(Daniel Crump/Bloomberg via Getty Images)

A Canadian teen math prodigy who allegedly swiped $16 million in an exploit of a decentralized finance (DeFi) protocol in October swore on Twitter to “fight to the death” in a legal “duel” over whether or not he should be permitted to keep the funds.

On Wednesday a warrant was issued for 19-year-old Andean “Andy” Medjedovic to appear before an Ontario court. The warrant comes following Medjedovic’s failure to appear at an in-person hearing on Tuesday, though people familiar with the matter say he appeared at a virtual hearing last Friday.

In October, Medjedovic allegedly used flash loans to drain funds from Indexed Finance, a decentralized finance (DeFi) protocol offering index fund-style structured products. Following an investigation from a “war room” of industry experts, the affected team managed to uncover his identity.

Unlike in other high-profile exploits where the attacker was “doxxed,” however, Medjedovic refused to return the funds and claimed on Twitter he was prepared to defend “code is law” – an unofficial DeFi ethos that holds that any activities technically permitted by smart contracts are not just immutable, but also legally and ethically permissible – in court.

In an interview with CoinDesk this week, Indexed core contributors Laurence Day and Dillon Kellar said the Tuesday hearing was in regards to a court-ordered freeze on the assets in question, also known as a Mareva injunction, and a receivership order, which would transfer the assets to a third-party custodian for the duration of legal proceedings.

According to Day, the Mareva injunction was filed to prevent Medjedovic from moving the pilfered crypto to Tornado Cash or a similar mixing service.

However, following his failure to appear, Medjedovic may now be making history as the first DeFi hacker to be actively pursued by law enforcement.

A number of lawyers who spoke to CoinDesk in October said that Medjedovic’s “code is law” argument was unlikely to hold up under legal scrutiny.

To date, law enforcement has rarely gotten involved in hacks and exploits, in part because identifying culprits is near-impossible when attackers use the right tools to cover their tracks.

The sector is often compared to a financial “Wild West” where, in the absence of legal authorities and enforceable laws, self-regulation and the goodwill of “white hat” hackers are all that can help prevent exploits.

This legal void has led to a prevalent mindset that DeFi is effectively outside the reach of the legal system, and the only rules of the road are those encoded on-chain – “code is law,” often derisively referred to as “codeslaw.”

what a boomer take :(code is law if the market is unregulatedwelcome to cryptono place for mistakesyou snooze you lose

October 21, 2021

Day, however, argues that the hack was simple fraud. According to filings posted by Day and prepared in collaboration with the Canadian law firm Stockwoods, in addition to the Mareva injunction, Indexed developers are filing a class action suit arguing that the exploit was “civil fraud” and are seeking “rescission for misrepresentation or mistake, and/or unjust enrichment.”

Far from being a quirk in the code, Day and Kellar argue, the exploit relied on malicious intent and custom-built contracts that manipulated Indexed’s internal markets, creating the conditions that Medjedovic could exploit.

“The attack was not some simple accounting error waiting to misprice tokens – it had to be deliberately manipulated through a complex series of actions in order to create the circumstances under which assets could be taken at a below-market price,” said Kellar.

A number of legal experts have expressed concern on social media that the looming case could inadvertently lead to an expansion of law enforcement powers, particularly in regards to fraud involving computers.