CLS Blue Sky Blog

We Need to Stop Confusing Code for Law

A fundamental misconception pervades American law’s engagement with blockchain technology. State legislatures, federal regulators, courts, and private market participants routinely treat the technical capabilities of blockchain systems as sources of legal rights and obligations, collapsing the distinction between what code can do and what law commands. This is not a merely theoretical problem. It produces flawed statutes, distorted regulatory guidance, contradictory judicial opinions, and private arrangements built on illusory foundations. The stakes are practical and immediate: When technical capabilities are mistaken for legal entitlements, the resulting structures fail, exposing developers, investors, and market participants to liabilities they believed they had avoided.

This conflation of what code enables with what law commands has a traceable intellectual genealogy. When Lawrence Lessig proclaimed “code is law,” his insight was descriptive. Code, he argued, is one of four constraints on behavior in cyberspace, alongside positive law, markets, and social norms. Code defines the boundaries of possible action: It is a potent form of “soft law,” but not a source of enforceable rights.

Blockchain technology collapsed this distinction. Cypherpunk ideology, which envisioned cryptography as a bulwark against state overreach, converged with blockchain technology to produce a bolder claim: that code is actual law, generating enforceable rights and obligations through execution alone. Scholars theorized lex cryptographia, a regime of self-executing smart contracts independent of any legal system. Others contended that blockchain operates “alegally,” beyond existing legal frameworks altogether. In commercial practice, a prominent NFT issuer declared that ownership of these tokens is “mediated entirely by the Smart Contract and the Ethereum Network,” as though property rights were a function of code rather than law. The fallacy has now traveled so far that litigants invoke “code is law” as a defense, arguing that conduct a protocol permits is, by definition, lawful.

To diagnose this conflation, we draw on H.L.A. Hart’s legal positivism. Hart theorized law as a union of primary rules (imposing duties and conferring rights) and secondary rules (specifying how primary rules are identified, changed, and adjudicated). Applied to the “code is law” thesis, this framework exposes a foundational error: Proponents treat code’s operational effectiveness as a sufficient basis for legal validity, but binding legal rules must trace their authority to recognized sources of law. Code bears no such pedigree; it simply defines the range of possible conduct and records factual states through deterministic execution. This is the ontological gap: Code defines what is technically possible but makes no claim about what ought to occur. In practical terms: Code controls the actions of users and produces verifiable records of those technical events; only law can convert those events into rights, duties, and remedies enforceable against others.

The consequences of this conflation are neither hypothetical nor confined to a single domain. Our article documents how these errors produce legal pathologies across legislation, regulation, adjudication, and private ordering.

State legislatures have been particularly susceptible. Wyoming enacted a statute permitting decentralized autonomous organizations (DAOs) to be “algorithmically managed,” vesting formal management powers in a smart contract. Yet smart contracts are fundamentally reactive software: They execute predetermined operations upon receiving specified data inputs. They do not exercise the discretion and fiduciary judgment that “management” of a limited liability company demands under organizational law. The statute confuses using code to execute decisions taken by people with the activity of management itself.

Federal regulators have committed a parallel error. For nearly a decade, the SEC treated the technical characteristics of digital assets as proxies for securities status, directing enforcement attention toward token design features rather than toward the contractual arrangements that the Howey test actually examines. In SEC v. Ripple Labs, a court held that the same token could carry different legal significance depending entirely on the surrounding arrangements. The SEC ultimately conceded in September 2024 that “crypto asset securities” had been merely “shorthand,” expressing “regret” for any confusion. That a sophisticated federal regulator, applying a test established nearly 80 years ago, could sustain this error for the better part of a decade illustrates how effectively code’s architectural power can masquerade as normative authority.

Courts, too, have struggled. In Van Loon v. Department of the Treasury, the U.S. district court accurately described the Tornado Cash smart contracts as software, then contradicted its own characterization by relying on precedent treating smart contracts as “a code-enabled species of unilateral contracts.” Similarly, in the criminal prosecution of the Peraire-Bueno brothers, the defendants argued that conduct permitted by the Ethereum protocol was lawful by definition, producing a jury so confounded by the clash between technical permissibility and legal obligation that the case ended in a mistrial.

Private actors fare no better. Participants in venture DAOs routinely assume that code-based control over digital assets replicates the limited liability that entity formation statutes confer. In Sarcuni v. bZx DAO, the participants had structured their venture through smart contracts alone, believing the technology would shield them from personal liability. It did not. The court held that absent a formal legal entity, the participants had created a general partnership by default, exposing each to joint and several liability for a $55 million hack. Code controlled the assets; only law could have protected the people.

This gap can be bridged, but only from one direction. Code can acquire legal force, but only through deliberate acts of legal investiture. The pathways are narrow, and in every instance, authority flows from law to code, never the reverse. Our framework identifies two principal pathways: public empowerment through legislation, and private empowerment through contracts, trusts, and other recognized ordering instruments. Absent such investiture, code remains soft law.

The first pathway is public empowerment: Legislatures enact statutes that identify specific code-based states and attach legal consequences to them. The 2022 amendments to the Uniform Commercial Code exemplify this approach. The newly enacted Article 12 introduces the category of “controllable electronic record” and defines “control” as a verifiable technical state: the power to enjoy substantially all the benefit from the record, to exclude others, and to transfer those powers. The statute then invests that technical fact with profound legal significance, including a “take-free” rule that grants qualifying purchasers clean title. The code remains architectural; the statute is the exclusive source of legal rights and obligations.

The second pathway is private empowerment: Individuals incorporate code into contracts, trusts, and organizational governance instruments, exercising the “limited legislative power” that law delegates to private parties. Parties can agree that smart-contract execution constitutes proper performance of contractual obligations, or they can embed code-based voting and treasury management mechanisms within formally organized entities. In practice, blockchain-based ventures have already used instruments such as irrevocable trusts and limited liability companies to formalize their code-based governance arrangements. In each case, legal force derives from the recognized instrument, not from the code it employs. This delegation is bounded: Code cannot override mandatory rules, abdicate fiduciary duties, or supply the contextual judgment that legal standards like “good faith” demand. Nor can code-based systems create what we describe as “code deference,” the attempt to confine disputes to system-native resolution processes and insulate participants from external legal accountability. The legal system remains accessible to any party, and neither code nor contract can foreclose judicial remedies that may override outcomes reached through technical mechanisms. Private ordering through code is an evolution in how parties exercise their legal autonomy, not a revolution against law itself.

The tensions between technological constraint and legal authority that blockchain has brought into sharp focus will not end there. Each wave of innovation, from large language models to autonomous systems, will tempt lawmakers, courts, and market participants to repeat the same conflation. The framework developed in our article provides the analytical tools to resist that temptation. Code governs the possible; only law determines the permissible.

Carla L. Reyes is an associate professor at SMU Dedman School of Law, Andrea Tosato is a professor at SMU Dedman School of Law, and Andrew Hinkes is a partner at the law firm of Winston & Strawn and an adjunct professor at New York University School of Law. This post is based on their recent article, “Code is NOT Law,” available here.
