- A California district court ruled that a DAO may be a general partnership
- A DAO’s token holders may owe a duty of care to each other and, therefore, may be jointly and severally liable for claims of negligence against the DAO
- Venture capital funds investing in unincorporated DAOs may face increased exposure to litigation
- The decision is of limited precedential value because it was decided on a motion to dismiss
On March 27, 2023, the Court in Christian Sarcuni, et al. v. bZx DAO, et al., found that the plaintiffs plausibly alleged a claim of negligence against defendants bZx DAO,
The bZx DAO operated a blockchain-based software called the bZx Protocol, a protocol for tokenized margin trading and lending. It offered margin trading and lending products in various cryptocurrencies instead of in traditional fiat currency and traditional securities.
The bZx Protocol was billed as “non-custodial,” meaning users could maintain control over their own passwords and digital assets. Critically, a developer maintained a private key that provided access to all of the assets held in the bZx Protocol. The developer was subject to a phishing attack by a malicious actor who gained access to the private key and stole $55 million worth of crypto.
A group of 19 Plaintiffs alleged they were injured as a result of the negligence of the founders, two venture capital funds, and bZx DAO (and its successor Ooki DAO) following the successful phishing attack against a developer. Although the bZx DAO approved a compensation plan to reimburse the harmed token holders, the Plaintiffs alleged repayment would take thousands of years.
On a motion to dismiss, the Court must determine whether a plaintiff’s allegations contain sufficient factual matter that, if assumed to be true, provide a plausible claim for relief.
Generally, purely economic losses may not be recovered under a negligence theory. An exception exists if there is a special relationship between the plaintiff and the defendant. In California, courts employ the following six-factor test to determine whether a special relationship exists:
- the extent to which the transaction was intended to affect the plaintiff;
- the foreseeability of harm to the plaintiff;
- the degree of certainty that the plaintiff suffered injury;
- the closeness of the connection between the defendant’s conduct and the injury suffered;
- the moral blame attached to the defendant’s conduct; and
- the policy of preventing future harm.
The Court found that the six factors weighed in favor of finding that the Plaintiffs plausibly alleged the existence of a special relationship: (1) the Plaintiffs were the intended beneficiaries of the transactions on the bZx Protocol; (2) it was foreseeable that a lack of security would cause harm to the Plaintiffs; (3) the Plaintiffs alleged a loss of $1.7 million, showing an injury with a high degree of certainty; (4) the Plaintiffs alleged a close connection between the negligent conduct and the injury because the bZx DAO’s “operators” knew security measures were reasonably necessary to protect the Protocol; (5) the DAO’s conduct is morally reprehensible in light of their promises of safety; and (6) a finding that the DAO owed Plaintiffs a duty furthers the public policy of preventing future harm stemming from negligent oversight of security measures on DeFi protocols. As a result, the Court found the Defendants had a duty to exercise reasonable care with respect to their management of the bZx Protocol.
With respect to the second factor, the Court found Plaintiffs’ factual allegations particularly compelling.
Plaintiffs alleged the creators of the bZx Protocol told users they need not worry about being hacked and that funds were safe. But Plaintiffs alleged the bZx Protocol had been hacked on three prior occasions resulting in an approximate loss of $9 million.
As discovery progresses, the parties will learn more about the prior hacks, the remedial measures taken in response, the security measures implemented from time to time, and the continuity of participation by developers. These will be relevant to assessing the second, fourth, and fifth factors.
In assessing the sixth factor, the practical realities of decentralized technology must be considered. In theory, yes, public policy supports preventing future harm by negligent developers. But in reality, most, if not all, developers have a vested interest in maintaining the security of a protocol because they are also token holders. In such circumstances, the sixth factor should not weigh in favor of finding a special relationship exists between developers that hold tokens of a DeFi protocol and the users of the protocol.
A group of Defendants argued they did not owe a duty of care and that the facts are distinguishable from Fabian v. LeMahieu, No. 19-CV-54-YGR, 2019 WL 4918431 (N.D. Cal. Oct. 4, 2019), the case cited by the Court as support for finding a duty existed. In Fabian, the court found the defendants, the creators of a token and crypto exchange, owed the plaintiffs a duty of care. The exchange developed by the defendants lost $170 million worth of [coins] from its exchange due to “unauthorized transactions,” leading to the enterprise’s insolvency. Here, the Defendants argued the loss is distinguishable because transactions with the bZx Protocol were non-custodial. The Court found that since the private key phished from the developer granted access to all assets supposedly custodied by Plaintiffs, a truly non-custodial relationship did not exist.
The Defendants also argued even if they owed a duty of care, Plaintiffs failed to allege facts stating the Defendants breached said duty. In dismissing this argument, the Court cited Plaintiffs’ allegations that the same private keys had been used to successfully hack the protocol previously and that bZx Protocol made specific assurances about the security of its tech.
Analysis and Takeaways
First, this case is a reminder that participants of DAOs operating as unincorporated associations, at least under California law, bear major exposure to civil litigation. Several states have implemented DAO laws that provide for limited liability of DAO participants. Additionally, best practices have emerged for establishing legal wrappers using offshore entities. DeFi developers and founders should carefully consider these options to avoid unlimited liability for themselves and other participants. As participants become more aware of their potential exposure to liability that may result from simply holding tokens, a chilling effect on participation may result.
Second, this case highlights the importance of avoiding communication missteps. Federal securities concerns aside, DAOs must also be wary of the promises or representations they may inadvertently communicate. Here, the founders’ statements that the bZx protocol was secure and safe from hacking provided the Plaintiffs with a major assist in overcoming a motion to dismiss.
Third, DeFi developers must acknowledge and plan for the risk associated with holding private keys that provide access to the assets of a protocol. The Court eschewed the Defendants’ argument that the relationship with users of the bZx protocol was non-custodial since the developer maintained a private key that could access all of the assets. This finding may even be true where developers maintain multi-sig wallets.
Fourth, venture capital funds investing in DAOs organized as unincorporated associations now face significant exposure to claims of negligence for security flaws. This is an untenable position for principals of funds, who have a duty to protect the assets of the fund. It is unlikely that this case chills investment by the industry’s most active funds, but it will give pause to traditional investment companies considering investing in the space.
The precedential value of the Court’s decision is limited because the Court merely determined Plaintiffs alleged sufficient facts to overcome a motion to dismiss. Now, Plaintiffs must establish the veracity of those allegations to succeed on their claims. Despite the limited precedential value of the order, this case is an important reminder for DAO participants, founders, and venture capital firms investing in unincorporated DAOs to ensure they are implementing best practices for limiting their litigation exposure.