Greater risks facing DAOs and their tokenholders from recent court rulings

Recent court rulings have heightened the risks that "DAOs"—decentralized autonomous organizations—and the holders of DAO tokens may face when parties assert claims against them in litigation arising out of DAO activity. These rulings show that conducting activities through decentralized structures may not be sufficient to immunize the persons involved and the DAO itself from liability exposure.

In CFTC v. Ooki DAO, 2022 WL 17822445 (N.D. Cal. Dec. 20, 2022), the court held that it was possible for a DAO to be sued as a kind of legal entity. In that case, the court ruled that the defendant DAO could be treated as a legal entity and thus served with process as a defendant because it met the qualifications for being an "unincorporated association" under California state law. Citing Cal. Corp. Code §18035(a), the court held that such status requires only "an unincorporated group of two or more persons joined by mutual consent for common lawful purpose, whether organized for profit or not," where such persons "function under a common name under circumstances where fairness requires the group be recognized as a legal entity." According to the court, "[f]airness includes those situations where persons dealing with the association contend their legal rights have been violated."

The court rejected arguments that a DAO was not an entity but merely a "technological tool" that could not be sued. Rather, the court viewed the DAO as being a group of two or more people. Moreover, the court held there was no requirement that the individual tokenholders in the DAO be named as the defendants, or as codefendants, in order for a suit against the DAO as an entity to be able to proceed. Thus, in that case the Commodities Futures Trading Commission was able to proceed with asserting claims against the DAO itself as a defendant, and to serve process upon it.

The picture for DAOs and their tokenholders darkened further in Sarcuni v. bZx DAO, 2023 WL 2657633 (S.D. Cal. Mar. 27, 2023). In that case, a different court held that a negligence claim by platform users for losses stemming from hacking could be asserted not only against the defendant DAOs themselves but also against persons holding their tokens, where those tokenholders were sufficiently alleged to be members of a general partnership. As members of a general partnership, the individual tokenholders would face vicarious joint and several liability exposure for the alleged torts of the DAO.

In Sarcuni, the allegations of partnership within the DAOs were held sufficient based on "their structures and the way they operate." Denying defendants' motion to dismiss, the court held the plaintiffs' allegation that the DAO was a partnership was "plausible" in view of the complaint's allegations that the DAO was an "association of two or more persons" that "operates as a business for profit," in which the tokenholders "carry on as co-owners of the DAO" because they exercise "governance rights in the DAO" and "can share in the DAO's profits." The court rejected the defendants' argument that the tokenholders' governance rights with respect to the DAO were so limited as to preclude the possibility of their constituting a partnership as a matter of law.

Sarcuni's implications for DAOs and their tokenholder became even more far-reaching in light of an additional part of the Sarcuni ruling which held that the DAO and the tokenholder defendants could potentially face negligence liability to the plaintiffs whose accounts allegedly were hacked in the face of assurances that the defendants' platform was secure. While California law generally bars negligence liability for "purely economic losses" in most circumstances, the court held that the plaintiffs' allegations fell into an exception to that rule which applies when the plaintiffs and the defendants have a "special relationship."

Claims of a "special relationship" under California law are analyzed under a six-factor test. The court in Sarcuni held that weighing the factors under that test, the plaintiffs had sufficiently alleged that there was a special relationship under which the DAO had a "duty to exercise reasonable care with respect to [the] management of [its] protocol." The plaintiffs satisfied this test by alleging that:

1. they were the "intended beneficiaries" of their transactions as protocol users,
2. "it was foreseeable that lack of security on the [p]rotocol would cause harm" to individual users, particularly given prior hacks the platform had experienced,
3. the plaintiffs "allege[d] an injury with a high degree of certainty,"
4. there was "a close connection" between the alleged negligent conduct—the DAO's alleged negligent failure to implement security measures known to be "reasonably necessary"—and the alleged injuries,
5. the DAO's conduct qualified as "morally reprehensible" in light of the promises of safety that allegedly were made, and
6. it would "further[] the policy of preventing future harm stemming from negligent oversight of security measures on DeFi protocols" to find that the defendants owed the plaintiffs a duty.

As DAOs proliferate and their activities multiply in the DeFi space, their developers, operators and tokenholders need to be mindful that the intermediary of a decentralized platform does not necessarily render them immune from claims of liability that may be asserted by persons who claimed to be injured by a DAO's activities or from the use of its platform. As these recent court rulings illustrate, when a DAO's activities have not been wrapped into an LLC or some other limited liability structure, the DAO and its members can face significant liability risks from persons claiming financial or other injury relating to the DAO.