Doubts about DAOs: Novel CFTC Enforcement Case Targets Decentralized Finance Community
I. DAOs and DeFi
A DAO is a blockchain-based organization controlled by its members that acts through a set of rules (algorithms) deployed via blockchain-based smart contracts. This rule-based behavior lends DAOs their “autonomous” nature. The members of a DAO use DAO governance tokens to control (by voting) the DAO’s activities as defined by the rules embedded in the DAO’s smart contracts — known as “protocols.” DAOs are called “decentralized” because DAO governance tokens can be held by any number of people and, in theory, lack a centralized board or set of officers making decisions for the DAO.
DAOs are a common component in many DeFi projects, which experienced a surge of interest from institutional investors in 2021 and the first half of 2022. Some DAO proponents have claimed DAOs to be beyond the reach of regulators due to the lack of legal identity,1 the lack of centralized control, the lack of a jurisdictional locus, or the practical difficulty in holding a “dispersed, unidentified group of individuals”2 accountable for violating laws or regulations.
II. CFTC v. Ooki DAO: Regulatory Risk
CFTC v. Ooki DAO directly challenges DAO proponents’ claims to legal immunity. The CFTC describes the Ooki DAO as an “unincorporated association comprised of holders of OokiDAO Tokens … who vote those tokens to govern the [Ooki Protocol].”3 The CFTC alleges that each member of the Ooki DAO association is liable “as a principal for each act, omission, or failure of the members, officers, employees, or agents acting for the Ooki DAO.”4 The CFTC brought its claims against the Ooki DAO — but, in the CFTC’s view, liability for those unlawful acts extends to every Ooki DAO token holder who participated in the DAO’s operations by voting their tokens.
The same day the CFTC filed Ooki DAO, the CFTC also published an order accepting the settlement with two of the Ooki DAO token holders (the DAO Members) regarding the conduct alleged in Ooki DAO. The DAO Members, in addition to being holders of the Ooki DAO tokens, created and deployed the blockchain-based software protocol through which the Ooki DAO conducted its commodities trading activities.5
The Ooki DAO Members originally operated their project through a traditional legal entity, bZeroX, LLC, and offered their trading protocol under the brand bZx. In August 2021, bZeroX transferred control of the bZx protocol to the newly formed bZx DAO. Then, in December 2021, the bZx DAO rebranded itself as the Ooki DAO — operating the same bZx trading protocol, now marketed as the Ooki protocol.
The CFTC characterized this transfer of authority over the bZx/Ooki trading protocol — from bZeroX to the Ooki DAO — as an attempt by the DAO Members to immunize the trading activities conducted through the protocol from regulatory enforcement. Indeed, one of the DAO Members stated as much regarding the transition to the DAO structure:
We’re going to be really preparing for the new regulatory environment by ensuring bZx is future-proof. So many people across the industry right now are getting legal notices and lawmakers are trying to decide whether they want DeFi companies to register as virtual asset service providers or not — and really what we’re going to do is take all the steps possible to make sure that when regulators ask us to comply, that we have nothing we can really do because we’ve given it all to the community.6
In the CFTC’s view, this attempt to transfer accountability from a traditional legal entity to “the community” did not provide a shield from regulation; it merely extended liability to the entire association for the alleged unlawful acts of the DAO.7
III. Sarcuni v. bZx DAO: Private Litigation Risk
While this is the first example of regulatory enforcement against an unincorporated association of DAO token holders, it is not completely novel. Private plaintiffs used a similar theory of liability against the Ooki DAO and its predecessor entity, the bZx DAO, in Sarcuni v. bZx DAO.8 The Sarcuni plaintiffs brought a negligence class action arising from a cybersecurity breach against the bZx and Ooki DAOs — and other entities — alleging the members of the DAOs formed unincorporated associations for profit. The plaintiffs further alleged that under California law an unincorporated association for profit is treated as a general partnership — subjecting each partner to unlimited personal liability for the debts of the entire partnership.
Sarcuni is still in an early stage — Defendants’ motions to dismiss are pending — but, interestingly, the plaintiffs cited to CFTC v. Ooki DAO in opposing dismissal and in support of their unincorporated association theory of liability.
IV. Not All DAOs Are Created Equal
The SEC discussed some of these DAO liability issues in its 2017 investigative report of an early DAO — simply named “The DAO” — which suffered a security breach resulting in the theft of approximately $50 million worth of ether held by The DAO. The DAO was intended as an investment vehicle: Token holders could vote for investment proposals that would be funded upon majority vote. But the SEC scrutinized The DAO’s operations, determining that in practice many of The DAO’s activities were centralized via a board of curators selected by the company that created The DAO. The SEC also found that the distributed nature of the DAO token holders prevented them from effectively exercising any real control over the curated proposals presented to them by the hand-picked curators — curators the token holders had no say in selecting.
The SEC concluded that The DAO’s dispersed token holders and curated proposals made The DAO more like a corporation than a general partnership: “These facts diminished the ability of DAO Token holders to exercise meaningful control over the enterprise through the voting process, rendering the voting rights of DAO Token holders akin to those of a corporate shareholder.”9 The SEC’s conclusion in The DAO Report demonstrates that depending on the facts, not all DAO token holders may incur personal liability for the acts of a DAO.
V. Evaluating and Mitigating DAO Risks
The Ooki DAO and Sarcuni cases demonstrate the risks to token holders of regulatory enforcement and private litigation, respectively. Investors in DAOs and DAO-based DeFi projects should take note of these risks in light of the shifting legal landscape. Selecting an appropriate strategy for managing the unique risks posed by DAOs begins with evaluating these risks — a fact-intensive inquiry requiring examination of a DAO’s structure, protocols, token distribution, and physical locations of organizers, token holders, and validating nodes of the blockchain hosting a DAO’s smart contracts.
1 Defendants in a private action related to the Ooki DAO argued that DAO token holders lacked any intent to form an association for profit and thus the organization had no legal personhood — and could not be sued. Motion to Dismiss, Sarcuni v. bZx DAO, No. 22-cv-00618, at *18–23 (Cal. S.D. July 18, 2022), ECF No. 27 [hereinafter Sarcuni].
2 SEC Chairman Gary Gensler took issue with the “DAOs cannot be regulated” theory in a September 8, 2022, speech: “I have a question for you lawyers in this audience. Do you represent any clients regarding their token projects? How exactly were you hired? Did you enter into an engagement letter? I’m going to guess that you had a client. I’m going to guess that you did not take on the work on behalf of a dispersed, unidentified group of individuals in an ‘ecosystem.’ The public deserves the same protections from your clients that they get with other issuers of securities. Other issuers in our capital markets also deserve to compete on a fair playing field.”
3 Complaint, CFTC v. Ooki DAO, No. 22-cv-05416, ¶ 2 (Cal. N.D. Sept. 22, 2022).
4 Id. ¶¶ 60, 67, 72.
5 Enforcement against DeFi software developers is not new — in 2018, the Securities and Exchange Commission (SEC) brought an enforcement action against the founder of EtherDelta for operating an unregistered national securities exchange. Despite the exchange’s being “decentralized,” the SEC determined the founder to be responsible for EtherDelta’s violations because he exercised complete and sole control over the operations of the exchange.
6 In re bZeroX, LLC, CFTC No. 22-31, at *5 (Sept. 22, 2022).
7 Commissioner Summer K. Mersinger dissented from the CFTC’s assertion of CEA liability against all of a DAO’s voting token holders. Commissioner Mersinger stated that this novel application of state partnership law to the CEA was inappropriate and amounted to an arbitrary picking of “winners and losers”; instead, she suggested that existing aiding and abetting principles should be applied when determining the extent of individual liability for an association’s actions.
8 Complaint, Sarcuni (Cal. S.D. May 2, 2022).
9 Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO, SEC, at 15 (July 25, 2017) [hereinafter The DAO Report]. Ultimately, the SEC declined to pursue an enforcement action against The DAO, although The DAO Report became a blueprint for early digital assets securities analysis.