A California federal court recently held that all governance token holders were responsible for any losses suffered in a security incident. Specifically, the court, in denying a motion to dismiss, ruled in part in favor of a putative class of plaintiffs (Plaintiffs) in a lawsuit against the bZx decentralized autonomous organization (DAO) protocol (both its DAO and LLC), its founders, its successor entity Ooki Dao, and its software developers Leveragebox LLC and Hashed Labs LLC (collectively, Defendants). Plaintiffs alleged that the bZx DAO and the holders of its governance tokens were negligent and liable for losses stemming from a security hack that emptied the DAO’s treasury. Specifically, Plaintiffs alleged that they were injured by Defendants’ negligence after a developer working for the bZx DAO was successfully targeted by a phishing attack, leading to the theft of $55 million in cryptocurrency. The 19 named Plaintiffs collectively lost $1.7 million.
This overview focuses on the facts and holdings most relevant to DAOs, governance token holders, and investors in DAOs, and therefore does not include a discussion of all of the decision’s holdings. At the outset, it is important to note the posture of the court’s decision. When deciding on a motion to dismiss, a court makes rulings on whether a complaint contains allegations sufficient to state a plausible claim. A court is required to accept allegations as true at this stage. A claim’s plausibility depends on whether the factual allegations supporting that claim permit “the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Stated more plainly, this does not mean that the court is holding that a defendant is liable; rather, the court is simply holding that the complaint contains allegations that, if true, support the claim of liability. While this is an important decision — and one that could have widespread implications for DAO token holders and their liability for actions of the DAO — there has been no finding of liability.
High-Level Facts Relating to the Hack
The bZx protocol operates on a few blockchains, including Polygon, BSC, and Ethereum. On or about November 5, 2021, an unknown hacker sent a phishing email to a bZx protocol developer’s personal computer, which included a Word document containing hidden malicious software. Once the Word document was opened, the hacker was able to access the developer’s personal digital wallet, which in turn provided access to the developer’s private key. Upon obtaining the private key, the hacker was able to transfer all cryptocurrencies held on the Polygon and BSC blockchains out of the bZx protocol. (The Ethereum blockchain was not affected because the protocol had implemented certain security actions.) As a result of the hack, users lost approximately $55 million worth of cryptocurrencies.
The court noted that the bZx protocol had been hacked previously; in 2020, bZx was targeted by three hacks, with collective losses of approximately $9 million. At least one of the 2020 hacks also involved a phishing attack.
A couple of weeks after the November 2021 hack, the bZx DAO approved a compensation plan for victims of the hack, which, among other things, compensated anyone who lost the bZx DAO’s governance tokens with replacement tokens, tokens that would vest over time, or “debt” tokens (intended to be gradually repurchased by the protocol as another way to make victims whole). In December 2021, the bZx protocol encouraged users to transfer to its successor platform Ooki DAO (Ooki). (In late 2022, Ooki’s co-founders settled a case with the Commodities Futures Trading Commission [CFTC]. For additional discussion of the CFTC’s action — wherein the CFTC took a similar approach to that of the court in the bZx action — please see “CFTC Attempts to Extend Liability to DAO Participants.”)
Plaintiffs’ main theory is that the bZx DAO functioned as a general partnership and that each Defendant — including holders of the bZx DAO’s governance token — is a “partner” of the DAO, a designation that has obvious ownership and liability implications. Plaintiffs further allege that:
- the protocol and each of these so-called partners owed Plaintiffs a duty to “maintain the security of the funds deposited using the bZx protocol, including but not limited to putting in place procedures such that a phishing attack on a single developer would not result in a multimillion-dollar theft”;
- the creators of the bZx protocol “told users that they need not ‘ever worry about . . . getting hacked or [anyone] stealing [their] funds’”;
- the “bZx protocol and its partners also owed Plaintiffs a duty to supervise developers and those working on the protocol such that important passwords or security details could not be revealed through the actions of a single developer”; and
- the developer targeted by the phishing attack “owed Plaintiffs a duty to secure [passwords] against malicious attacks.”
Important Holdings for DAOs, Governance Token Holders, and Investors in DAOs
Before the court were two questions most relevant to DAOs, governance token holders, and investors: whether Plaintiffs’ complaint sufficiently alleges that (1) the bZx DAO is a general partnership, and (2) each Defendant is a partner in that partnership.
On the first question, the court analyzed whether all persons holding the bZx DAO’s governance tokens were part of a general partnership. Plaintiffs argued that (under California law) general partnerships form or exist when there is an “association of two or more persons to carry on as co-owners of a business for profit.” Plaintiffs also argued that the formation of a partnership can be unintentional. The court found that the bZx protocol meets the definition of a general partnership because of allegations concerning how governance token holders can suggest and vote on governance proposals, including hiring and disbursing treasury assets to token holders (not dissimilar from the way a corporation authorizes dividends), and the alleged fact that the bZx DAO generates profits through its products. And because the complaint sufficiently alleged that a general partnership existed, the court held, so could the liability that arises out of a general partnership.
Again, the court did not make an ultimate conclusion as to liability at this stage, but theoretically, this means that all of the “partners” (i.e., governance token holders) would be liable for all of the liabilities of the entity, regardless of their lack of control or actions, and it makes all general partners’ individual assets reachable for the entity’s liabilities. The court further held that governance token holders have a duty of care by virtue of their involvement and participation in, and decision-making control over, the protocol. This duty, the court found, included ensuring that the protocol had sufficient security measures and controls.
On the second question, the court analyzed whether each Defendant was alleged to have held governance tokens or whether it could be reasonably inferred from the complaint’s allegations that a Defendant held governance tokens. The court specifically noted that “[b]ecause anyone holding a [governance] token is a partner in the partnership, Plaintiffs can make this showing by specifically alleging that each Defendant held [governance] tokens.” Where the court found that Plaintiffs alleged that a Defendant held governance tokens or that Plaintiffs’ allegations could support a reasonable inference that a Defendant held a governance token, the court found that the Defendant was a partner in the partnership, such that they could be held liable under the general partnership liability theory. As to the Defendants for which either Plaintiffs failed to allege that those Defendants held governance tokens or Plaintiffs’ allegations could not support a reasonable inference that those Defendants held governance tokens, the court found that those Defendants were not partners in the DAO, such that they could not be held liable under the general partnership liability theory.
Practical Ramifications and Recommendations
There are a few significant takeaways from this decision as it applies to DAOs, governance token holders, and investors in DAOs.
- All governance token holders were liable for damages relating to the hack, including investors. While plaintiffs, the CFTC, and courts have analogized DAOs to a general partnership, this holding takes that finding a step further to hold that all governance token holders, not just the DAO founders or active, voting participants, are liable for all the actions or failures of the DAO. This decision obviously has concerning implications for all governance token holders, including investors and passive holders. It also further demonstrates the importance of governance token holders and, in particular, the primary “leaders” of the DAO to own and vote any tokens through appropriate corporate or foundation structures rather than personally. DAOs should similarly consider implementing legal structures with liability protection; this decision reinforces the importance of not only doing so, but doing so quickly.
- DAOs should continue to develop and maintain robust controls surrounding phishing attacks, password protection, etc., to guard against theft of API keys and other sensitive information. For example, a DAO could use multisig functionality and control mechanisms to prevent any single point of vulnerability to a phishing attack like the one in this case. DAOs should similarly ensure that any DAO member who has access to sensitive security information is engaging in practices to securely safeguard the information.
- DAOs should regularly implement security enhancements, recommendations, checks, and tests to ensure that all on-chain activity is protected by the most up-to-date security features.
- DAOs should not make any statements that could be construed as guaranteeing or overselling the security of their protocol or their ability to make victims whole.
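The multisig recommendation above is easy to state and easy to get subtly wrong, so here is an added example of the control it describes: an M-of-N treasury in which a transfer executes only after a threshold of distinct signers approve it. This is illustrative code written for this overview; it is not bZx, Ooki, or any real wallet contract, and the signer names, threshold, balance, and addresses are constructed. The scenario function plays out the single-point-of-failure case from the hack: an attacker who holds exactly one signer's key can propose and approve, but cannot move funds, while a legitimate two-of-three payout still goes through.

```python
from dataclasses import dataclass, field


@dataclass
class Proposal:
    """A pending treasury transfer awaiting signer approvals."""
    to: str
    amount: int
    approvals: set = field(default_factory=set)  # distinct signer ids only
    executed: bool = False


class MultisigTreasury:
    """M-of-N treasury: no single key can move funds on its own (hypothetical)."""

    def __init__(self, signers, threshold, balance):
        signers = set(signers)
        if not 1 <= threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.signers = signers
        self.threshold = threshold
        self.balance = balance
        self.proposals = []

    def _require_signer(self, signer):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not an authorized signer")

    def propose(self, signer, to, amount):
        """Create a transfer proposal; the proposer counts as its first approval."""
        self._require_signer(signer)
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.proposals.append(Proposal(to, amount, {signer}))
        return len(self.proposals) - 1

    def approve(self, signer, pid):
        """Record one approval per distinct signer; approving twice with one key is a no-op."""
        self._require_signer(signer)
        prop = self.proposals[pid]
        if prop.executed:
            raise ValueError("proposal already executed")
        prop.approvals.add(signer)
        return len(prop.approvals)

    def execute(self, signer, pid):
        """Move funds only once the approval threshold is met. Returns True on success."""
        self._require_signer(signer)
        prop = self.proposals[pid]
        if prop.executed:
            raise ValueError("proposal already executed")
        if len(prop.approvals) < self.threshold or prop.amount > self.balance:
            return False
        self.balance -= prop.amount
        prop.executed = True
        return True


def single_key_compromise_scenario():
    """Constructed scenario: an attacker holds exactly one of three signer keys."""
    treasury = MultisigTreasury(signers={"dev_a", "dev_b", "dev_c"},
                                threshold=2, balance=55_000_000)
    # Stolen key for dev_a: propose draining everything, then try to approve again
    # with the same key. The second approval does not count toward the threshold.
    pid = treasury.propose("dev_a", "attacker_wallet", 55_000_000)
    treasury.approve("dev_a", pid)
    drained = treasury.execute("dev_a", pid)
    balance_after_attack = treasury.balance
    # Legitimate 2-of-3 flow: a payout approved by two distinct signers succeeds.
    pid2 = treasury.propose("dev_b", "grants_program", 1_000_000)
    treasury.approve("dev_c", pid2)
    paid = treasury.execute("dev_b", pid2)
    return {
        "drained": drained,
        "attack_approvals": len(treasury.proposals[pid].approvals),
        "balance_after_attack": balance_after_attack,
        "paid": paid,
        "final_balance": treasury.balance,
    }


if __name__ == "__main__":
    print(single_key_compromise_scenario())
```

The property that matters is in `approve`: approvals are keyed by signer identity, so a single compromised key cannot satisfy the threshold by approving repeatedly. In a real deployment the same idea is carried by an on-chain multisig contract or a hardware-backed threshold signing setup, and the signers should be different people using different machines, so that one phished workstation cannot supply two of the required keys.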