In what appears to be an issue of first impression, a California district court ruled that various defendants allegedly holding governance tokens to the bZx DAO (or “Decentralized Autonomous Organization”), a protocol for tokenized margin trading and lending, could be deemed to be members of a “general partnership” under California law under the facts outlined in Plaintiffs’ complaint, and thus potentially joint and severally liable for negligence related to a phishing attack that resulted in the loss of users’ cryptocurrency. (Sarcuni v. bZx DAO, No. 22-618 (S.D. Cal. Mar. 27, 2023)). The ruling is significant given that this is purportedly the first court to substantively consider the legal status of a DAO under state law (albeit in a ruling on a motion to dismiss); interestingly, in a prior settlement the defendant bZeroX, LLC and its founders reached with the Commodity Futures Trading Commission (CFTC) in 2022 over claims that bZeroX and its founders unlawfully offered leveraged and margined retail commodity transactions in digital assets, the order expressly considered the bZx DAO (and its successor Ooki DAO, which is co-defendant in the instant action) as an “unincorporated association” under federal law. (In re bZeroX, LLC, CFTC No. 22-31 (Sept. 22, 2022)).

A DAO is a decentralized autonomous organization where token holders can vote on governance decisions of the DAO. DAOs don’t typically operate within a formal corporate structure, opting instead to distribute governance rights among persons who hold a specific governance token. The entire raison d’être of a DAO is to take advantage of web3 technologies and operate without a traditional corporate formation to make decisions without a central authority or usual top-down management structure. While DAOs are emerging as a viable structure in DeFi space, this ruling shows that their non-traditional makeup may not necessarily be a shield from real world liability.  Plaintiffs’ theory that the DAO members are part of a general partnership means that anyone holding governance tokens at the relevant time would be jointly and severally liable for the torts of the DAO.  To be sure, even though existing structures do not fit the novel web3 organizational primitive that is a DAO, nothing prevented the bZx DAO (or its successor Ooki DAO), from creating a so-called “legal wrapper” or real-world corporate entity to shield individual members from liability and limit potential creditors to monetary recovery from the DAO’s treasury only.

Case Background

This case involves a DeFi application called the bZx Protocol, which was used for “tokenized margin trading and lending” in various cryptocurrencies instead of with traditional fiat currency and securities. To use the bZx protocol, users selected an available blockchain network to use and connected a wallet to deposit crypto. As the court noted, the bZx Protocol claimed to be “non-custodial” because users maintained control over their own passwords and digital assets. The bZx Protocol’s website also purportedly contained numerous statements about the protocol’s security.

When the bZx Protocol was first created, it was controlled by bZeroX LLC, an entity co-founded by Defendants Tom Bean (“Bean”) and Kyle Kistner (“Kistner”) (collectively, the “Co-Founders”). Certain lending and trading products, Torque and Fulcrum, were DeFi platforms built atop bZx and were operated by Leveragebox LLC, which was also co-founded and controlled by Bean and Kistner. In August 2021, the bZx Protocol announced plans to transition control of the protocol from bZeroX LLC to the bZx DAO, a DAO controlled by persons holding BZRX governance tokens issued by the DAO. When the transfer of control was completed in August 2021, bZeroX LLC transferred its assets to the bZx DAO and the LLC dissolved. At that time, the bZx Protocol held $80 million in assets and the bZx DAO became “the main drivers of governance and decision making of the bZx platform.”

In November 2021, an unknown hacker sent a phishing email to a bZx Protocol developer and was then able to transfer all cryptocurrencies held on two specific blockchains out of the bZx Protocol. As a result of the hack, users, including Plaintiffs, identified as bZx Protocol users,^[1] asserted that they collectively lost approximately $55 million worth of cryptocurrency tokens. Subsequently, the bZx DAO approved a compensation plan for affected users which included, in part, “debt tokens,” which the Plaintiffs deemed unsatisfactory. In December 2021, the bZx Protocol encouraged users to transfer to a successor platform called the Ooki Protocol, controlled by the Ooki DAO and holders of governance tokens are called OOKI tokens. Many BZRX tokenholders transferred their tokens for OOKI tokens. Plaintiffs brought this putative class action in May 2022.

Plaintiffs’ complaint advanced a negligence claim against a host of parties, including bZx Protocol co-founders Kistner and Bean, and operators bZeroX LLC and Leveragebox LLC (the “Leveragebox Defendants”), as well as certain investors in the bZx protocol and members of the bZx DAO, Hashed International LLC, and AGE Crypto GP, LLC (the “Hashed Defendants”) (collectively, the “Defendants”). The complaint generally alleges that the bZx protocol and its partners owed Plaintiffs a duty to maintain the security of the funds deposited using the bZx protocol and had a duty to supervise developers working on the protocol related to cybersecurity, and that the developer targeted by the phishing attack owed Plaintiffs a duty to secure passwords against malicious attacks. Notably, Plaintiffs alleged that each defendant is a general partner of the bZx DAO and therefore jointly and severally liable for Plaintiff’s losses. In response, Defendants moved to dismiss, which the court granted in part and denied in part.

General Partnership Issue

The crux of the court’s opinion looked at the Plaintiffs’ theory of partnership liability for the members of the DAO holding BZRZ governance tokens.  California law provides that the “association of two or more persons to carry on as coowners a business for profit forms a partnership, whether or not the persons intend to form a partnership.” Cal. Corp. Code § 16202(a).  The court stated that a plaintiff can plead the existence of a partnership by making specific factual allegations demonstrating: (1) the right of the purported partners to participate in the management of the business; (2) the sharing of profits and losses among the purported partners; and (3) contributions of money, property, or services by the purported partners to the partnership. Applying the language of the statute, the court found that the complaint sufficiently alleged that the DAO is an association of two or more persons that operates as a business for profit through its margin trading and lending products.  As to whether DAO tokenholders are “carrying on as co-owners” and have sufficient governance rights, the court found the complaint plausibly alleged that the BZRX tokenholders possessed governance rights over the DAO since tokenholders can both suggest and vote on governance proposals and spend treasury funds on proposals that garner enough votes.  Moreover, the court noted that the complaint alleged that tokenholders can share in the DAO’s profits either by voting to distribute treasury assets among themselves or via an interest-generating token, thus reinforcing the argument that the DAO should be treated as a general partnership.

As an equitable matter, the Leveragebox Defendants countered that labeling the DAO a general partnership and subjecting BZRX tokenholders to joint and several liability for torts of the DAO would be a “radical expansion” of state corporation laws. The court disagreed.  Interestingly, the court noted that when transitioning control of the bZx Protocol from bZeroX LLC to the bZx DAO, the Co-Founders elected to forgo registering the DAO as an LLC or other legal entity with limited liability.  Taking judicial notice of the order in the CFTC bZeroX enforcement matter, the court stated that it appeared that at the timing of the bZx DAO’s formation, the Co-Founders had professed that the DAO would “insulate” the bZx Protocol from regulatory oversight.  With this backdrop, and implicitly noting that the Defendants must now face the consequences of these past decisions, the court found that Plaintiffs “have stated facts sufficient to allege that a general partnership existed among the BZRX tokenholders.”

Ancillary Issues

The remainder of the opinion applied the general partnership holding and examined whether each defendant was a BZRX tokenholder, a requirement for being a member of the general partnership.  In short, the court found the complaint plausibly alleged the Co-Founders and Hashed Defendants were tokenholders, but that Leveragebox LLC (which operated one of the trading platforms at the time of the hack) and the now-dissolved bZeroX LLC held no tokens. The court also dismissed claims against one of the Co-Founders, Bean, for lack of personal jurisdiction (stating that “[potential] liability and jurisdiction are independent”). One curious part of the opinion concerned the Leveragebox Defendants’ argument that Plaintiffs’ negligence claim was barred by the Terms of Use that users allegedly agreed to when they accessed the Protocol via the web. The court found that the terms were presented as a browsewrap agreement, where a website’s terms are generally posted via a hyperlink at the bottom of the screen, but unlike a clickwrap or other presentation that requires the user to expressly manifest assent to the terms, a user is instead presumed to gives her assent simply by using the website. Here, the court stated that the hyperlink to the appropriate terms appeared at the bottom of the home page, in small font amongst other links and was only visible if a user scrolled through other material. The court refused to dismiss the claims at this juncture, finding that the complaint does not make any claims that Plaintiffs had actual or constructive notice of the terms.

Final Considerations

Ruling on an issue of first impression, the instant case offers the first court decision treating a DAO as a general partnership (absent any underlying “legal wrapper” or other corporate formations or agreements to the contrary) and ruling that anyone holding the appropriate DAO governance token at the relevant time could be jointly and severally liable for the torts of the DAO.  [Similar issues may possibly arise in an ongoing enforcement action brought by the CFTC against bZx DAO’s successor (Ooki DAO)]. To be sure, the California court’s ruling was the opinion of a single district court at the motion to dismiss stage and no definitive judgment on liability has yet issued in the case. Regardless, the ruling is not surprising: DAOs may be an emerging web3 formation that presents a decentralized alternate structure for business and investment, yet it often makes prudential sense for such an entity to create a separate legal entity or “wrapper” (whether under state DAO LLC laws, the Uniform Nonprofit Associations Act, relevant state cooperative laws, or other desired overseas or domestic corporate structures) to represent the DAO in off-chain activities and legal contracting, establish bank accounts, and manage the treasury, not to mention create a real-world legal structure that would generally insulate DAO members from personal liability for DAO affairs yet still allow tokenholders to engage in decentralized decision making on DAO matters. DAOs often eschew the formation of a legal entity because their unique attributes, such as their decentralized and pseudonymity-enabled structure, don’t quite fit the mold provided by existing legal structures’ corporate formalities. In fact, even some DAO LLC laws are noted to be more burdensome than other non-DAO LLC legal entities. While these concerns have been noted in the past, it is expected that this ruling (combined with the increase in both regulatory enforcement and civil litigation involving crypto entities) will spur DAOs to engage counsel to explore the possible legal structures to protect tokenholders from personal liability for DAO actions.

Jonathan Mollod also contributed to this article.

FOOTNOTES

^[1] The putative class includes “[a]ll people who delivered cryptocurrency tokens to the bZx protocol and had any amount of funds stolen in the theft reported on November 5, 2021, except for people whose only cryptocurrency stolen was the BZRX token.”  As the court noted, the amended complaint provides that “[n]one of the Plaintiffs or proposed class held meaningful stakes of BZRX token.” Interestingly, the Leveragebox defendants argued that the class representatives may have held some BZRX governance tokens and therefore would be considered part of the “general partnership” and equally liable under the Plaintiffs’ own theory of liability, thus making them ineligible to be class representatives.  At the motion to dismiss stage, the court put this issue aside for a later time, finding that it was not clear from the complaint whether the Plaintiffs were holders of BZRX tokens and thus at this time, the complaint did not present an “irreconcilable conflict of interest between the named Plaintiffs and the putative class.”  However, the court stated that if discovery reveals actual conflicts of interest between the named Plaintiffs and the putative class, Defendants could renew their motion to strike or Plaintiffs could amend the definition of the putative class.