Frauds with crypto assets increase day by day. Criminals take advantage of vulnerabilities found in exchanges and smart contracts to transfer crypto assets to digital wallets – which, although monitored, have no personal data linked, which makes it difficult to identify the authorship of the illicit and recover the assets.

To this day, for example, it is not clear what happened in one of the most emblematic cases of crypto theft. In 2014, the Japanese exchange Mt. Gox was reportedly the target of an attack hacker that embezzled more than $322 million in cryptocurrencies, mainly bitcoins.

Brazilian case law has applied consumer law rules in similar cases.[1] In the understanding of the Court of Justice of São Paulo (TJSP),  the crypto exchange fits into the vendor definition contained in the Article 3 of the Consumer Code (CDC), as a provider of crypto assets intermediation and custody service. For the TJSP, this type of broker must respond objectively for the damages generated by defects related to the provision of the services, as determined by the Article 14.

When it can be pointed out that the exchange provided a defective service that resulted in injury, therefore, civil liability for damages falls on it. But how to set the responsibility when the damage was caused by failure or attack – the so-called hack - on the blockchain itself?

In March of this year, the Ronin network – a sidechain which functions as a kind of bridge between different blockchains, including the one running the game Axie Infinity – suffered one of the biggest attacks already registered in the crypto universe. The hacker took advantage of a vulnerability and hacked private keys from at least four of the network's nine nodes. With this, it managed to drain about $625 million in cryptocurrencies, including ether and USDC.

Such attacks are rare in the crypto world, but they spark an alert above all for underscoring the integrity of the blockchain. Despite the low frequency with which they occur, problems of this nature raise questions about what a secure blockchain would be and to whom to attribute the effective responsibility for the damage suffered.

In order to understand the question it is necessary to establish whether the crypto assets are:

  • kept in custody of an Exchange; or
  • being negotiated in decentralized finance protocols (DeFi), without being able to identify a custodian organization.

If the assets are in custody of exchanges, the possible loss resulting from an attack on the blockchain can hardly generate any responsibility for the broker. It can be argued, however, that there would be joint and several liability for the losses, since the exchange is inserted in the consumer chain.

Given the case presented, however, there is no way to identify a clear causal link between the service provided by the exchange and the injury. The lack of causal link may also raise the hypothesis of excluding liability for the absence of a defect in the service (art. 14, paragraph 3, I of the CDC) or, by case of fortuitous (art. 393 of the Civil Code).

The situation changes slightly when the crypto assets whose blockchain has been hacked are being traded on DeFi protocols. In this case, the difficulty in assigning liability stems less from legal uncertainty than from the difficulty of identifying the organization responsible for offering the trading and custody structure of crypto assets.

The fact that the registration in blockchain being decentralised does not mean that it is impossible to identify an institution or someone behind the creation of the protocol and its maintenance. In general, this role is played by foundations or even by a group of persons without legal personality.

It is difficult, however, to identify exactly the role of these agents in the creation or maintenance of the protocol. It is also difficult to establish whether the activities performed can characterize the organization or group of people as "suppliers" and thereby attract responsibility for damage to the consumer.

The arrival of new asset and technology modalities raises legal issues that need to be better addressed. Until it is clearly established who is responsible for the damage in cases such as the Ronin network, or even if it is possible to establish some kind of liability in these cases, it can be difficult to find support in the law to obtain compensation for damages caused by hacker attacks.


[1] Civil Appeal TJ/SP 1001913-90.2019.8.26.0080; Civil Appeal TJ/DF 0730396-17.2018.8.07.0001; Civil Innominated Appeal TJ/SP Case 0011980-92.2016.8.26.0127