Can DAOs survive an onslaught of cybercrime?


In the arcane world of decentralised finance, the bZx protocol is a useful platform. According to its creators, bZx allows software developers to build tools “that empower lenders, borrowers, and traders with the most flexible decentralised finance protocol on Ethereum”. Indeed, the protocol is one of many decentralised platforms traders can use to enable the kinds of complex and exotic transactions on crypto previously reserved for the most elite financial institutions on Wall Street.

Unlike the big banks, however, the bZx protocol operates as a democracy. New arrivals to the platform can purchase a governance token, giving them the right to vote on key decisions about how the protocol is run. The process of voting and making proposals, meanwhile, is automated through the use of blockchain-based smart contracts.

This type of structure, known as a distributed autonomous organisation (DAO), is becoming increasingly popular throughout crypto, to the point where many consider it a viable model for corporate governance.

This makes bZx’s fate all the more alarming. In November 2021, one of the protocol’s developers succumbed to an email phishing scam. That gave the attackers access to key passphrases that unlocked private wallets on the platform, allowing them to drain the protocol of $55m.

DAOs promise an alternative form of organisation – a democratic structure automated through smart contracts. That model is being tested, though, as these collectives enter the mainstream. (Photo by koyu / iStock)

Investors were incensed. Having been assured by the protocol’s developers that their funds were protected, they claimed instead to have witnessed a heist enabled by basic failures in cybersecurity. Deeming the bZx protocol’s plan for restitution entirely inadequate – ‘full repayment,’ the investors said, ‘will take thousands of years’ – a group of them decided to file a class action suit to seek compensation in the California court system.

The attack was hardly unique. The last year has seen several high-profile heists targeting DeFi DAOs. There was the attack against Badger DAO in December, which saw hackers scam members into sanctioning some $120m in criminal transactions after burrowing into the site’s web interface. Then came a breach in March at play-to-earn game Axie Infinity, where an attacker seized control of a blockchain validator run by its DAO to help approve a malicious funds transfer of $625m. Another hack in April, meanwhile, saw Deus Finance DAO lose $13.4m in ETH, the internal currency of the Ethereum blockchain, in a flash loan attack – the second such breach it had suffered that month.

Crypto is no stranger to scams, breaches and other forms of financial chicanery. What makes these assaults unique, however, is the existential threat they pose to a form of corporate governance with the potential to enter mainstream public life.

DAOs, after all, aren’t just for DeFi. Across the crypto ecosystem, these collectives are used to do everything from fundraising to managing intellectual property and carbon credits, and even providing legal expertise. While all DAOs are unique, however, one challenge common to all of them is the extreme difficulty in securing the code underlying their smart contract systems before and after the collective goes online.

The many examples of hackers taking advantage of this weakness are enough to chill the creation of new DAOs. So, too, are the efforts by individuals to hold these collectives to account for lax attitudes toward cybersecurity.

Few jurisdictions, after all, see DAOs as legal entities in their own right, instead recognising them as general partnerships – meaning that all of their members are severally liable for funds stolen and misplaced. As such, the class action suit against the bZx protocol is being watched with bated breath by the DAO community, since its verdict is likely to set a precedent that will permanently fix the limits of decentralisation in the model.

DAOs versus cybercrime

Few people could be said to know more about DAOs than Eyal Eithcowich. The founder of DeepDAO, an analysis platform providing data on almost every aspect it is possible to gather around these digital collectives, Eithcowich marvels at the progress that the sector has made in recent years. “There’s an amazing experimentation going on in DAOs, right now,” he says, “with thousands of active DAOs and millions of people participating in governance.”

Nevertheless, says Eithcowich, it is not a sector without its vulnerabilities. The first breach happened with the titular DAO in 2016, when the Ethereum blockchain’s experiment with collective fundraising was drained of $60m worth of ETH after a team of hackers exploited a glitch in the framework’s code base. That hack, which was mitigated by a hard fork of the blockchain later that year, chilled the creation of new DAOs for the rest of the decade. As the example of the bZx protocol hack shows, however, breaches are still more commonplace than enthusiasts like Eithcowich would like.

“We notice a couple of typical scenarios,” explains Noam Hof, DeepDAO’s head of research. Chief among them are flash loan attacks, wherein hackers obtain an unsecured loan from a third party to buy vast sums of a DAO token and acquire enough to obtain a majority voting share. Once this has taken place – usually within minutes – the attacker then motions to drain some or all of the DAO’s assets into wallets of their choosing. This happened to the Beanstalk Protocol in April, which saw hackers pocket $76m worth of assets.
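The scenario Hof describes depends on how a governance contract measures voting weight. As an added illustration (not code from DeepDAO, Beanstalk or any project named in this article; the `Governor` class, holder names and numbers are constructed, and it assumes the common design choice between reading balances at vote time and reading balances frozen when the proposal was created), this toy model replays one borrow, vote and repay sequence under both rules.

```python
"""Toy model of token-weighted voting; all names and numbers are constructed."""

TOTAL_SUPPLY = 1_000_000


class Governor:
    def __init__(self, balances, use_snapshot):
        self.balances = dict(balances)   # live token balances
        self.use_snapshot = use_snapshot
        self.snapshot = {}               # balances frozen at proposal time
        self.yes = 0
        self.voted = set()

    def propose(self):
        # Checkpoint every holder's weight when the proposal is created.
        self.snapshot = dict(self.balances)
        self.yes = 0
        self.voted = set()

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def vote_yes(self, holder):
        if holder in self.voted:
            raise ValueError("already voted")
        self.voted.add(holder)
        # The only difference between the two designs is this lookup.
        weights = self.snapshot if self.use_snapshot else self.balances
        self.yes += weights.get(holder, 0)

    def passed(self):
        return self.yes * 2 > TOTAL_SUPPLY


def borrowed_majority_passes(use_snapshot):
    """Replay borrow -> vote -> repay; return (proposal passed, yes weight)."""
    start = {"market": 700_000, "members": 300_000, "borrower": 0}
    gov = Governor(start, use_snapshot)
    gov.propose()                                # proposal already on the books
    gov.transfer("market", "borrower", 600_000)  # tokens bought with loaned funds
    gov.vote_yes("borrower")
    gov.transfer("borrower", "market", 600_000)  # position unwound to repay the loan
    return gov.passed(), gov.yes
```

With live balances the temporarily held tokens carry the vote; with weights frozen at proposal time the same sequence contributes no voting weight at all.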

Other attacks concentrate on finding vulnerabilities in web interfaces or the human frailty of DAO developers. In October, users of the Compound DeFi protocol discovered a critical flaw in its system. The governance rules of its DAO, however, mandated that members would vote on whether to patch the system within the next five days, with details of the update made public in an open source report. “They were lucky for four days,” says Dmitry Mishunin, CEO of security firm HashEx. “And on the fifth day, some guys checked this update, found vulnerabilities, and hacked them for $147m.” 

The Compound breach illustrates the limits of the DAO structure itself. While asking members to vote on the update was a democratic act, the resulting delay put the entire collective at risk. DAOs are also vulnerable to subversion by the mere fact that so many of their members remain anonymous. Such was the case with the unmasking of a co-founder of the Wonderland DeFi protocol as none other than Omar Dhanani, a convicted fraudster implicated in the collapse of the QuadrigaCX crypto exchange.

The absence of legally mandated know-your-customer protocols for DAO members is all the more dangerous given that, usually, only a minority of them are involved in governing the collective in the first place. “In the real world, a really small amount of community members are checking the proposals,” says Mishunin. This means there is little stopping larger stakeholders from embezzling or misusing internal funds.

More fundamentally, adds Mishunin, there’s a basic attitudinal problem in some DAO creators he’s seen about their corporate responsibilities. “I think they don’t understand that this money is real money,” he says.

Running a start-up entails constant contact with accountants, investors and users, as well as regulators and the tax authorities. All of this nurtures the idea that the money in the firm’s account is not just liquid, but tangible. By contrast, many DAO creators don’t have that feeling, says Mishunin. Rather, he says, “it’s like a toy for them.”

It is important not to overstate the dangers that software bugs pose to the wider DAO ecosystem, explains Eithcowich. “This stuff will happen,” he says, casting such bugs as minor irritations in a vibrant and growing ecosystem of democratic digital collectives. “If all we find is a couple of little code bugs here and there, that’s not a big deal.”

It is, however, playing a major role in the thinking of judges and legislators as they find a place for DAOs in mainstream corporate life. Indeed, the class action suit against the bZx protocol illustrates just how precarious the legal position of these collectives is in most jurisdictions. Only three nations – the Marshall Islands, Malta and Estonia – recognise DAOs as distinct legal entities. These are followed by a few state and provincial jurisdictions, including the Swiss canton of Zug, the British territory of Gibraltar, and several US states.

The latter include Wyoming, which passed legislation allowing DAOs to incorporate as a type of Limited Liability Company (LLC) in April 2021 and has since been used as a template by Tennessee, Ohio and New Jersey. The law contains provisions that the more libertarian-minded crypto adherent may frown at, explains Sarah Paul of law firm Eversheds Sutherland. For example, “if you’re incorporating a DAO as an LLC in Wyoming, you’ve got to have a Wyoming Registered Agent, and that agent has to meet various statutory requirements,” she says. “It may be that some DAOs won’t like that.”

In other states, including New York and – crucially for plaintiffs in the bZx protocol case – California, DAOs do not have anything approaching unique status under the law. As such, says Paul, “the concern – which I think has been really brought to a head by this class action that’s been filed – is that you just go to the default rule, which would be that a DAO is a general partnership, meaning that each of the DAO’s members can be held personally liable for the DAO’s actions.”

The case against bZx will mark the first time that this legal principle has been tested in court. The verdict is far from certain, with the defendants recently filing a motion to dismiss the case on the grounds that DAOs are not general partnerships, a finding echoed by the SEC as early as 2017. However, “if the plaintiffs win, then what you’re going to see is every DAO registering somewhere,” says Paul – likely in jurisdictions such as Wyoming.

Doing otherwise, she adds, is “just too dangerous from a liability perspective”.

The fallout from DAO hacks is putting their legal status to the test. (Photo by koyu / iStock)

The future of DAOs

There are signs, though, that DAO creators are wising up to the security and liability risks that accompany running their collectives.

The recent upsurge in breaches in the DAO ecosystem “has to do with the fact that it is a mature and growing field,” says Hof. Even so, he adds, “it’s not in its infant stage anymore,” with a plethora of new tools and organisations arriving in recent months that promise to shore up security vulnerabilities.

“Relevant DAO tools are now becoming more and more of a norm, like auditing services for contracts,” says Hof. Bug bounties are also a growth area, adds Mishunin. “Lots of really good people… are looking for those vulnerabilities, and they can find more than the auditors themselves,” he says.

More importantly from a liability perspective, more jurisdictions are passing legislation recognising DAOs as organisations in their own right. A new US Senate bill promises to do as much while encouraging their incorporation across individual states. The picture is improving at the state level, too, with the Wyoming template being followed by New Jersey, Ohio and Tennessee.

That precedent may not extend to more left-leaning states, explains Paul. “I feel like California is marching to the beat of its own drum,” she says, blazing its own trail with laws on carbon emissions, guns, drugs and labour relations. As far as DAOs are concerned, says Paul, “I wouldn’t be surprised to see…more consumer-friendly protections” compared to the Wyoming legislation.

Such laws would not just impose new rules on the liability and conduct of DAOs, but also checks on the democratic ideal around which they were originally conceived. The debut of the titular DAO in 2016 promised a collective structure of decision-making unfettered by mainstream institutions like banks and governments. For some, however, the intervention of the state into the DAO ecosystem is not unwelcome.

“I think regulations are good,” says Eithcowich, who considers himself much more of a socialist than many of his libertarian-leaning colleagues in crypto. “I think some DAOs, for some use cases, need regulation, like venture capital DAOs, or the large financial DAOs.”

Lawyer and DAO advocate José Nuno Sousa Pinto agrees. However, as more jurisdictions pass legislation bringing DAOs into the legal mainstream, he worries that lawmakers will treat these collectives as just another spin on the common-variety corporate structure. If that happens, “we don’t need DAOs,” Sousa Pinto says. “We already have companies, which have existed for hundreds of years.”

Whatever happens, the days of DAOs remaining a step apart from real-world questions of liability are surely numbered. As other aspects of crypto fall under the eyes of regulators around the world, the prospect of legal frameworks for these collectives has doubtless prompted an existential crisis among those early enthusiasts for the model, argues Paul. 

“The whole draw of DAOs and crypto at the outset was, ‘Let’s have something that is apart from government,’” she says. “And if it turns out that people can’t really do that, what’s the reason for crypto, and DAOs, and web3? What’s the draw if, in fact, you’re still going to be regulated?”

