Programmer Liability and Illicit Use of Smart Contracts: A Proposed Framework to Balance Free Expression and Uniform International Regulation of Code
Smart contracts used for decentralized autonomous organizations do not require constant human oversight and thus can be susceptible to illegal transactions facilitated by bad actors (e.g., ransomware and fraud).[i] For example, the infamous 2016 hacker of The DAO exploited its vulnerable smart contract by repeatedly calling that contract to drain excess funds that the contract had not registered as already withdrawn.[ii] Because smart contracts can execute transactions across borders, bad actors can take advantage of the lack of uniform international regulation of the industry to escape liability.[iii]
Approaches to blockchain regulation, specifically regarding whom to hold liable for misuse of smart contracts and how, differ among countries.[iv] The United States lacks a clear system directing liability for abuse of smart contracts, relying instead on existing securities and cybercrime laws.[v] The European Union’s Markets in Crypto-Assets Regulation framework is more proactive in its comprehensive digital assets rules, but also lacks clarity on how to tackle liability in autonomous systems.[vi] The United Kingdom and Singapore utilize regulatory sandboxes, relying on existing frameworks, like anti-money laundering and payment services rules.[vii] In India, even the enforceability of smart contracts remains vague, and thus its legislation lacks specific outlines of liability in these contexts.[viii] This global inconsistency provides fertile ground for criminals to exploit smart contracts to execute cross-border transactions that escape liability. Addressing this issue requires international collaboration to develop clear standards for when liability attaches for exploitation of smart contract code for criminal activity.
One potential solution, or at least a step in the right direction, is a two-tiered framework holding programmers of smart contracts liable for misuse of their code if certain conditions are met.[ix] This dual-natured approach protects code as a form of expression while targeting its functional qualities. It holds programmers liable because no human intervention is involved once a smart contract is deployed and transactions are largely anonymous, and it is meant to incentivize impenetrable code writing. The first tier respects code’s expressive functions and thus would not impose liability for mere acts of authorship or publication.[x] The second tier, however, captures ill-intentioned blockchain participants, including programmers, who may take advantage of its mechanics to facilitate harm. This tier avoids intruding on freedom of expression by targeting the independent functionality of code once it is deployed and able to self-execute.[xi] Additional factors should be considered when applying this standard of analysis to ensure only programmers who have engaged in wrongdoing are held liable. These factors include whether the programmer intentionally wrote code to facilitate illicit conduct, the degree to which a programmer retains control over key aspects of the smart contract and the blockchain platform generally, and the extent to which a programmer continues to actively participate in the service’s operations, which can be indicative of knowledge of or ability to prevent illicit transactions. These factors provide clear and necessary margins for regulations targeting this functional layer of code.
Imposing liability based on code’s functional element and using these considerations as guideposts respects international values of freedom of expression while clarifying the circumstances under which programmers can expect to be held accountable for misuse of their work product. Because code has both expressive and functional qualities and smart contract transactions can easily cross national borders, domestic laws regulating use of these contracts must operate in tandem. The framework discussed above is one way for various regimes to align their regulatory systems and would help to safeguard financial markets on a global scale and protect the legitimacy of smart contract-based systems. The adoption of such a framework by nations seeing significant traffic in blockchain transactions would create a uniform barrier to smart contract abuse and prevent criminals from exploiting international regulatory discrepancies to escape liability.
Charlotte Chandler is a staff member of Fordham International Law Journal Volume XLIX.
[i] See Stuart D. Levi & Alex B. Lipton, An Introduction to Smart Contracts and Their Potential and Inherent Limitations, Harv. L. Sch. F. on Corp. Governance (May 26, 2018), https://corpgov.law.harvard.edu/2018/05/26/an-introduction-to-smart-contracts-and-their-potential-and-inherent-limitations/; Ayesha Khanum & Jyotirmoy Banerjee, When Code Commits A Crime: Legal Challenges Of Criminal Activity Via Smart Contracts, 7 Indian J. L. & Legal Rsch. 2751, 2752 (2024), https://www.ijllr.com/post/when-code-commits-a-crime-legal-challenges-of-criminal-activity-via-smart-contracts.
[ii] See Sec. & Exch. Comm’n, Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO 9 (2017), https://www.sec.gov/files/litigation/investreport/34-81207.pdf; How Hackers Are Exploiting, Medium (Nov. 16, 2024), https://medium.com/@RocketMeUpCybersecurity/exploring-blockchain-attacks-in-web3-and-defi-how-hackers-are-exploiting-decentralized-finance-559159d58957.
[iii] See Khanum & Banerjee, supra note 1, at 2753.
[iv] See id.
[v] See id. at 2758 (noting that the United States lacks a unified federal legislation directing liability for exploitation, instead relying on case-by-case intervention).
[vi] See id. at 2753.
[vii] See Hamza Basyouni, Singapore Crypto Regulations: Complete Guide – 2026, signzy (Jan. 26, 2026), https://www.signzy.com/blogs/singapore-cryptocurrency-regulations; David Carlisle, Crypto regulatory affairs: UK adds stablecoin cohort to regulatory sandbox, elliptic (Dec. 9, 2025), https://www.elliptic.co/blog/crypto-regulatory-affairs-uk-adds-stablecoin-cohort-to-regulatory-sandbox.
[viii] See Kashish Mamnani, Jigeesha Vaishnav & Akshara Dubey, Bridging Code And Law: The Legal Landscape Of Smart Contracts, 7 Indian J. L. & Legal Rsch. 4262, 4266 (2025), https://www.ijllr.com/post/bridging-code-and-law-the-legal-landscape-of-smart-contracts; Khanum & Banerjee, supra note 1, at 2755.
[ix] See Matthew R. Galeotti, Acting Att’y Gen., Dept. of Just., Acting Assistant Attorney General Matthew R. Galeotti Delivers Remarks at the American Innovation Project Summit in Jackson, Wyoming (Aug. 21, 2025), https://www.justice.gov/opa/speech/acting-assitant-attorney-general-matthew-r-galeotti-delivers-remarks-american.
[x] This recognition of code as an expressive form warranting protection finds support in U.S. case law, see, e.g., Bernstein v. U.S. Dept. of Justice, 176 F.3d 1132 (9th Cir. 1999) (characterizing source code as expressive speech for First Amendment purposes and protecting it under the prior restraint doctrine) and Junger v. Daley, 209 F.3d 481 (6th Cir. 2000) (finding that computer code contains expressive elements because of how it communicates ideas).
[xi] See Galeotti, supra note 9.
This is a student blog post and in no way represents the views of the Fordham International Law Journal.