The Liability of DAOs and Their Founders Has Been Put to the Test in Court

A U.S. Court in California has ruled in favor of plaintiffs who alleged that the bZx protocol, and governance token-holding members of its DAO, were negligent and liable for losses resulting from a hack that drained its treasury.

The putative class action against bZx, its founders, software developers Leveragebox LLC and Hashed Labs LLC was first initiated in July 2022.

While the court dismissed some of the claims, such as claims that founders Tom Bean and Kyle Kistner are personally liable for breaching fiduciary duty, the fact that it allowed the negligence claims to proceed has created a landmark ruling in the relatively murky topic of the liability of governance token holders in DAOs.

The decision implies that DAO members might be held liable for negligence, potentially undermining the already challenged decentralized nature of DAOs, while providing a defense for founders who have seen their creations accused of wrongdoing.

The case stems from the $55 million hack of DeFi lender bZx in 2021, which resulted because a developer downloaded an email attachment containing malware. Not only did the attacker drain the wallet of the BZRX token, but other digital assets like ether. This is on top of other hacks the protocol suffered in 2020, one of which was for $8 million, while two others that occurred were for $630,000 and $350,000.

As a response to the hack, the bZx DAO passed a governance motion to compensate token holders 1:1 for their lost BZRX tokens and a debt repayment plan which would repay holders for their other stolen crypto. The time horizon of this repayment plan was unacceptable for holders, hence the class action suit.

The bZx DAO later rebranded to Ooki DAO, which many – including courts – have called its successor. In late 2022, the DAO’s co-founders paid $250,000 to settle a case with the Commodity Futures Trading Commission (CFTC) regarding off-exchange tokenized margin trading and lending services.

What fiduciary duty and care does a DAO have?

Before the court was the question of whether all persons holding BZRX tokens are part of a general partnership.

At the core of the case are how the concepts of fiduciary duty (the obligation to act in the best interest), the duty of care (the obligation to act without negligence), as well as joint and several liability (a responsibility that is shared by multiple parties), apply to the concept of a DAO and governance token holders. While existing case law has created plenty of guidance on how these concepts apply to TradFi partnership structures like General and Limited Partnerships, DAOs are something of an undiscovered country given their unique structure.

The plaintiffs, citing California law, argued that General Partnerships exist when there is an “association of two or more persons to carry on as co-owners of a business for profit,” including the caveat that partnerships can be unintentional, which is held up by case law.

The court found that the bZx Protocol meets the definition of a General Partnership because of how the token holders can both suggest and vote on governance proposals, including hiring, and dispersing treasury assets to token holders in the same way that a corporation authorizes dividends.

The CFTC took a similar approach in its 2021 complaint against Ooki DAO. As of January, the CFTC is asking a judge for a default judgment in the Ooki DAO case as it hasn’t responded.

“Given this context, the Court disagrees that recognizing the bZx DAO as a general partnership would be a ‘radical expansion and alteration of long-standing principles of partnership law,’” the ruling reads.

And with this comes the liability that arises out of a General Partnership. The involvement that token holders have in the business via participation in governance protocols also means they have a duty of care, the court found, including that the protocol was properly maintained and had sufficient security measures.

Are DAO founders personally liable?

The next question before the courts was whether the founders themselves are liable for the DAO, and if they could be held responsible for their inaction and negligence.

This is where the concept of joint and several liability comes into play. Joint and several liability refers to the legal concept where multiple parties can be held responsible for the same negligent action, and each party can be held liable for the entire amount of damages, regardless of their individual contribution.

If this concept were to be applied to the DAO’s founders, that means each defendant, in theory, would have been held responsible for the damages suffered by the plaintiffs due to the $55 million hack.

But the court found that complaints against developers Leveragebox LLC and Hashed Labs LLC failed to provide the necessary elements to establish claims of negligence, breach of fiduciary duty, and joint and several liability.

“Because Plaintiffs have failed to allege that the Moving Defendants had actual authority to control the bZx DAO, the Court finds that Plaintiffs have failed to allege joint and several liability,” the docket reads.

Separately, a claim against founder Tom Bean was dismissed because the court found that the plaintiffs hadn’t brought sufficient evidence to show that a California court had jurisdiction over him.

However, the court said that it would be receptive to an amended pleading which presents a new argument about jurisdiction.

DISCLOSURE