This week, a California district court ruling against members of the bZx DAO demonstrates why DAO operators should have the same accountability under the law as “real” corporations. The ruling is part of a wider class action by investor Christian Sarcuni and eighteen other plaintiffs against bZx DAO and a number of its managers, alleging negligence that led to a security lapse that saw hackers make off with US$55 million worth of plaintiffs’ deposited assets.
United States District Judge Larry A. Burns denied several defendants’ motions to strike/dismiss a class action suit against “purported Decentralized Autonomous Corporation” bZx DAO and a number of actual LLCs that effectively led the operation by holding governance tokens. In denying the motions to dismiss, Judge Burns said bZx DAO founders had formed the organization intending to circumvent U.S. company law and that the DAO was effectively the same as a general partnership.
This echoes statements by Bitcoin creator Dr. Craig Wright in a recent The Bitcoin Masterclasses series, where he noted that DAOs are indeed general partnerships under the law and that using new technologies to form those partnerships doesn’t exclude them from legal obligations.
bZx DAO manages the bZx Protocol, which is (surprise) a DeFi application for tokenized margin trading and lending via two products named Fulcrum and Torque. It supports trades on three separate blockchains: Ethereum, Polygon, and BSC (Binance Smart Chain). According to court documents, the project’s homepage touted its security by claiming only protocol developers had access to private wallet keys.
bZx Protocol was initially created by bZerox LLC, with Fulcrum and Torque operated by Leveragebox LLC. However, in August 2021, it announced control of the protocol itself would transfer to bZx DAO, managed by companies and individuals holding a governance token called BZRX. BZRX gave its holders governance and voting proposal rights.
Oops, looks like we got hacked…again
In November 2021, an unknown attacker sent a legitimate-looking phishing email to a single bZx Protocol developer with malicious code in a Word file attachment. When the document was opened, it gave the attacker access to the developer’s own wallet keys and, subsequently, access to all wallets. The hacker then drained all assets held on the Polygon and BSC blockchains (by chance, Ethereum deposits were untouched due to a delay in implementing separate security protocols).
bZx DAO responded to the theft in a very DeFi way—it replaced stolen BZRX tokens and created “debt tokens” to be repurchased gradually until victims had their funds back again. It also created a successor platform called Ooki DAO and protocol, and encouraged DAO members to swap their BZRX tokens for new OOKI governance tokens.
The plaintiffs say they lost US$1.7 million in assets between them and complained that it would take “thousands of years” to recoup their losses via the DAO’s restitution plan. They filed a class action suit in June 2022, claiming bZx DAO’s negligent security approach led to the hack.
bZx DAO had already lost around US$9 million in three previous hacks, at least one of which was a phishing attack similar to the one in November 2021.
Feels like we’ve been here before
Just as the emergence of blockchain digital assets allowed speculators to flourish under the fantasy of “finance, but without finance laws,” DAOs (decentralized autonomous organizations) have presented a similar illusion: you can have a company or partnership, but without corporate regulation. In 14 years of blockchain history, both examples have presented many cases that show why laws and legal obligations existed in the first place.
Last December, we predicted, “The law is coming for DAOs,” saying that merely applying new technology to a partnership and allowing decentralized governance doesn’t magically put it above the law. At the end of the day, it’s an organization governed by real-world human individuals who benefit from its actions, just like a legal company or partnership.
Blockchain law commentator Lawtoshi tweeted, “This case should be closely examined by anyone thinking about legal liability in the DAO space”:
Very significant ruling in the Sarcuni v. bZx DAO putative class action this evening. The court has denied the motion to dismiss of members of the DAO who held governance tokens (BZRX), finding the DAO is plausibly alleged to be a general partnership. https://t.co/XzOdRO8qck…
— Lawtoshi (@lawtoshi) March 28, 2023
What the technology does allow is for a company-like organization to form outside the legal registration process, and governance tokens to be held with the same kinds of identity shields as blockchain digital assets. Knowing this and looking at the history of digital assets, DAOs, scams and hacks, investors should join such organizations or commit large quantities of money to them only at their own risk. However, like digital assets, DAO governance tokens don’t shield their holders completely—there’s always every chance they’ll have their real-life identities exposed either through leaks or after more thorough investigations.
I tried to warn people.
The law has a default. It is worse than the option of registering to ensure you register. https://t.co/3dYdYoOCvA
— Dr Craig S Wright (@Dr_CSWright) March 28, 2023
Where DAO managers can be identified, company law can be applied just as it would to a legal LLC, partnership, or other corporate structure. Even if those managers prove challenging to identify or track down to a friendly jurisdiction, all it really does is increase the risk investors and other DAO members take when they jump in.