Governance Tokens Might Come With Legal Liability, US Judge Says
bZx DAO and Founders Were Sued After $55M HackDeFi News
The DAOs that govern supposedly decentralized crypto protocols have been pitched as 21st-century cooperatives whose members share in decision-making and, sometimes, profits.
According to a federal judge in California, they could share legal risk, too.
Owners of BZRX, a so-called governance token, could be held liable for a $55M hack, District Judge Larry Burns wrote on Monday in an order allowing a class-action lawsuit to move forward.
At stake are questions that get to the very heart of decentralized finance – what does it mean for an organization to be decentralized? What obligations do members of a DAO have to each other, and to the people who use the protocol they ostensibly control?
The defendants — bZx DAO and its founders — had asked the judge to dismiss the lawsuit, arguing their membership in a decentralized autonomous organization meant they did not have custody of the crypto that users deposited in the bZx protocol, nor a duty to the protocol’s users.
In rejecting the request, Burns noted BZRX tokens grant control of the protocol and the revenue it generates, criteria commonly used to determine a business’s ownership. And the protocol was hacked after a bZx developer fell for a phishing scam, “rendering the distinction between custodial and non-custodial meaningless,” he wrote.
The founders could be “general partners,” the judge concluded, a category of business owners that are not protected from legal liability, as the owners of an LLC usually are.
Attorneys with DAO clients who spoke to The Defiant stressed that the judge had not ruled that BZRX holders are general partners, only that the claim was plausible and that the lawsuit should therefore move forward.
Nevertheless, the order is a warning to DAOs that are decentralized in name only. That one bZx developer had access to the DAO’s treasury is a clear signal that control of the protocol was not meaningfully distributed, attorneys said.
“I think it’s kind of continuing a trend, where courts and really the whole system is — very predictably, frankly — ignoring a lot of the formalities put in place,” Zach Rosenberg, principal at Degen Legal, told The Defiant. Instead, courts are looking “more to the actual implementation of governance, of admin control, of actual activity.”
Tom Bean and Kyle Kistner launched the bZx protocol in 2019. At the time, it was controlled by their company, bZerox LLC. Two years later, they announced they would transfer control of the protocol from bZerox to a bZx DAO run by people who hold BZRX tokens.
“We’re going to be really preparing for the new regulatory environment by ensuring bZx is future-proof,” Kistner said on a call describing the transition. “ What we’re going to do is take all the steps possible to make sure that when regulators ask us to comply, we have nothing we can really do because we’ve given it all to the community.”
A couple of months later, a developer at bZx clicked on a malicious document attached to an inconspicuous email. Malware within the document allowed a hacker to access the keys to the developer’s crypto wallet. Access to the wallet, in turn, allowed the hacker to drain all of the protocol’s assets on Polygon and Binance Smart Chain, now known as BNB. bZx was also live on Ethereum, but security measures prevented the hacker from draining users’ crypto there.
The 19 plaintiffs lost a cumulative $1.7M, according to the judge’s order.
Decentralized vs. Trustless
“People in the industry conflate decentralization with trustlessness. Just because there are lots of members in the DAO, [that] does not mean that the protocol itself is trustless,” Rosenberg said. “If one developer can get hacked, and the entire protocol was drained on two separate chains, that’s pretty indicative that this was not a trustless system.”
Eric Hess, the founder and managing counsel of Hess Legal, said decentralization is a “trap for the unwary.”
“Just because an organization calls itself a DAO, [that] doesn’t mean it is a DAO. The autonomous aspect of it can be extremely challenging,” he said. “By the same token, there is no such thing as a DAO immaculate conception. Nothing is born a DAO. There are growing pains in achieving DAO-hood.”
But that puts developers committed to decentralization in a bind, according to Rosenberg: they can release upgradeable code and open themselves to legal liability. Or they can release immutable code, which can never be modified, even if a critical bug is found.
According to Erich Dylus, an independent attorney who advises DAOs, the notion that a DAO and its members could fit the definition of “general partnership” is “certainly not a shock to a lot of lawyers.”
But the judge’s apparent belief that holding governance tokens is tantamount to general partnerships is “super, super troubling,” he said.
“You don’t even have to consent to receive a governance token,” he explained. “You might not even know you’re holding a governance token. Traditionally, entry [and participation in] a general partnership … involves something a little more than that.”
Trying to identify every BZRX holder would likely prove unworkable, Hess said. Trying to enforce a court order on them would be harder still.
“Presumably, they’re not even identified. They’re not doxxed,” Hess said. “Good luck enforcing a court order against someone who is a passive participant in the DAO.”
In his order, Burns suggested participation in governance could determine whether a BZRX holder is, in fact, a general partner.
“[Then] it becomes a question of what governance activity actually does,” Dylus said. Are votes taken on-chain? Do they self-execute? Or do token holders participate in Snapshot votes that need someone else to execute the requested change?
A DAO that takes the latter route is “more likely to fall victim to a legal entity classification it doesn’t want,” Dylus said.