Hack Suit Progress Seen Spurring Crypto Platforms to Become LLCs

A court ruling that puts potentially thousands of members of the bZx DAO crypto group at risk of being personally responsible for a $55 million hack is likely to prod other platforms to weigh registering with states to protect members from such legal exposure, attorneys say.

Crypto users who lost money in the hack of bZx’s lending platform have been allowed to proceed with a California federal court lawsuit alleging the decentralized autonomous organization failed to take adequate safety measures. The users argue the DAO is a general partnership, and people who held a token used to make decisions for it can be personally liable for its debts.

The case is the first of its kind, legal observers said. While various states allow DAOs to register as a legal entity with limited liability, some projects have been reluctant to take that step. The decision is an ominous sign for members of those DAOs, the observers said, and a warning that they may be on the hook for the organization’s debts if platforms aren’t registered as limited liability companies.

“I think what you’re going to see now is more DAOs trying to register, whether in one of the states that allow it or offshore,” Eversheds Sutherland US LLP attorney Sarah Paul said.

Jason Gottlieb of Morrison Cohen LLP, an attorney for the bZx defendants, in a statement noted three defendants have been dismissed from the lawsuit, including two entities that the judge said didn’t appear to hold bZx governance tokens. Gottlieb said they “look forward to addressing the merits of plaintiff’s allegations in due course, after which we’re confident that all of the remaining defendants will be dismissed as well.”

The bZx DAO’s successor, the Ooki DAO, has also been sued by the Commodity Future Trading Commission. The CFTC is pursuing a legal theory of its own that could hold each DAO member who voted on a governance proposal liable for federal regulatory violations.

Partners Responsibility

DAOs are community-run crypto projects governed by people that hold special tokens, called governance tokens. There are over 12,000 DAOs, with total assets over $24 billion, according to analytics site DeepDAO.

The bZx DAO operated a blockchain-based software offering crypto margin trading and lending products.

Using a phishing attack, a hacker was able to drain $55 million worth of crypto tokens from the platform in November 2021, according to court documents. Several individuals who lost crypto sued, alleging bZx was negligent because it didn’t have better security systems.

“The question is, who’s responsible for that?” Baker Botts LLP attorney Samuel Dibble said. “This partnership approach answers the question. It probably answers it in the worst possible way for the general user base.”

A general partnership can exist when two or more people carry on as co-owners of a business for profit. Each partner’s personal assets can be at risk in a general partnership, and each is responsible for the actions of other partners.

The partners in the bZx DAO can be people who held the DAO’s BZRX governance tokens, the court said.

The defendants argue that to find them to be partners with thousands of people from around the world is “far-fetched.” That legal theory, they said, was a “pet project of a plaintiffs’ law firm looking to manufacture cases” and, if accepted, would be a radical expansion of partnership law.

“I doubt anybody who joined this DAO just as a member thought that they could be liable for a hack of this nature,” Paul said.

There are other crypto suits based on a similar legal theory, including one involving PoolTogether, which is accused of running an illegal lottery. The plaintiff in that case, which is in New York federal court, is represented by Gerstein Harrow LLP, the same firm as the bZx plaintiffs.

‘Legal Wrappers’

Wyoming in 2021 became the first state to pass a law that allows DAOs to register as a kind of limited liability company. A handful of other states, including Tennessee and Vermont, have passed similar laws. Others, including New Hampshire, are also considering DAO-specific legislation.

Registration can shield the DAO’s members from being personally liable for the organization’s debts. Some DAOs have taken advantage of the new state laws, attorneys said. In Wyoming, there are dozens of businesses registered with the state that have “DAO LLC” in the name.

But many groups remain wary, reluctant to accept the rules that come with registration. A DAO registered in Wyoming, for example, can’t be managed entirely by a smart contract. There can also be reporting requirements and rules that a registered agent be in the state where the DAO is registered.

“Often the objection that we hear is philosophically they are concerned about the lack of anonymity that may come with a legal wrapper, and concerned about now being boxed into a legal rubric and centralized structure where the whole point of a DAO is to be decentralized and more informal,” said Stuart Levi of Skadden Arps Slate Meagher & Flom LLP.

Treating unregistered DAOs as general partnerships could change the calculus.

“It will require DAOs to at least take a closer look at those ‘wrappers’ and see whether the protection provided by those legal structures outweighs the pure decentralized aspect of having a DAO,” Levi said.

Commodities Case

The CFTC sued the Ooki DAO in September 2022 for alleged violations of federal regulations around commodities trading.

In court filings, the agency said that bZx’s co-founders thought that creating a DAO would “insulate the bZx Protocol from regulatory oversight and accountability for compliance with US law.” The judge overseeing the proposed class action against bZx in the US District Court for the Southern District of California noted that comment in refusing to dismiss the suit.

The judge cited a decades-old California court ruling which warned that “courts do not countenance partnerships which attempt to afford all the advantages of commercial intercourse without corresponding liabilities, and an agreement which contemplates such evasion will be construed and enforced as a general partnership.”

The CFTC’s suit is ongoing in the US District Court for the Northern District of California, despite crypto groups’ argument that a DAO is a technology, not an entity that can be a defendant in a suit. The CFTC’s action, combined with the bZx ruling, underscores that DAOs may not be insulated from regulator’s oversight or private lawsuits.

“Perhaps this is the judicial system’s way of trying to find some accountability,” Ingram Yuzek Gainen Carroll & Bertolotti LLP attorney Mioko Tajika said. “You can’t try to eliminate legal liability by calling yourself a DAO. The law is going to try to find a framework to hold you accountable if there is a cause of action.”

The need for accountability extends beyond large-scale events, like a hack, to more routine matters, like signing a contract, Jason Harrow of Gerstein Harrow said.

“What is remarkable about the filings in this case and the other cases is there seems to be no affirmative account of how responsibility works in the DAO world,” Harrow said. “That’s a colossal mistake because federal courts will not allow that.”

The case is Sarcuni v. bZx DAO, S.D. Cal., No. 22-cv-618.