Putative Class Action Lawsuit Alleges DAO Members Are Jointly and Severally Liable for a Cryptocurrency Hack

Skadden Publication / The Distributed Ledger: Blockchain, Digital Assets and Smart Contracts

Stuart D. Levi, Anita Oh

A first-of-its-kind putative class action lawsuit filed in the Southern District of California is testing the legal argument that a decentralized autonomous organization (DAO) is a general partnership exposing its members to joint and several liability. In this case, Sarcuni et al. v. bZx DAO et al. (S.D. Cal., May 2, 2022), the plaintiffs allege that bZx DAO, its co-founders and its members are jointly and severally liable for negligence by failing to adequately secure a decentralized finance (DeFi) protocol, resulting in the theft of $55 million.

Background on DAOs

The philosophy behind DAOs is to expand to corporate governance the concept of decentralization that underlies cryptocurrencies and much of the decentralized finance space. In a typical DAO, decision-making authority is vested in all of the holders of the token that is native to the DAO rather than concentrated in a smaller group, such as an executive team or board, as is the case in more formal legal structures. Many groups that advocate for decentralized structures assert that DAOs are essential to operate and manage blockchain and DeFi protocols to achieve true decentralization.

While various legal structures protect partners, members or shareholders from liability, whether members of a DAO that has no formal legal structure enjoy protection from personal liability remains an open question. In April 2021, Wyoming passed a law extending traditional legal protections to DAO members that organize as a Wyoming LLC. However, unless a DAO is formed as an LLC under the Wyoming law or otherwise organized as a formal legal entity, the imputed structure of a DAO is likely to be considered that of a general partnership.

The Uniform Partnership Act defines a general partnership as a group of individuals working together to make a profit, which definition, some would argue, also describes the essence of certain DAOs. If a DAO is presumed to be a general partnership, its members, as partners of the DAO, could be jointly and severally exposed to personal liability for all the actions and debts of the DAO. Each partner would also owe the other partners a fiduciary duty. One of the reasons that Wyoming adopted its DAO LLC law was to address this general partnership concern. The bZx case highlights the risks posed to members of a DAO who are not operating under a formal legal structure and who may instead be deemed a general partnership.

The bZx Protocol Hack

bZx is a DeFi protocol “for tokenized margin trading and lending.” On November 5, 2021, hackers used a phishing attack directed at one of bZx’s developers to gain access to the developer’s wallet and the private keys that controlled access to the Binance Smart Chain and Polygon deployments of bZx. With those keys, the hackers were able to steal $55 million of cryptocurrency from the accounts of bZx users.

While the bZx protocol was initially developed and controlled by two LLCs, which were in turn controlled by two co-founders, control was transferred to bZx DAO in August 2021. This DAO was controlled by anyone who held a BZRX token, which granted certain voting rights and control over the bZx treasury. Following the hack, the DAO adopted a compensation plan to reimburse users, a plan that the complaint alleges would “take thousands of years” to repay those affected.

The Class Action Lawsuit

On May 2, 2022, fourteen international plaintiffs who are citizens of a number of countries including China, France, Italy, Kazakhstan, the United States and the United Kingdom filed a putative class action lawsuit against bZx DAO, the DAO’s two co-founders, two limited liability companies that invested in the DAO and contributed to governance decisions, and other defendants in the Southern District of California, alleging simple negligence. The various individual plaintiffs lost from $800 to $450,000 as a result of the attack.

The crux of the complaint was that despite bZx’s numerous statements regarding the security of the protocol, operators of the DAO had not yet implemented security measures that they knew to be reasonably necessary for the Polygon and Binance Smart Chain. Such measures were never implemented, according to plaintiffs, even in the wake of three separate hacks of the bZx protocol in 2020 with total losses of approximately $9 million, of which $8 million was apparently recovered. Notably, bZx had transitioned the Ethereum implementation of the protocol away from any single developer holding a key that would grant access to all of the funds, but at the time of the phishing attack had not yet done so for the Polygon and Binance Smart Chain implementations. Thus, the plaintiffs alleged a claim of negligence against bZx DAO and the other defendants based on the following:

  • The bZx protocol and its partners owed users a duty to maintain the security of funds deposited using the protocol, including to supervise developers and those working on the protocol so that important passwords or security details could not be obtained through a single person.
  • The unnamed developer working on behalf of bZx, as the holder of the private keys, owed users a duty to secure such passwords against malicious attacks.
  • The defendants are liable for the developer’s actions under a theory of respondeat superior, through which an employer can be held legally responsible for the wrongful acts of an employee or agent acting within the scope of such employment or agency. Although unstated, the implication is that even though control of the Polygon and Binance Smart Chain implementations of bZx had not yet been handed over to the DAO, the DAO was nonetheless responsible for the actions of the developer who was a member of the core team.

Most importantly for those considering whether to implement a DAO structure, the complaint alleges that because the DAO lacks any legal formation or recognition, it is a general partnership and thus its members are jointly and severally responsible for “making good” to the plaintiffs for their collective loss of an estimated $1.6 million. The plaintiffs are seeking full compensation for their losses, along with punitive damages and attorneys’ fees.

The complaint demands a jury trial, and the plaintiffs propose to certify the class as all people who delivered cryptocurrency tokens to the bZx protocol and had any amount of funds stolen in the theft reported on November 5, 2021, except for people whose only stolen cryptocurrency was the protocol’s native BZRX token. The law firm representing the plaintiffs in this class action lawsuit previously filed a case in New York, alleging that a decentralized finance operator is operating an illegal lottery in New York.[1] Although that case does not mention a DAO, it also seeks to charge individual investors in the protocol.

Key Takeaways

The bZx lawsuit highlights the risks of operating a DAO without any formal legal structure. Without such a structure, DAO members may, in certain cases, be jointly and severally liable, which liability could possibly extend even to those members who may not have been involved in decisions allegedly resulting in losses or other issues.

Also, the jurisdictional questions in this case may prove to be interesting. California generally does not recognize jurisdiction over all of the members of a general partnership merely because one member resides in the state. Likely for this reason the complaint leans heavily on the assertion that the DAO’s activities were controlled from California. As this case moves forward, jurisdictional issues may prove to be a point of contention.

Finally, the plaintiffs’ class in DAO cases may be instructive, as those who were impacted by the actions of a DAO, and therefore potential plaintiffs, were probably also members of the DAO and hence liable for the DAO’s activities. Whether a general partner can sue another general partner for the activities of the general partnership will likely be a point of dispute in the bZx lawsuit.


[1] Kent v. PoolTogether, Eastern District of New York, No. 21-cv-6025.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.