Sarcuni v. bZx DAO, 22-cv-00618 (S.D. Cal. 2022)

Summary

bZx DAO is the creator of the bZx decentralized finance (DeFi) protocol. In broad terms, the protocol is designed to enable developers to create various forms of DeFi tools, such as for margin trading or lending cryptocurrency. The DAO, like many others, functions through voting rights granted by the BZRX token. That token could be traded openly on cryptocurrency exchanges like Uniswap.

Unfortunately, the bZx protocol was subject to a significant security breach that resulted in some US$55 million in cryptocurrency funds being drained from the protocol. The funds consisted of the BZRX token itself, but also a number of other cryptocurrencies used through the protocol, such as ETH. Despite its massive impact, the hack (as alleged by the complaint) was quite mundane: a phishing email with an attached Word document containing a malicious macro. A bZx developer fell for the bait and opened the document, the macro ran, and as a result the seed phrase for the developer's wallet was compromised, permitting the bad actor to essentially take ownership of the wallet. Once the hacker had control of what turned out to be an absolutely critical wallet, the hacker was able to drain funds that the bZx protocol had access to on two different blockchains (Polygon and Binance), including the BZRX token and others used through the bZx protocol.

This failure of security, the complaint alleges, fell far short of the many security promises made on bZx's website, and the security procedures bZx had actually implemented for its protocol on the Ethereum blockchain.

The plaintiffs in the case all had tokens other than BZRX stolen. (They may have had BZRX stolen as well; it's not clear, and plaintiffs drop a footnote asserting they will "not reveal the precise loss amount, cryptocurrency token type, and wallet address for each individual plaintiff" to "prevent additional fraud.") This point is crucial to the complaint because of what bZx DAO did next: it voted on how to compensate the victims of the hack. For holders of the BZRX token, the bZx DAO proposed and passed direct compensation 1:1 for the lost BZRX tokens, since the DAO had a significant treasury of these tokens available. However, for those who lost other tokens such as ETH, the bZx DAO proposed and passed a debt payment plan that would "eventually" repay the holders of those tokens. The complaint alleges, however, that doing so under the terms of the repayment plan would take "thousands of years." (And remember, if you didn't hold the BZRX token, you couldn't vote on the proposals.)

The plaintiffs allege a single cause of action arising out of these facts: negligence. They propose a class composed of the thousands of individuals "who delivered cryptocurrency tokens to the bZx protocol and had any amount of funds stolen in the theft . . . except for people whose only cryptocurrency stolen was the BZRX token."

The case has drawn national attention at this early stage because it alleges that the DAO is functionally a general partnership, and that its general partners are liable jointly and severally for the actions — or, in this case, mostly the inactions — of the DAO. (Unlike LLCs, LLPs, or LPs, a "general partnership" provides no liability shield to partners/members, and general partners are therefore liable for the obligations of the partnership.)

But as commentators have pointed out, the complaint appears to have a fuzzy theory of who counts as general partner in a DAO. Attorneys at Latham & Watkins opine:

Treating all of the token-holders as general partners, however, would lead to a strange outcome in this instance. As the plaintiffs in the case were users of the bZx protocol, they were likely receiving BZRX tokens as liquidity providers and would themselves be members of the DAO; therefore, they would effectively be jointly and severally liable as general partners. In effect, they are suing themselves.

Stephen P. Wink et al., Decentralized Autonomous Organizations: Piercing the Digital Veil (2022.05.10). The complaint does suggest, though in unclear allegations, that some owners of the token (including, perhaps, the plaintiffs) may not qualify as general partners because they lacked a "meaningful stake" of BZRX tokens. But it fails to specify what a "meaningful stake" is, or how the court should draw that line in this case or any other.

Also at stake are significant jurisdictional issues for members of a DAO. The defendants in the case reside in California, Georgia, Wyoming, and Nevada, but as the team over at Skadden points out, "California generally does not recognize jurisdiction over all of the members of a general partnership merely because one member resides in the state." Stuart D. Levi & Anita Oh, Putative Class Action Lawsuit Alleges DAO Members Are Jointly and Severally Liable for a Cryptocurrency Hack (2022.05.24). Thus even if the plaintiffs may proceed against the California resident members of the bZx DAO and succeed, their ability to enforce any judgment may be slowed down significantly.

Conversely, the suit raises the prospect that members of a DAO could be subject to suit in any jurisdiction the DAO operates, or that the DAO itself could be subject to suit anywhere it has members. The resolution of these jurisdictional issues may have significant impact on how DAOs are formed and what legal wrappers may be applied to them to prevent unwanted results.

Finally, there are a number of class issues that will need to be resolved. The proposed class is one that excludes individuals who held exclusively the BZRX token. But that is probably quite a small group because the purpose of the protocol was not to just use the BZRX token, but to use it to margin trade or lend other cryptocurrencies, with the BZRX token getting distributed as part of the process. That raises an issue similar to determining who is a member of a DAO — who is a proper class member, and how do you determine if there is sufficient commonality among those class members?

For example, many of the proposed class members may have actually voted for the proposals that bZx implemented to compensate victims of the theft. Are their interests aligned with the other members of the class? Do you have to ask each class member personally? And what about the defendants who are probably also members of the proposed class? Is there a tipping point where a class member holds a sufficient number of BZRX tokens that their harm is fundamentally different than others? What is that point and how do you determine it? And if many of the proposed class members are also members of the bZx DAO, is negligence a valid legal claim against your fellow general partner on these facts?

All of these questions (and many more) are likely to come up in the many pages of briefing to follow. How the court resolves them may have significant impacts on DeFi and DAOs.

Posture

On March 27, 2023, the District Court largely denied the motion to dismiss of members of the DAO who held governance tokens (BZRX), finding the DAO is plausibly alleged to be a general partnership.

The court placed particular emphasis on the apparent attempt by the founders to evade the application of US law by transitioning ownership from LLCs to a DAO, quoting the founders themselves on this point multiple times.

Further, the court reasoned such members are plausibly alleged to have owed a duty of care to the plaintiffs based on representations made about the security of the protocol and how it functioned. The court also found that the token-holding defendants are plausibly alleged to have breached that duty by having inadequate security—specifically that a single phishing email to a single developer permitted hackers access to the entire amount of bZx protocol deposits on the Polygon and Binance blockchains.

Although much remains to occur in discovery, the case will proceed personally against bZx founder Kyle Kistner as a DAO token holder, as well as other similarly situated defendants. The court dismissed claims against entities that did not hold DAO tokens.

Docket

The full court docket is available through PACER, which is most easily accessed through Court Listener.

Authors

This article was drafted by @Lawtoshi.
