Landmark Ruling: Are DAO Token Holders Liable for Hacks? The bZx Case Explained

bZx Protocol: The Liability of DAOs and Their Founders Has Been Put to the Test in Court

In a groundbreaking decision that’s sending ripples through the crypto world, a California federal court has ruled that members of a Decentralized Autonomous Organization (DAO) could be held liable for negligence. This ruling, stemming from a class-action lawsuit against the bZx protocol DAO, could redefine how we perceive DAOs and the responsibilities of their governance token holders. If you’re involved in DAOs, hold governance tokens, or are simply curious about the legal landscape of decentralized finance (DeFi), this case is a must-understand.

What Happened with bZx Protocol? A Series of Unfortunate Events

Before we dive into the legal intricacies, let’s recap the story of bZx protocol. bZx, now rebranded as Ooki DAO, is a DeFi lending platform. Unfortunately, it’s also become known for a series of security breaches:

  • 2020 Hacks: bZx suffered multiple hacks in 2020, including one for $8 million and two smaller ones totaling nearly $1 million.
  • 2021 Mega-Hack: In 2021, the protocol experienced a significant $55 million hack. This particular breach, reportedly caused by a developer inadvertently downloading malware from an infected email attachment, led to the emptying of the BZRX token wallet and other digital assets like Ether.

These repeated security incidents, particularly the large-scale 2021 hack, triggered significant user losses and ultimately fueled the class-action lawsuit that led to this landmark court ruling.

The Class Action Lawsuit: Who Sued Whom, and Why?

Frustrated by the losses and the DAO’s proposed repayment plan, which was deemed too slow by many, a group of plaintiffs initiated a class-action lawsuit in July 2022. The lawsuit targeted:

  • bZx Protocol DAO: The decentralized organization itself.
  • Governance Token Holders: Members holding BZRX tokens, who participate in the DAO’s governance.
  • Founders: Tom Bean and Kyle Kistner, and their software development companies, Leveragebox LLC and Hashed Labs LLC.

The core argument of the plaintiffs was that the defendants were negligent and liable for the losses resulting from the hack. They claimed that the DAO, its members, and founders failed to exercise reasonable care in securing the protocol, leading to the preventable breach.

Court Ruling: Negligence Claims Against DAO Members Can Proceed

Here’s the crucial part: the California federal court, while dismissing some claims, allowed the negligence claims against the bZx protocol DAO and its governance token holders to move forward. Specifically, the court:

  • Dismissed Breach of Fiduciary Duty Claims Against Founders: The court found insufficient grounds to hold founders Tom Bean and Kyle Kistner personally liable for breach of fiduciary duty.
  • Allowed Negligence Claims Against DAO Members: This is the landmark aspect. The court decided that the negligence claims against the DAO and its governance token holders could proceed. This implies that DAO members, simply by holding governance tokens and participating in voting, could be held responsible for the DAO’s actions (or inactions) if negligence is proven.

This ruling is significant because it directly addresses the murky area of DAO member liability, a topic that has been debated extensively in the crypto space.

Why Are Governance Token Holders Potentially Liable? The General Partnership Argument

The court’s reasoning hinges on the concept of a “general partnership” under California law. Here’s how it breaks down:

California General Partnership Definition: According to California law, a general partnership exists when there is an “association of two or more persons to carry on as co-owners of a business for profit.” Crucially, partnerships can be formed unintentionally; formal agreements aren’t always necessary.

Court’s Application to bZx DAO: The court determined that the bZx Protocol met this definition because:

  • Association of Persons: Token holders are associated through the DAO structure.
  • Co-ownership of Business: Token holders, through governance votes, have control over the protocol’s operations, treasury, and direction. This control, the court argued, equates to co-ownership of the “business” of the bZx protocol.
  • Profit Motive: While DAOs are often presented as decentralized and community-driven, many, including bZx, operate with the aim of generating value and profit for their token holders (even if indirectly).
  • Governance Rights as Partnership Actions: The court highlighted that token holders can propose and vote on critical governance matters, such as:
    • Hiring decisions
    • Treasury management
    • Distribution of assets (akin to corporate dividends)

    These actions, the court reasoned, are akin to the decisions made by partners in a traditional business partnership.

This interpretation aligns with a similar stance taken by the Commodity Futures Trading Commission (CFTC) in its 2021 complaint against Ooki DAO, further suggesting a growing trend in legal and regulatory perspectives on DAOs as potentially unincorporated associations or partnerships.

Implications of the Ruling: What Does This Mean for DAOs and Token Holders?

This court ruling has several significant implications for the DAO ecosystem:

  • Increased Liability for DAO Members: Governance token holders may now face potential liability for negligence related to the DAO’s operations, security, and decisions. This could move beyond just losing the value of their tokens and extend to personal financial responsibility in certain circumstances.
  • Potential Impact on Decentralization: The ruling could challenge the perceived decentralized nature of DAOs. If token holders are held liable, it might discourage participation in governance, particularly among individuals less willing to take on legal risks. It could also lead to more centralized decision-making within DAOs to mitigate risks.
  • Due Diligence and Duty of Care for DAOs: DAOs and their developers will likely face increased pressure to implement robust security measures and exercise a higher degree of care in their operations. This could lead to more rigorous security audits, better coding practices, and potentially insurance mechanisms for DAOs.
  • Uncertainty and Evolving Legal Landscape: This is just one ruling in one jurisdiction. The legal landscape for DAOs is still evolving. Other courts in different jurisdictions might interpret DAO structures differently. This case, however, provides a crucial precedent and highlights the growing scrutiny of DAOs under existing legal frameworks.
  • Defense for Founders? Paradoxically, while increasing potential liability for token holders, the dismissal of claims against founders personally (in this specific case) might offer some level of defense for founders of DAOs accused of wrongdoing. It suggests that the liability might primarily rest with the DAO itself and its governance participants, rather than the initial creators, at least in cases of negligence rather than direct fraud or malfeasance.

Key Legal Concepts at Play: Fiduciary Duty, Duty of Care, and Joint Liability

The bZx case brings to the forefront several crucial legal concepts that are now being applied to the novel structure of DAOs:

  • Fiduciary Duty: This is the obligation to act in the best interests of another party. While the court dismissed fiduciary duty claims against the founders, the broader question of whether DAO members owe a fiduciary duty to each other or to the DAO itself remains open and complex.
  • Duty of Care: This is the obligation to act with reasonable care and avoid negligence. The court’s decision to allow negligence claims to proceed underscores the importance of duty of care for DAOs and their members. Failing to implement adequate security measures could be construed as a breach of this duty.
  • Joint and Several Liability: This legal principle means that multiple parties can be held responsible for the same liability, and a plaintiff can recover the full amount of damages from any one of the liable parties, regardless of their individual contribution to the harm. If a DAO is deemed a general partnership, token holders could potentially face joint and several liability for the DAO’s debts and obligations, including liabilities arising from negligence.

Conclusion: A Turning Point for DAO Governance and Liability?

The California court ruling in the bZx protocol case is a significant moment for DAOs and the broader crypto space. It signals a potential shift in how DAOs are legally perceived and the responsibilities of those who participate in their governance. While the full implications will unfold as this case and others progress, it’s clear that the era of viewing DAO governance as entirely risk-free and without real-world legal consequences may be coming to an end.

For DAO participants, developers, and legal professionals alike, this ruling serves as a crucial reminder of the evolving legal landscape and the need for careful consideration of liability, security, and governance within decentralized autonomous organizations. The question now is: how will this ruling shape the future of DAO governance and the balance between decentralization and accountability?

Disclaimer: The information provided is not trading advice. Bitcoinworld.co.in holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.