
Sarcuni et al. v. bZx DAO: who’s responsible for DAOs’ actions?
The question in the title will be addressed to the United States District Court, Southern District of California, as a result of the class action brought by the attorneys of Mr. Christian Sarcuni and a bunch of other crypto investors. According to them, bZx and its members are jointly liable for failing to “secure” a DeFi protocol from which tokens worth US$55 million were stolen. The bZx protocol was initially developed by and under the control of two limited liability companies (bZeroX LLC and Leveragebox LLC, both controlled by co-founders Tom Bean and Kyle Kistner), and was later transferred to the bZx DAO in August 2021.
In the U.S., some states have already implemented laws that allow a DAO to be organized as an LLC so as to provide protection for DAO members. Generally, however, a DAO which is not constituted in the form of a corporation could be considered a “General Partnership,” regulated by the Uniform Partnership Act. This would inevitably result in the joint and several liability of all DAO members.
This is what Sarcuni and the other plaintiffs of the class action under discussion are looking for.
On November 5, as a result of an attack by unknown persons, cryptocurrencies with a total value at the time of the theft of about US$55 million were stolen from the DAO.
bZx is a DeFi platform describing itself as “a protocol for tokenized margin trading and lending.” According to its website, “it is a financial primitive for shorting, leverage, borrowing, and lending that empowers decentralized, efficient, and rent-free” transactions on the blockchain, as reported in the complaint.
There are two “products” built on the bZx protocol: Fulcrum and Torque. The one primarily used in this case is called Fulcrum, which the protocol’s website says is a “DeFi Margin Lending and Trading Platform”. Fulcrum permits users to lend tokens and earn interest on those tokens when other people borrow them, like how a U.S. bank or savings-and-loan association takes deposits, lends them out, and pays back depositors with interest. The second one is Torque, which provides for “Indefinite-term Loans with Fixed Interest Rates”.
Even though bZx claims that Fulcrum is “non-custodial”, which means that users maintain control of their own keys and assets, and that users should “never worry about being hacked or someone stealing their funds”, plaintiffs argue that “a single password was sufficient to access all of the client funds on two of the three blockchains on which Fulcrum operated. The holder of that password, therefore, had custody of the client funds and had a legal duty as custodian to exercise reasonable care to protect the funds”.
Apparently, the protocol “had not yet implemented the security measures that its operators knew were reasonably necessary to protect the protocol”, as can be read in the complaint. As a result, a successful “phishing” attack on a bZx developer allowed hackers to gain access to key passphrases that then allowed them to drain plaintiffs’ accounts.
Plaintiffs claim that the bZx DAO operates as a general partnership and, as such, its participants are jointly and severally liable to the protocol users for the loss of funds resulting from the hacking. To resolve this problem, a compensation proposal involving the issuance of replacement tokens and a repayment plan lasting several years has been put to a vote, but the plaintiffs argue that it is inadequate. The class action was proposed by 14 different plaintiffs from different parts of the world.
Needless to say, it will be very interesting to see the outcome of this litigation as to whether or not a DAO exposes all its members to liability and lawsuits of this kind. And as the questions about the legal frameworks of DAOs are multiple and challenging, let us suggest this paper by Chris Brummer (Georgetown University) and Rodrigo Seira (General Counsel at Paradigm), who delve into and offer an analysis of the legal institutions applicable to DAOs.