On May 2, 2022, a putative class action was filed against a decentralized autonomous organization (DAO) and its members1 seeking to recover $55 million in cryptocurrency losses stolen during a hack into the DAO’s decentralized finance (DeFi) platform.

According to the complaint, the bZx protocol is a DeFi protocol governed as a DAO. Fulcrum, one of two products built on the bZx protocol, “permits users to lend tokens and earn interest on those tokens when other people borrow them, like how a U.S. bank or savings-and-loan association takes deposits, lends them out, and pays bank depositors with interest.” Fulcrum requires users to choose one of three blockchains to record and execute the transactions: Ethereum, Polygon, or Binance Smart Chain (BSC). bZx allegedly represented that Fulcrum was decentralized and a “non-custodial” product (i.e., allowing users to maintain custody of their keys and assets). For example, bZx’s homepage says: “Never worry about opaque centralized exchanges getting hacked or stealing your funds.”

In November 2021, a bZx protocol developer fell victim to a phishing attack, and a hacker was able to access the private keys of those using the bZx protocol on Polygon and BSC with the developer’s password. The hacker stole approximately $55 million in cryptocurrency. According to Plaintiffs, the hacker was able to take the funds because, at that time, only the operations on Ethereum were fully decentralized—BSC and Polygon “did not have the protection of the DAO.”

The putative class action claims Defendants were negligent by failing to maintain the security of funds deposited using the bZx protocol and supervise developers of and those working on the protocol. Plaintiffs aim to hold Defendants liable for the developer’s negligence under a theory of respondeat superior.

Plaintiffs also allege that each DAO member is jointly and severally liable for damages because the DAO is a general partnership. Indeed, the success of Plaintiffs’ claims may be contingent on establishing that the DAO “lacks any legal formalities or recognition” and therefore is a general partnership. According to the complaint, “[a]lthough DAOs seem novel, many legal observers who have analyzed [DAOs] have reached the same conclusion” that DAOs are general partnerships.

* * *

The legal status of DAOs is unclear and jurisdiction-specific. As referenced in the complaint, concerns have surfaced that DAOs, by default, are general partnerships, and each of a DAO’s members could be held personally liable for the DAO’s actions. Whether a DAO is a general partnership is a determination that would be made under existing corporate law and would depend on how the DAO is structured and operates. Once a DAO is deemed to be a general partnership, then the DAO’s members could be held jointly and severally liable with the DAO and other DAO members.

However, if a DAO could register as a LLC or obtain alternative legal status, DAO members’ personal liability could be limited. While states have varied in their approach to DAOs, developments in the United States suggest a trend towards according DAOs status similar to that of a traditional LLC.

For example, in July 2021, Wyoming became the first US state to pass a law granting DAOs the ability to incorporate. Under that law, an individual does not have to live in Wyoming to register a DAO, although the DAO must have a Wyoming registered agent who meets certain statutory requirements. In February 2022, Wyoming legislators introduced amendments to the law, which would require the registering DAO to, among other things, define in the articles of organization how members will manage the DAO.

Other states have followed Wyoming’s lead and introduced similar legislation. For example, earlier this year the New Jersey Legislature introduced bills that, like Wyoming, would allow DAOs to register as LLCs under New Jersey’s Limited Liability Company Act, and the Ohio General Assembly introduced a bill to amend the Ohio Revised Code to, among other things, allow DAOs to register as LLCs.

DAOs also have used existing laws to register as legal entities in some states. For example, DAOs have registered as LLCs in Delaware, or as Blockchain-Based Limited Liability Companies (or LLC using a blockchain for a material portion of their activities) in Vermont.

Other countries have also tackled whether and how to provide legal status to DAOs. For instance, on February 15, 2022, the Marshall Islands became the first sovereign nation to recognize DAOs as a separate legal entity. The Non-Profit Entities Act was amended to accord DAOs the same privileges as LLCs. This development may spark a domino effect leading other countries to establish laws recognizing DAOs as a legal entity.

* * *

In this case, the DAO’s members—some of whom may not have been involved in decisions allegedly resulting in the hack—are now exposed to liability due to the DAO’s structure. It is important that those wishing to form a DAO carefully consider whether and where to obtain legal status, as the options and requirements vary by state (and country). However, irrespective of whether or where a DAO obtains legal status, it is important to note that whether a DAO registered in a particular state would maintain its legal status in other forums, such as in a US federal court case, is still unclear.