Kingdom is building statutory infrastructure systematically. The Property (Digital Assets etc) Act 2025 addresses the proprietary question.5 The Law Commission’s private international law project, with its June 2025 consultation paper, addresses the cross-border question.7 The Law Commission has already published its DAO scoping paper. That paper did not recommend a DAO-specific legal entity, but it identified areas where further work may be needed if Government wants to clarify DAO status and regulatory reach. The approach is incremental, doctrinally conservative and designed to slot digital assets into existing legal architecture rather than construct parallel systems.
The United States remains a jurisdictional patchwork. The Eisenberg acquittal turned on venue, a question specific to the Southern District of New York.1 The Fifth Circuit’s Tornado Cash holding binds courts within that circuit and will be persuasive, but not controlling, elsewhere.2 The CFTC’s theory in Ooki DAO that DAOs are unincorporated associations has not been tested in contested litigation.4 No federal legislation specifically addresses smart contract liability. Venue selection and circuit-specific precedent may determine outcomes more than any unified theory of smart contract law.
For practitioners advising participants in decentralised finance, whether protocol developers, governance token holders, institutional depositors or claimants pursuing stolen funds, the current landscape requires jurisdiction-specific analysis. The question is no longer whether smart contracts create legal obligations (they do, on conventional contractual principles where the elements are satisfied) but rather where liability attaches when autonomous systems produce outcomes their participants did not intend. The answer, increasingly, is that liability attaches not to the code but to the humans who designed it, deployed it, governed it and profited from it.
Notes
1. United States v Eisenberg, No. 23-cr-10 (SDNY), opinion of Judge Arun Subramanian, 23 May 2025; commodities counts (counts one and two) vacated for want of venue; judgment of acquittal on wire-fraud count (count three) for insufficient evidence of venue and failure to prove falsity or material misrepresentation; jury had convicted on commodities fraud, commodities manipulation and wire fraud in April 2024; appeal pending, Second Circuit No. 25-1782.
2. Van Loon v Department of the Treasury, No. 23-50669, United States Court of Appeals for the Fifth Circuit, 26 November 2024; Roman Storm, SDNY: convicted August 2025 of conspiracy to operate an unlicensed money-transmitting business; jury deadlocked on money-laundering and sanctions-conspiracy counts. Prosecutors sought an October 2026 retrial on the deadlocked counts; Storm’s post-trial Rule 29 motion remained part of the procedural posture in 2026.
3. Office of Foreign Assets Control, delisting of Tornado Cash smart contract addresses, 21 March 2025.
4. CFTC v Ooki DAO, No. 3:22-cv-05416, Northern District of California, default judgment June 2023, civil monetary penalty of $643,542 and permanent trading and registration ban.
5. Property (Digital Assets etc) Act 2025, c. 29, Royal Assent 2 December 2025.
6. UK Law Commission, ‘Digital Assets: Final Report’ (Law Com No. 412, 2023).
7. UK Law Commission, ‘Digital assets and electronic trade documents in private international law’ consultation paper, 5 June 2025.
8. UK Jurisdiction Taskforce, ‘Legal Statement on cryptoassets and smart contracts’, November 2019.
9. Bybit exchange exploit, 21 February 2025, approximately USD 1.4-1.5 billion depending on valuation date, stolen via compromised Safe{Wallet} developer machine; attributed to Lazarus Group (DPRK).
10. Drift Protocol governance exploit, approximately $285 million, 1 April 2026.
11. Kelp DAO governance exploit, approximately $292 million, 18 April 2026.
12. TRM Labs, 2026 Crypto Crime Report, reporting USD 2.87 billion stolen across nearly 150 hacks and exploits in 2025. SlowMist, 2025 Blockchain Security and AML Annual Report, reporting 200 security incidents and approximately USD 2.935 billion in losses. Travers Smith, ‘DeFi exploits, on-chain interventions, and the private key: recent developments in crypto asset recovery’, 30 April 2026.


