Is code *REALLY* law though? — A breakdown of one of DeFi’s biggest debates

Jen Albert

Mar 12, 2025


In this episode of Blockchain Banter, I sat down with Glenn from Bancor and 21 from Paw Chain to tackle one of the most debated topics in DeFi: Is code really law?


We often hear the phrase thrown around, but what does it truly mean? And more importantly, does it hold up? As we dove into the discussion, it became clear that this isn’t a simple yes-or-no question. There are nuances, gray areas, and conflicting interpretations, especially when legal frameworks, decentralization, and user accountability come into play.




What Does “Code is Law” Actually Mean?

The idea behind “code is law” is that smart contracts dictate outcomes, removing intermediaries and human intervention. Whatever is written into the code should be final: executed as intended, without external interference.


But here’s where it gets tricky:
  • Smart contracts are built by people. And people make mistakes. Bugs, exploits, and unintended behaviors can occur, raising the question: should these be corrected, or should the immutable code stand?


  • Legal systems don’t recognize blockchain code as “law.” While DeFi protocols operate in a “trustless” environment, governments and regulators still enforce legal standards. So, if an exploit happens, is the attacker simply using the system as intended, or are they committing fraud?


  • Decentralization vs. Intervention. If a protocol steps in to reverse an exploit, does that violate decentralization principles? Or is it necessary to protect users?




Two Perspectives: Is Code Really Law?

21’s View: Code is law, but human oversight is necessary.


“I believe in decentralization, but we have to acknowledge that humans are still part of the equation. Smart contracts don’t exist in a vacuum – developers build them, and users interact with them. We need to find a balance between automation and accountability.”


He pointed out that true decentralization was meant to bring balance back to a system people no longer trusted. But if DeFi completely removes human oversight, are we really achieving balance — or just shifting power in a different way?


Glenn’s View: Code is not law — legal frameworks still apply.




“Ideally, we’d love for DeFi to be governed purely by smart contracts, but in reality, governments don’t recognize code as the law. When things go wrong, it’s not the smart contract that determines legality — it’s the real-world legal system.”


We pointed to the Mango Markets exploit, where an attacker manipulated a protocol’s price oracle to drain over $100 million, claiming it was a “profitable trading strategy.” Yet, legal authorities saw it as market manipulation, and the attacker now faces charges.


The takeaway?

While “code is law” might be a guiding principle in DeFi, it doesn’t necessarily align with how jurisdictions enforce regulations.



U.S. Securities and Exchange Commission Press Release Jan. 20, 2023 https://www.sec.gov/newsroom/press-releases/2023-13




The Case for Immutability — Does It Strengthen or Weaken “Code is Law”?

Immutability — the idea that once a smart contract is deployed, it cannot be changed — is often seen as a pillar of DeFi security. But is it always beneficial?


Pros of Immutability:

  • Prevents centralized control and tampering.


  • Ensures protocols remain as originally deployed.


  • Enhances trust in decentralized finance.


Cons of Immutability:

  • Protocols cannot adapt or evolve post-deployment.


  • Users may be left vulnerable to security risks.


  • If an exploit is found, it cannot be patched.


As Glenn pointed out, many developers aim for immutability, but it’s a progression, not an immediate standard. Most protocols start with upgradeable contracts, then transition to immutability once battle-tested.


But what happens when an immutable contract has a major vulnerability? That leads to another challenge — who is responsible when things go wrong?




Who Takes the Blame?

This sparked one of the most thought-provoking discussions of the call. If code is law and an exploit happens, who is at fault?


Is it the developers? They wrote the smart contract, so should they be held accountable for any vulnerabilities?


Is it the users? Should they be expected to fully understand the risks of interacting with DeFi protocols? At least enough to take responsibility if there’s a loss of funds?


Is it just the nature of decentralized finance? If there’s no centralized authority, maybe there’s simply no one to blame?


Glenn and 21 both agreed that above all, intent matters. If a developer introduces a malicious contract designed to steal funds, that’s fraud. But if an unforeseen bug causes a failure, it’s not fair to equate that with criminal intent.




Intent makes sense. But what about Tornado Cash?

While Tornado Cash was initially developed to enhance privacy in cryptocurrency transactions, it became a focal point in legal and regulatory actions due to its misuse in illicit activities.


In August 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash, alleging it had been used to launder over $7 billion in cryptocurrency since its inception in 2019, including $455 million stolen by the North Korean-linked Lazarus Group, the same group currently cashing out hundreds of millions from the recent $1.5 billion ByBit hack.


U.S. Department of the Treasury Press Release “U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash” https://home.treasury.gov/news/press-releases/jy0916



This raises a critical question: If a tool is designed with good intent but is later used for illicit activities, should the responsibility fall on its creators? Or does decentralized technology remove that burden entirely?


It fell on its creators, until it didn’t. See “Court overturns US sanctions against cryptocurrency mixer Tornado Cash.”


21 argued that the entire industry needs to take responsibility — not just developers. He emphasized that while DeFi is supposed to be trustless, the reality is that users don’t have enough educational resources to navigate it safely.


“We scream ‘DYOR’ (Do Your Own Research), but what are we actually doing to educate users? Most of the time, it’s just a disclaimer to cover our own butts. We should be teaching people how to use scanners, analyze smart contracts, and assess risks instead of just telling them to DYOR.”




The Legal Gray Area — Should Protocols Step In?

One of the biggest questions in DeFi is whether projects should intervene when malicious activity occurs.

  • 21 suggested that projects should have accountability measures in place.


  • Glenn countered that intervention contradicts the very nature of DeFi.


The reality? There’s no universal standard. Each protocol makes its own decisions based on legal risks, moral considerations, technical capabilities, and its DAO (decentralized autonomous organization), if it’s governed by one.



What About KYC?

We closed the discussion with a final controversial question: Should KYC (Know Your Customer) be mandatory in DeFi?

21 took a strong stance in favor of KYC, stating:


“Mass adoption won’t happen if billion-dollar companies have to trust a Twitter account with a PFP. If we want to onboard institutions, we need real identity verification.”


Glenn saw both sides, acknowledging that KYC can increase trust while also recognizing that true DeFi purists will always push back against identity requirements. He sees the industry moving toward a model where both can coexist, giving users the choice of how much anonymity they want.





Final Thoughts

Is code really law?


Technically? Yes, smart contracts execute exactly as written.
Legally? No, governments still enforce real-world laws.
Practically? It depends on the protocol.


Check out the recording below and tell me what you think. Should code be law? Should DeFi projects intervene?


https://x.com/i/broadcasts/1mrxmPdpmjgJy



Blockchain Banter

Blockchain Banter is a live, unscripted discussion series where industry experts, builders, and thought leaders come together to share knowledge, challenge ideas, and explore the evolving landscape of DeFi and blockchain. Tune in weekly to join the discussion!


🎙️ Follow me on X at x.com/Here2DeFi and tune in weekly:

Tuesday Trading at 3PM UTC

Wednesday Debates at 3PM UTC



Presented by Bancor

Bancor has always been at the forefront of DeFi innovation, beginning in 2016 with the invention of the Constant Product Automated Market Maker and “pool tokens” — which still remain extensively used across the industry. The newest inventions powering Carbon DeFi and Arb Fast Lane substantiate Bancor’s deep commitment to delivering excellence, advancing the industry, and pushing the boundaries of what is possible in the world of decentralized finance. For more information, please visit www.bancor.network.


Carbon DeFi is a product of Bancor and isn't affiliated with Carbon - the cross-chain protocol built by Switcheo Labs
