A potentially significant decision was reached in the Sarcuni v bZx DAO class action earlier this week. The Court rejected a motion to dismiss brought by DAO members who held governance tokens (BZRX), on the basis that the DAO in question is possibly a general partnership at law, which means token holders could potentially be found to be liable personally for actions of the DAO.
In the ruling, the Judge paid special attention to the apparent attempts made by the founders of the DAO to avoid US laws by transferring ownership from the LLCs to a DAO, citing the founder's own words on this point multiple times throughout the ruling.
Additionally, the judge accepted that the tokenholding members may well have owed the plaintiffs a duty of care based on certain promises made about the security and operation of the bZx protocol. The tokenholding defendants are alleged to have breached their duty of care by failing to maintain adequate security, allowing hackers to access the entire treasury of bZx protocol deposits on the Polygon and Binance chains via a single phishing email to a developer.
The defendants say that transactions in the bZx protocol were non-custodial, as users maintained custody of their assets, which many assume would limit the liability of developers. However, the judgment said:
A successful phishing attack on a bZx developer allowed a hacker to gain access to all of the funds supposedly in [the] Plaintiffs' custody, rendering the distinction between custodial and non-custodial meaningless...
Additionally, the Judge suggested that the ability of the developers to upgrade the smart contract where the key to perform that upgrade is in the hands of a single developer renders the arrangement custodial in truth.
bZx was originally a DeFi margin trading protocol and was transitioned into a DAO controlled protocol in August 2021, before losing USD$55M in a security breach in November 2021. The plaintiffs claim they lost USD$1.7M in the attack, with losses ranging from $800 to $450,000 among 19 users, including lead complainant Mr Christian Sarcuni.
After the security breach, another community called Ooki DAO succeeded bZx DAO, taking ownership of the protocol. The Ooki DAO is currently the subject of an ongoing lawsuit by the CFTC.
DAOs offer many advantages. They can operate globally, but there remains uncertainty as to which laws and regulations of any particular country apply. This creates challenges in identifying where legal liability should fall. DAOs which are properly decentralised typically have no clear legal entity or ownership structure. This can make it difficult to hold anyone accountable for the actions of the DAO, particularly if those actions are illegal/negligent and result in harm to others.
While the decision is on an interlocutor point, and a final hearing is some time away, the case will proceed personally against bZx founder Kyle Kistner, as well as other DAO tokenholders (with the court dismissing claims against those that did not possess DAO tokens). The significant of this case should not be overstated, but it may serve as a precedent for further examination of legal liability within DAO structures.