Hacked DAO Faces Lawsuit as Users Try to Recoup Stolen Funds

The victims of a hack of DeFi platform bZx are vying for the return of their funds in a rare attempt to hold a DAO liable in court.

The lawsuit, filed in the Southern District of California Monday, names 14 plaintiffs who claim to have lost funds ranging from $800 to $450,000. Together, the complaint indicates, the plaintiffs lost roughly $1.6 million from the November hack, during which an estimated $55 million of crypto was stolen. 

Plaintiffs allege the theft was possible only because the protocol had not yet implemented security measures that its operators knew were reasonably necessary to protect funds.

A spokesperson for bZx did not immediately return a request for comment. 

Law firm Gerstein Harrow LLP, whose attorneys have developed a crypto consumer protection practice, represents the plaintiffs. Its first case, which alleges that a DeFi (decentralized finance) operator called PoolTogether is operating an illegal lottery in New York, also deals with the issue of who can be held liable for the violations of DAOs.

DAOs (decentralized autonomous organizations) are member-owned communities without centralized leadership. The term DAO went mainstream last year when a group of crypto natives — dubbed ConstitutionDAO — raised $49 million in an unsuccessful bid to buy a copy of the US Constitution. Hedge fund billionaire Ken Griffin won the auction. 

“Those who form DAOs apparently believe that they can use the word ‘decentralized’ to evade corporate and individual responsibility,” Gerstein Harrow LLP Partner Jason Harrow said in a statement. “The opposite is true: without the protection of a corporation or limited liability company, everyone involved in a DAO’s governance is liable for the protocol’s negligence and illegality.”

Defendants include bZx protocol co-founders Kyle Kistner and Tom Bean, bZx investors Hashed International and AGE Crypto, and bZeroX, which created the protocol and controlled it until August 2021, according to the complaint. It also names bZx DAO, Ookie DAO and LeverageBox, a company that operated the Fulcrum trading platform, as defendants.  

The complaint argues that because the bZx protocol purports to be a DAO that lacks any legal formalities or recognition, it can be considered a “general partnership.”

“That means each of the partners is jointly and severally liable to the plaintiffs and must make good on the full amount of its debts,” the document states.

Compensation plan ‘inadequate,’ plaintiffs argue

A bZx developer had his personal wallet’s private keys taken in the phishing attack, which granted the hacker access to the private keys to the Binance Smart Chain and Polygon deployment of bZx protocol, according to a November blog post.

The DeFi protocol said at the time the attack was likely executed by Lazarus Group, which is known to be a state-sponsored hacking organization with links to North Korea. The hacker converted a large amount of stolen assets into ether and transmitted the funds through Tornado Cash, according to bZx.

In addition to stating on its website in December that it was preparing to launch the bZx deployments on Binance Smart Chain and Polygon with enhanced security measures, the bZx DAO shared details of its compensation plan for victims.

​​The bZx DAO committed to fully compensating those who lost BZRX in the attack with that asset, amounting to about $20 million of BZRX. It agreed to pay back victims who lost money via other tokens over time by buying back debt tokens each month using 30% of protocol revenue and fees.

But the complaint calls the plan “woefully inadequate,” adding “at the current buyback rate, full repayment will take thousands of years.”

Get the day’s top crypto news and insights delivered to your inbox every evening. Subscribe to Blockworks’ free newsletter now.