Code is Law

A slogan, originally from Lawrence Lessig’s Code and Other Laws of Cyberspace (1999), picked up by the Ethereum and especially Ethereum Classic communities: smart-contract code, once deployed, is the governing law of the interactions it mediates. Whatever the deployed bytecode does is the correct, binding outcome — no off-chain appeal, no reinterpretation by a court, no fork to undo an unintended result.

The principle was load-bearing in the ETH/ETC split over TheDAO: ETC took “code is law” literally and refused to fork to reverse the exploit; ETH treated the DAO attacker’s outcome as a violation of intent and forked regardless.

House on Rock - LangSec in Ethereum Classic argues that “code is law” only makes moral sense if the meaning of the code is knowable — i.e., if there is an unambiguous executable semantics (KEVM), if languages don’t hide implicit behaviour (Fallback Method, Delegatecall), and if users have the tools (LangSec, verification) to learn what a contract can actually do before they transact with it. Without those, “code is law” means “the winner is whoever reads the bytecode better” — which is a law, but not a legitimate one.

Tags

#ethereum #governance #smart-contracts

Backlinks

Ethereum Classic line 5
House on Rock - LangSec in Ethereum Classic line 44

Linked Pages

LangSec

Language-theoretic Security

Research programme treating input-handling bugs as recognition-theoretic failures: minimise input-language power and build validating recognisers.

In this vault

Delegatecall

An EVM opcode that invokes code at another address in the caller’s storage context. The called bytecode can read and write the caller’s storage, spend the caller’s Ether, and see the caller’s msg.sender. In effect, delegatecall is a naked eval: whoever controls the target address controls the caller’s state.

The opcode exists to enable library patterns and upgradable proxy contracts, but its semantic reach makes it the sharpest available knife in Solidity. The July 2017 Parity multisig wallet freeze (Parity Multisig) was triggered by an untrusted actor invoking a library’s initializer via delegatecall, taking ownership of the library, and then self-destructing it — rendering every wallet that delegated to it unusable and freezing ~$280M of Ether.

House on Rock - LangSec in Ethereum Classic lists delegatecall with the Fallback Method as examples of implicit behaviour incompatible with LangSec: the call site doesn’t locally express what the code can do.

Tags

#solidity #evm #smart-contracts #langsec

Fallback Method

In Solidity, the unnamed function a contract invokes when it receives a call whose signature doesn’t match any declared method (or when it receives plain Ether). Prior to Solidity 0.6 it was function() { ... }; since 0.6 it is split into fallback() and receive().

Fallback methods are a canonical Solidity foot-gun: they execute code on every unknown call, including calls from untrusted counterparties, and they run in a context where the caller’s identity, the amount of Ether received, and the remaining gas are easy to misreason about. The DAO reentrancy exploit (TheDAO) and several Parity-wallet incidents (Parity Multisig) turned on fallback-method behaviour.

House on Rock - LangSec in Ethereum Classic cites the fallback method as a language design that hides implicit behaviour — the opposite of what a LangSec approach prescribes.

Tags

#solidity #smart-contracts #langsec

KEVM

An executable formal semantics of the Ethereum Virtual Machine, written in the K Framework (Runtime Verification, Inc., 2017–). Unlike the Ethereum yellow paper (prose + informal pseudo-mathematics), KEVM is a machine-checkable specification: you can run a contract against KEVM and get the same result the semantics prescribes, byte-for-byte.

Its value is twofold. (1) Reference semantics — disputes about “what does this opcode do?” can be resolved by running KEVM, not by re-reading English prose. (2) Verification target — contracts can be proved correct against KEVM using the K framework’s symbolic execution and theorem-proving tools, rather than against an ad-hoc test suite.

House on Rock - LangSec in Ethereum Classic holds up KEVM as the remediation Ethereum Classic should adopt: replace the yellow paper with an executable semantics and give verification tools a standard target.

Tags

#ethereum #formal-semantics #verification #evm

House on Rock - LangSec in Ethereum Classic

Reference: Meredith L. Patterson (2017). How to Build a House That Doesn’t Fall Apart (talk). Ethereum Classic Summit, Hong Kong, November 2017. YouTube

Summary

A LangSec critique of Ethereum aimed at the Ethereum Classic community, framed around the parable of the wise and foolish builders and Philip K. Dick’s “reality is that which, when you stop believing in it, doesn’t go away.” Patterson argues Ethereum was built on sand — an ad-hoc, non-executable yellow-paper semantics; a hand-rolled Solidity parser; a test suite with no coverage for delegatecall or invalid opcodes; a design culture that scorned formal methods until hundred-million-dollar losses forced the issue.

The central technical argument is that the gas mechanism does not do what the yellow paper claims it does. Gavin Wood’s stated purpose — “sidestep the inevitable issues stemming from Turing completeness” — confuses a resource bound (a non-semantic, decidable property) with a safety guarantee (a semantic property that Rice’s theorem makes undecidable in general). Gas cannot show a contract “does nothing malicious”; it can only show it eventually halts. Worse, gas creates an adversarial economic game with direct monetary reward for tricking the accounting, and a perverse incentive for honest developers to omit runtime sanity checks because conditionals cost gas.

Patterson’s prescription for Ethereum Classic: standardise on KEVM (an executable operational semantics in the K framework), fix the VM test suite’s gaps, build languages that don’t hide implicit behaviour (method visibility defaults, fallback methods, delegatecall as naked eval), and invest in developer tools — IDEs, live debuggers, verification — that surface what a contract can actually do. “Code is law” requires the meaning of the code to be unambiguous, executable, and visible.

Key Ideas

Rice’s theorem bounds what gas can mean. Non-trivial semantic properties of arbitrary programs are undecidable; resource bounds are non-semantic. Gas therefore cannot sidestep Turing-completeness-induced safety problems, contrary to the yellow paper.
Gas as adversarial game. The accounting is an attack surface, not a safety property; attackers are paid to win. Honest contract authors are weakly pushed toward removing checks to keep gas costs competitive.
LangSec programmer–machine contract. Inputs must have a formal grammar; two implementations of the same spec must accept/reject identical inputs; semantics must be executable so claims about behaviour can be verified mechanically.
Ad-hoc semantics breeds consensus failures. When the yellow paper and cpp-ethereum disagree, cpp-ethereum wins — the denotational semantics is decorative. Discrepancies between clients have already caused real Ethereum consensus failures.
Test suites are part of software design. Official VM tests have no coverage for invalid opcodes or delegatecall — the exact instruction at the heart of the Parity multisig hacks. “VM tests” is false advertising; downstream VM implementations inherit the blind spot.
Case studies of processing-fluency failure.
- DAO: mutual recursion across a defender/attacker code boundary, missed in reviews because reviewers examine functions one at a time (cf. Leveson: accidents emerge from interactions).
- Hacker Gold: =+ typed instead of += — a hand-rolled recursive-descent parser caught nothing; a Bison grammar would have surfaced a shift/reduce conflict.
- Parity multisig (July 2017): fallback method × delegatecall × public-by-default visibility = naked eval on attacker-controlled payload; $31M drained, $150M saved only by counter-theft.
- Parity multisig (Nov 2017): library contract re-initialised by an outsider then suicided, locking $153M in wallets whose code had vanished — “left-pad for multi-million-dollar table stakes.”
KEVM (K framework operational semantics) gives Ethereum an executable semantics; generated interpreter ~20× slower than cpp-ethereum but usable, and supports reachability-based proof of safety/liveness claims.
Cognitive-science constraint. Miller’s 7±2 bounds how much implicit state a programming language can demand before human reasoning fails. Solidity’s implicit defaults (public methods, fallback dispatch, implicit conversions) exceed that budget.
“Worse is better” is unconscionable in a financial system. Sacrificing correctness and completeness to ship first transfers the cost of undefined behaviour onto users.

Connections

Making Smart Contracts Smarter — same semantic gap diagnosis; OYENTE is the symbolic-execution complement to Patterson’s formal-semantics prescription.
Formalise Blockchain Interoperability Patterns — companion move: formalise what was informal.
Security Applications Of Formal Language Theory — the Sassaman/Bratus/Patterson LangSec manifesto this talk operationalises for smart contracts.
The Halting Problems of Network Stack Insecurity — parallel argument that parser/semantics weakness is the root cause of whole vulnerability classes.
Exploit Programming - From Buffer Overflows To Weird Machines — “weird machines” framing applies directly to contracts driven off-spec via delegatecall.
PKI Layer Cake - Kaminsky Patterson Sassaman — Patterson’s earlier demonstration that grammatical discrepancies between implementations are exploitable (SSL CA forgery); same mechanism, different domain.
A Language-Based Approach To Prevent DDoS — language-theoretic remediation as a general pattern.
Operational Semantics, Denotational Semantics, EVM, Solidity, TheDAO, Reentrancy — background concepts.
An Unsolvable Problem of Elementary Number Theory — Church 1936; LangSec’s undecidability heritage behind the Rice’s-theorem argument against gas-as-safety.
Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme I — Gödel 1931; the incompleteness ancestor of the semantic-limit arguments.

Conceptual Contribution

TheDAO

A 2016 Ethereum-based decentralised autonomous organisation that held ~$150M in ether and was drained via a reentrancy bug in its split function, precipitating the controversial Ethereum hard fork. The canonical cautionary example for smart-contract verification.

In this vault

Ethereum Classic

The chain that continued the original Ethereum ledger after the July 2016 hard-fork that reversed TheDAO attack. Ethereum Classic (ETC) rejected the “bailout” fork on the principle that “code is law” — the DAO attacker’s exploit was valid under the deployed semantics, and rewriting history to undo it violated the property the system was meant to deliver. Ethereum (ETH) took the forked ledger; ETC retained the original.

The community around ETC has since positioned itself as a venue for more conservative contract-language design and stronger formal-methods discipline. House on Rock - LangSec in Ethereum Classic is Patterson’s 2017 ETC Summit talk addressed to this community, urging adoption of KEVM, a LangSec programming-language discipline, and verification tooling — the sort of infrastructure ETC’s “code is law” principle (Code is Law) commits it to taking seriously.

Tags

#ethereum #blockchain #smart-contracts