For those who have followed for some time the law that has developed around blockchain, there is a strong likelihood they associate the term DAO (decentralized autonomous organization) with the well-publicized hack that took place in 2016 with respect to one of the relatively early ICOs (initial coin offering) of an organization called UG. The objective of that DAO — referred to as The DAO — was to operate a for-profit entity that would create and hold assets through the sale of DAO Tokens to investors.

All funds raised were to be held at an Ethereum blockchain address associated with The DAO. DAO Token holders were to vote on contract proposals, including proposals to The DAO to fund projects. They would also vote to distribute The DAO’s anticipated earnings from the projects it funded. After $150 million of DAO Tokens were sold, but before The DAO was able to commence funding projects, an attacker used a flaw in The DAO’s code to re-route to himself approximately one-third of The DAO’s assets. The hack issue was ultimately resolved but the DAO then became famous because the case resulted in the first detailed Report that the U.S. Securities and Exchange Commission wrote on the topic of ICOs, in which it essentially said that ICOs could very well be subject to securities laws, and that the test to be applied to make that determination would be the well-established Supreme Court decision in Howey.

In contrast, there are undoubtedly some who associate a DAO with the Constitution DAO. That now defunct DAO was formed in late 2021 in an effort to purchase an original copy of the United States Constitution. The group raised $47 million in Ether but did not win the bid for the Constitution The organizers of Constitution DAO said they would refund contributions, but that it would be done net of Ethereum fees. Much of the amount raised was never refunded.

A DAO is a “virtual” organization embodied in computer code and executed on a blockchain. The Ethereum website gives the following definition of a DAO.

DAOs are an effective and safe way to work with like-minded folks around the globe. Think of them like an internet-native business that’s collectively owned and managed by its members. They have built-in treasuries that no one has the authority to access without the approval of the group. Decisions are governed by proposals and voting to ensure everyone in the organization has a voice.

There’s no CEO who can authorize spending based on their own whims and no chance of a dodgy CFO manipulating the books. Everything is out in the open and the rules around spending are baked into the DAO via its code.

A recent lawsuit has raised the issue of who is responsible when something goes wrong in a DAO.

According to the complaint in Sarcuni v. bZx Dao, brought in federal court in California, the Plaintiffs deposited cryptocurrency with a protocol called bZx, whose creators told users that they need not “ever worry about . . . getting hacked or [anyone] stealing [their] funds.” Despite this promise of security, the bZx protocol in fact lacked reasonable safeguards; it was hacked and the Plaintiffs’ funds stolen. Allegedly, the hack and subsequent theft were not the result of some complex scheme or unknown vulnerability in the code but, instead, occurred because one of the bZx developers fell for an email “phishing” scam that permitted access to key passphrases that then permitted the hackers to drain Plaintiffs’ accounts because the protocol had not yet implemented security measures that its operators knew were reasonably necessary to protect the protocol. The end result was a total theft of the equivalent of about USD 55 million. The 14 plaintiffs in the putative class action represent USD 1.6 million of that amount.

The Complaint further alleges that the bZx protocol apparently acknowledged its responsibility for the loss since it offered to compensate the victims. However, the compensation plan it put in place was woefully inadequate because Plaintiffs would receive IOUs with no real hope of repayment. In addition, this was not the first hack. In 2020, according to the complaint, bZx suffered three hacks with total losses of approximately $9 million, although $8 million was apparently recovered eventually.

Legally speaking, what type of an entity is a DAO? According to this complaint, the bZx protocol purports to be a DAO without legal formalities or recognition and, because it does not have the limited liability protection of the corporate form, it should be treated like a general partnership. The complaint sites a number of papers that have reached that conclusion. As one example: “[T]he U.S. legal system must clarify the legal status of these organizations and as such should classify the DAO as a general partnership.” See Laila Metjahic, Deconstructing the DAO…, 39 Cardozo L. Rev. 1533, 1536 (2018).

According to the complaint, the two self-professed co-founders of the bZx protocol should be considered partners (and are named defendants). The entities that invested in the bZx protocol as well as those who operated are also defendants. The theory of the complaint is that each of the partners is jointly and severally liable to the Plaintiffs and must make good on the full amount of its debts, including for the negligence that resulted in the losses caused by the hack.

As the case was just filed on May 2, 2022, there has been no defense filed yet. Undoubtedly, this novel theory will be tested, presumably starting with the documents that the investors presumably signed in connection with their investments, including the disclosures and disclaimers that were almost certainly included therein. In any event, it will be interesting to follow how the courts deal worth the issue of the liability of a DAO and those behind it.