Hacked DAO Faces Lawsuit as Users Try To Recoup Stolen Funds

Law firm claims all parties involved in a DAO’s governance are liable for the protocol’s alleged “negligence and illegality”


Source: Shutterstock


key takeaways

  • An estimated $55 million of crypto was stolen after a bZx developer had his wallet’s private keys taken in a November phishing attack
  • The 14 plaintiffs’ combined losses from the hack total $1.6 million

The victims of a hack of DeFi platform bZx are vying for the return of their funds in a rare attempt to hold a DAO liable in court.

The lawsuit, filed in the Southern District of California Monday, names 14 plaintiffs who claim to have lost funds ranging from $800 to $450,000. Together, the complaint indicates, the plaintiffs lost roughly $1.6 million from the November hack, during which an estimated $55 million of crypto was stolen. 

Plaintiffs allege the theft was possible only because the protocol had not yet implemented security measures that its operators knew were reasonably necessary to protect funds.

A spokesperson for bZx did not immediately return a request for comment. 

Law firm Gerstein Harrow LLP, whose attorneys have developed a crypto consumer protection practice, represents the plaintiffs. Its first case, which alleges that a DeFi (decentralized finance) operator called PoolTogether is operating an illegal lottery in New York, also deals with the issue of who can be held liable for the violations of DAOs.

DAOs (decentralized autonomous organizations) are member-owned communities without centralized leadership. The term DAO went mainstream last year when a group of crypto natives — dubbed ConstitutionDAO — raised $49 million in an unsuccessful bid to buy a copy of the US Constitution. Hedge fund billionaire Ken Griffin won the auction. 

“Those who form DAOs apparently believe that they can use the word ‘decentralized’ to evade corporate and individual responsibility,” Gerstein Harrow LLP Partner Jason Harrow said in a statement. “The opposite is true: without the protection of a corporation or limited liability company, everyone involved in a DAO’s governance is liable for the protocol’s negligence and illegality.”

Defendants include bZx protocol co-founders Kyle Kistner and Tom Bean, bZx investors Hashed International and AGE Crypto, and bZeroX, which created the protocol and controlled it until August 2021, according to the complaint. It also names bZx DAO, Ookie DAO and LeverageBox, a company that operated the Fulcrum trading platform, as defendants.  

The complaint argues that because the bZx protocol purports to be a DAO that lacks any legal formalities or recognition, it can be considered a “general partnership.”

“That means each of the partners is jointly and severally liable to the plaintiffs and must make good on the full amount of its debts,” the document states.

Compensation plan ‘inadequate,’ plaintiffs argue

A bZx developer had his personal wallet’s private keys taken in the phishing attack, which granted the hacker access to the private keys to the Binance Smart Chain and Polygon deployment of bZx protocol, according to a November blog post.

The DeFi protocol said at the time the attack was likely executed by Lazarus Group, which is known to be a state-sponsored hacking organization with links to North Korea. The hacker converted a large amount of stolen assets into ether and transmitted the funds through Tornado Cash, according to bZx.

In addition to stating on its website in December that it was preparing to launch the bZx deployments on Binance Smart Chain and Polygon with enhanced security measures, the bZx DAO shared details of its compensation plan for victims.

​​The bZx DAO committed to fully compensating those who lost BZRX in the attack with that asset, amounting to about $20 million of BZRX. It agreed to pay back victims who lost money via other tokens over time by buying back debt tokens each month using 30% of protocol revenue and fees.

But the complaint calls the plan “woefully inadequate,” adding “at the current buyback rate, full repayment will take thousands of years.”

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the On the Margin newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.


Upcoming Events

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2024

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Unlocked by Template.png


With the spot ETH ETF approval, the institutions are coming. stETH - given its dominance in marketshare, existing liquid market structures, and highly desirable properties - is poised for institutions.


Launching cryptocurrencies the old fashioned way may soon make a return


Kraken and CertiK brought their beef to social media after Kraken said researchers exploited $3 million through a bug


NVIDIA’s historic run is only deepening the divide between mega-cap tech stocks and the rest of the market.


EIP-7702 was quickly adopted for the next Ethereum upgrade, but developers haven’t quite locked it down