A complaint filed in federal court will test the boundaries of protection from liability for individuals behind decentralized autonomous organizations.
On May 2, 2022, a putative class action was filed in the US District Court for the Southern District of California against the bZx protocol decentralized autonomous organization (DAO), the DAO’s two individual co-founders, two limited liability corporations (LLCs) that invested in the DAO and participated in its governance, and several other associated entities. DAOs are (in theory) organizations without a centralized leadership structure like traditional corporations or other limited liability entities. Their governance is generally driven by the coded terms of smart contracts maintained on a blockchain ledger, rather than top-down by a management team. And rather than having a hierarchy of control, DAO stakeholders with tokenized voting rights are typically considered “equals” in which one token equals one vote.
In the case at issue, the plaintiffs make an unprecedented argument to hold the DAO’s co-founders and governance participants jointly and severally liable for damages for the actions of the DAO on the theory that the members of the DAO had formed a de facto general partnership and thus the token-holders are each general partners without any limitation of liability. This new development is notable for its potential wide-reaching implications for the DAO structure.
Sarcuni et al. v. bZx DAO et al.
According to the complaint (and allegedly drawn from the DAO’s own statements), one of the DAO’s developers fell for a phishing scam whereby a private key was divulged to an unauthorized third party. This private key still retained governance rights over the DAO’s DeFi margin lending and trading protocol for two out of the three blockchains on which the protocol operated. The hacker was then able to use the private key to update the protocols in such a way that approximately US$55 million was siphoned out of the protocol. The complaint alleges that the DAO had originally maintained that its platform was “non-custodial,” whereby users controlled their own keys and wallets. But with the loss of the private key, the hacker was able to access all funds on two of the three blockchains on which the platform operated because the private key retained governance authority. As alleged in the complaint, the DAO therefore functioned as custodian of the funds, and thus “had a legal duty as custodian to exercise reasonable care to protect the funds.” Notably, the founders had turned over governance rights to the protocol to token-holders on the third blockchain, Ethereum, and the hacker was therefore unable to use the private key to drain the funds from the Ethereum-based protocol.
The plaintiffs also claim that the DAO “acknowledge[d] its responsibility for the loss,” but has since only offered a “woefully inadequate” resolution plan.
Liability and Jurisdictional Implications for DAOs
DAOs as General Partnerships
Various legal structures in the United States (absent the ability to pierce the corporate veil) operate to protect equity holders from personal liability for the debts and actions of the corporation. These entities are creatures of state law and the most commonly used entity-types are corporations, LLCs, limited partnerships (LPs), and limited liability partnerships (LLPs), all of which generally provide limited liability to their shareholders, members, or partners. General partnerships, conversely, do not offer limited liability protection and therefore do not typically protect their owners from legal action and debts the partnership may face. Owners in a general partnership (i.e., general partners) are considered jointly and severally liable for the activities of the partnership.
A general partnership requires no registration and is de facto formed when “two or more persons engage in a business for the purpose of joint profit.” Sarcuni et al. v. bZx DAO et al. asserts that the members of the DAO satisfy this definition and therefore inadvertently formed a general partnership, so “each of the partners is jointly and severally liable to the plaintiffs and must make good on the full amount of its debts.” Commenters have expressed concern that some DAOs could be deemed general partnerships and thus governance token-holders could be deemed general partners, and attempts have been made to prevent such an application. But Sarcuni is the first case in the United States (and potentially the world) to assert such a claim.
More specifically, the complaint contends that because a DAO, standing alone, does not require state registration as any specific limited liability entity (like a corporation or an LLC), the determination of liability for a general partnership is appropriate under operative law because those that hold the DAO protocol’s governance tokens “have a potential claim on its profits, and they share responsibility for its liabilities,” the same way partners would in a general partnership.
Problems Arising from Ambiguity in the Definition of DAO
In addition to the assertion that a DAO should be treated as a general partnership and its members as general partners, Sarcuni contains two additional quirks that make it a particularly interesting test case.
First, the complaint itself is ambiguous as to whether it is asserting that all BZRX (the DAO’s native token) token-holders are general partners or only some are. It seems to imply that all token-holders are general partners. For instance, the complaint states, “given their structures and the way they operate, the bZx and Ooki DAOs are general partnerships among tokenholders.” Treating all of the token-holders as general partners, however, would lead to a strange outcome in this instance. As the plaintiffs in the case were users of the bZx protocol, they were likely receiving BZRX tokens as liquidity providers and would themselves be members of the DAO; therefore, they would effectively be jointly and severally liable as general partners. In effect, they are suing themselves. The complaint does note that “none of the Plaintiffs or proposed class held meaningful stakes of BZRX token” (emphasis added), suggesting that the plaintiffs may be trying to distinguish that some token-holders should not be considered general partners given their limited ownership or activity. Relatedly, it would be a slightly perverse outcome if in this instance, “meaningful” token-holders were not able to join the suit purely by virtue of being token-holders and thus become defendants in the same suit, particularly as those who had funds stolen from them in the hack were almost certainly token-holders.
Second, the complaint is asserting negligence on the part of the bZx DAO — which it appears to define as those who hold the BZRX token (surreptitiously, the complaint lacks an unambiguous definition of “bZx DAO”) — and the other defendants, for failing to adequately secure the funds. Yet, the hack occurred precisely because the governance keys were not handed to the token-holders but were retained by the founding team. Short of collectively insisting that governance control be passed to the DAO (the BZRX token-holders), it is unclear what the DAO members could have done to prevent the hack. This point is accentuated by the fact that the governance keys were handed over to the DAO on the protocol’s deployment on Ethereum, and the hacker was unable to steal the funds from that blockchain. This definitional ambiguity appears to make Sarcuni a particularly challenging test-case for asserting that the DAO and its members as general partners should be assigned some liability.
Jurisdictional Considerations for DAOs
Beyond liability issues, plaintiffs’ complaint raises significant jurisdictional implications. Notably, it asserts that the court “has specific personal jurisdiction over all Defendants because they purposefully entered into a general partnership controlled from California” (emphasis added). Plainly speaking, plaintiffs’ argument broadly implies that should DAO members be deemed general partners, merely joining a DAO could expose members to suit wherever the DAO operates. Conversely, if credited, the plaintiffs’ arguments would expose the DAO to suit in any jurisdiction where its members are domiciled because “unincorporated entities [like general partnerships] take on the citizenship of each of their members.”
The complaint demands a jury trial to decide “whether the Defendants were negligent, whether they formed a general partnership, and whether the general partnership is responsible as respondeat superior for the negligence of the developer whose pass-phrase was stolen in the hack.” This complaint poses a number of interesting and novel legal questions, and on its surface, it seems a particularly challenging test-case to successfully assert that DAO members have formed a general partnership.
Check back in for further updates as this case progresses.