Are decentralized autonomous organizations (DAOs) de facto general partnerships such that their “members” are subject to personal liability? Sarcuni, et al., v. bZx DAO et al., a negligence class action complaint out of the U.S. Southern District of California that was filed May 2, 2022, attempts to test this novel governance issue surrounding cryptocurrencies.[1]
What are DAOs?
DAOs have been popularized with the emergence of decentralized finance (DeFi) protocols, which focus on the use of smart contracts and blockchain technology as opposed to centralized intermediaries, like traditional banking institutions, to perform various financial transactions. DeFi protocols are often governed as DAOs, which operate distinctly from traditional business entities by granting governance rights to holders of crypto tokens[2] to suggest, vote on, and approve actions for a DAO to take.
According to the complaint, “bZx is a DeFi platform describing itself as ‘a protocol for tokenized margin trading and lending’[that] repeatedly and prominently touts its security features,” even going as far as to state that its users should “never worry about opaque centralized exchanges getting hacked or stealing your funds.”[3]
Phishing attack leads to $55 million theft
On November 5, 2021, a bZx DAO developer was sent a phishing email[4] to his personal computer, which granted the hacker access to the content of the bZx DAO developer’s crypto wallet. In the wallet, the hacker procured the private keys (or passcodes/passphrases) to two prominent third-party protocols linked to the bZx platform.[5] After gaining access to these private keys, the hacker was able to access and drain every digital wallet that contained cryptocurrency within certain smart contract protocols, totaling $55 million in U.S. dollar value. According to the complaint, the bZx DAO developer’s possession of the private keys was within the developer’s scope of employment since the private keys were the only means to access and make changes to the protocols.[6] The complaint names 14 plaintiffs who allege the loss of funds ranging from $800 to $450,000, with a total of $1.6 million of the $55 million stolen in the theft.[7]
In late November, the bZx DAO[8] voted on and approved a compensation plan for those affected by the theft, which included a grant of unassigned digital currency, BZRX, from the bZx DAO treasury that would vest over time. The compensation plan also included an issuance of debt tokens that would be bought back using 30% of the revenue generated through certain transaction fees that the protocol charges users. As alleged in the complaint, at the current buyback rate, full repayment of the $55 million would take thousands of years.[9] In December of 2021, users of the bZx platform were encouraged to transfer to a new platform, Ooki DAO, which the class action alleges is a successor to bZx DAO, as “[m]any of the BZRX tokens were transformed into Ooki tokens.”[10]
Who is liable?
The class action complaint asserts that its defendants are jointly and severally liable due to negligence based on a theory of respondeat superior since they failed to take reasonable steps to secure the platform by supervising the bZx DAO developer and ultimately prevent the theft that actually occurred.[11] Unlike traditional corporations or limited liability companies (LLCs) that require legal formalities and protect their owners, members, or shareholders from personal liability, the complaint asserts that DAOs are most analogous to “another phrase in American law . . . [the] general partnership,” where two or more individuals carry on as co-owners of a business and agree to share profits or losses.[12] Counsel for the plaintiffs has stated that “those who form DAOs apparently believe that they can use the word ‘decentralized’ to evade corporate and individual responsibility [whereas] [t]he opposite is true: [w]ithout the protection of a corporation or limited liability company, everyone involved in a DAO’s governance is liable for the protocol’s negligence and illegality.”[13]
DAOs as LLCs
Although California does not have a legal framework recognizing the corporate structure of a DAO, Wyoming and Tennessee are two states that have adopted legislation recognizing DAO LLCs. In July 2021, Wyoming became the first state in the country to explicitly codify rules surrounding the classification of DAO LLCs, which confers a wide range of rights, such as limited liability for members.[14] Wyoming permits two types of DAOs: member-managed and algorithmically managed. A member-managed DAO is similar to a member-managed LLC where enumerated persons or entities are responsible for the upkeep and management of the organization. An algorithmically managed DAO, on the other hand, contemplates an algorithmic decision-making protocol that resides on a blockchain that manages such a DAO.[15] Without such protections, a DAO could be considered a general partnership, exposing its members to personal liability for any of the DAO’s actions and obligations.[16], Following Wyoming’s lead, in April of 2022, Tennessee became the second state to pass legislation to recognize and allow LLC registration of DAOs.[17] Other states have also implemented blockchain-related LLCs.[18]
Implications
Due to the variety of repercussions that this punitive class complaint raises, it is vital for those looking to operate as a DAO to carefully consider what type of legal structure (if any) is most appropriate for the organization. If a legal structure is selected, maintaining proper corporate documents and implementing operating agreements are key. Regardless of whether an entity is selected, structuring governance of the DAO (and liabilities associated with the DAO) is critical.
It is also important to monitor legislation concerning the legal status of DAOs as these entity structures are gaining popularity. Like Wyoming and Tennessee, other jurisdictions may also follow suit in establishing legislation that addresses the legal standing of DAOs and stakeholder liability concerns before courts need to decisively weigh in.
This case will help elucidate what liabilities are ascribed to the developer(s), the DAO as an organization, and individual participants in the DAO (often the same group as the tokenholders). It will also be interesting to see how the court enforces everything from civil procedure rules about personal jurisdiction to the final legal determinations of liability.
If you have any questions about how to structure a DAO or how to address legal liabilities, please reach out to Courtney Rogers Perrin, Raghav Agnihotri, or any member of Frost Brown Todd’s Blockchain Team.
[1] Sarcuni, et al., v. bZx DAO et al., No. 22-cv-618, Complaint (S.D. Cal. May 2, 2022) (“Complaint”)
[2] A crypto token is a type of cryptocurrency that represents an asset or specific use, resides on its own blockchain, and can be used for investment purposes, value storage, or transactions.
[3] Complaint at 9, 10.
[4] A phishing email is a form of a social engineering where a hacker sends a fraudulent email in order to deceive the recipient into installing a virus or revealing sensitive information.
[5] According to the complaint, bZx products work on three blockchains. At the time of the hack, only bZx products on one blockchain were fully decentralized and did not require any fiduciary with password access that handles operations on behalf of the DAO.
[6] Complaint at 11.
[7] Id. at 3, 4.
[8] In many cases—and in the case of bZx—the DAO is comprised of tokenholders who are then tasked with managing the community. See https://bzx.network/blog/bzx-dao (last accessed May 18, 2022).
[9] Complaint at 14.
[10] Id. at 16.
[11] Defendants include the bZx and Ooki DAOs, bZx co-founders Kyle Kistner and Tom Bean, as well as bZx investor’s Hashed International LLC and AGE Crypto GP LLC.
[12] Complaint at 3.
[13] Crypto investors sue over $55m theft in phishing scam, Law360, https://www.law360.com/articles/1489573/crypto-investors-sue-over-55m-theft-in-phishing-scam (last visited May 17, 2022).
[14] Wyoming Decentralized Autonomous Organization Supplement, codified at W.S. 17-31-101 through 17-31-115. See also Wyoming Paves Way for DAO Legal Company Status, Law360, https://frostbrowntodd.com/wyoming-paves-way-for-dao-legal-company-status/.
[15] Id.
[16] Id. Per the Wyoming statute “[t]he rights of members in a decentralized autonomous organization may differ materially from the rights of members in other limited liability companies. The Wyoming Decentralized Autonomous Organization Supplement, underlying smart contracts, articles of organization and, operating agreement, if applicable, of a decentralized autonomous organization may define, reduce or eliminate fiduciary duties and may restrict transfer of ownership interests, withdrawal or resignation from the decentralized autonomous organization, return of capital contributions and dissolution of the decentralized autonomous organization.” In February 2022, Wyoming amended its DAO Supplement law to require a DAO to outline, in its articles of organization, how its members will manage the DAO.
[17] Tenn. Senate Bill No. 2854; Tenn. House Bill No. 2645 (effective date Apr. 20, 2022).
[18] See e.g. 11 V.S.A. § 4173.