Part 5 (DAOs): Game on – The virtually real risks for insurers playing in Web 3.0 and the Metaverse

In this multi-part series, The InsurTech Lawyer shares some thoughts on the opportunities for insurers in the Metaverse. Originally presented at the Association Internationale de Droit des Assurances (AIDA) conference in Zurich, 6-7 October 2022.

In Part 1 (Introduction), we introduced the idea of insurers playing in the Metaverse. In Part 2, we looked at Legal Proceedings, in Part 3 we considered Securities Class Actions and in Part 4 we took a look at potential Insurance Coverage under traditional covers.

Today we take a look at the world of DAOs.

Decentralised Autonomous Organisations

While cryptocurrency risks are a significant driver of liability in Web 3.0, the increasing popularity of DAOs presents some new and unusual risks. In the preceding sections, we explored how financial lines insurers might be able to cover certain crypto related exposures and the types of claims that may arise. However, DAOs present an opportunity for financial lines insurers to develop new product types altogether.

A DAO is an ‘organisation’ that uses smart contracts to enable a group of members (who hold the DAO’s native token) to vote on decisions relating to its operation, most commonly in relation to expenditure of the DAO’s treasury.[1] In this way, the structure does not require any formal management hierarchy or centralised control.[2]

DAOs are commonly used in the DeFi space. They are also used as governance structures in the Metaverse. For example, The Sandbox Metaverse, which runs on Ethereum, uses ‘SAND’ governance tokens to facilitate various transactions, and staking ‘SAND’ enables the user to participate in the governance of the Metaverse through a DAO structure. For example, SAND holders might be able to vote on grants to game creators, or feature prioritisation in the Sandbox Metaverse.[3] Similarly, in the Decentraland Metaverse, the Decentraland DAO enables MANA, NAMES and LAND holders to vote on grants, changes to the lists of banned names, points of interest and the operation of LAND and Estate smart contracts.[4]

In most jurisdictions, DAOs are not recognised as a corporate entity, are not able to enter into contracts or hold assets, and are not able to sue or be sued. DAO structures are sometimes used in tandem with a corporate legal structure; for example, the use of a Cayman Islands based foundation company is an attractive option.[5] In order to create real world contractual relations, DAOs may need to delegate their authority to an individual, a group of individuals or a corporate entity. There have been some very high profile DAO collapses/hacks,[6] but also some success stories.[7]

The uncertain legal nature of DAOs creates liability risks for those companies involved in its development and even for individuals who may be members of the DAO. In the absence of a corporate structure, there is no protection in the form of limited liability. While some jurisdictions such as Wyoming have modified the law to enable DAOs to have legal personality, in the absence of such regulation some believe that DAOs may be considered general partnerships, which have a legal personality in that each of the members is a partner. This would expose each of the members of the DAO to personal liability, a very undesirable proposition when compared to members of a corporate entity whose liability is ordinarily limited.

However, even if a DAO does not have legal personality, there is potential recourse to other entities involved in the creation of the protocol. The current class action involving the bZx cryptocurrency protocol illustrates the point.[8]

bZx class action

The bZx protocol is a DeFi protocol governed as a DAO, allowing users to lend and earn interest on tokens. The protocol was initially developed by two limited liability companies (LLCs) founded by two individuals, and the protocol is ultimately controlled by those who hold the BZRX token. Token holders have the ability to control the assets of bZx.

The plaintiffs alleged that:

  • bZx repeatedly touted its security features, stating that ‘users maintain control of their own keys and assets’;
  • in reality, a single password was sufficient to access all funds on two of the three blockchains on which Fulcrum (one of the bZx products) operated;
  • various representations on the bZx website were to the effect that funds were safe and secure, including ‘world class security’ and that users ‘never’ have to worry about ‘exchanges getting hacked or stealing your funds’;
  • on 5 November 2021, the bZx protocol was hacked because a developer who was working for the bZx DAO fell for a phishing attempt. The developer’s administrative private keys for two of the three Fulcrum blockchains were stolen and funds were drained; and
  • the bZx DAO compensation plan would take ‘thousands of years’ to compensate the plaintiffs.[9]

The claim is based in negligence, alleging that the bZx protocol and its ‘partners’ owed the plaintiffs a duty to maintain the security of the funds deposited on the protocol, including having procedures so that a phishing attack on a single developer would not result in a multimillion-dollar theft. It also seeks to show that the bZx protocol and its ‘partners’ had a duty to supervise developers, that the unnamed developer had a duty to secure the passwords from malicious attacks, and that the bZx DAO was vicariously liable.

It will be interesting to see whether the court agrees that these duties were in fact owed to the plaintiffs by the bZx DAO, its ‘partners’, or the founders.

Similar to the Coinbase consumer litigation described above, the bZx class action alleges negligence in the management of crypto. While ongoing, the nature of the proceedings highlights some pertinent points:

  • the plaintiffs seek compensation from the DAO alleging it is a general partnership. While some jurisdictions enable DAOs to be structured as a separate legal entity, most do not. The general partnership classification means that DAO members may have unlimited liability and do not have the level of protection afforded to corporate shareholders and officeholders;
  • if it is held the DAO is a general partnership, it may mean the members/token holders are jointly and severally liable for the plaintiffs’ losses;
  • the proceeding is also against the bZx protocol founders personally, highlighting their potential liability for the losses incurred;
  • while many crypto related operations are decentralised, few are truly decentralised to the extent that there are no corporate entities involved in their development. Accordingly, it is possible to file legal proceedings against and seek recourse from real world entities. Well-known Metaverse lands, such as Decentraland, still have a legal entity that holds the IP and conducts real world operations.[10]

    In the bZx class action, the proceedings are brought against the bZx members (alleging it was a partnership), the LLC companies involved in its development, and its co-founders who controlled the LLCs, Kyle Kistner (co-founder of the bZx protocol) and Tom Bean (co-founder of the bZx protocol);
  • management of private keys remains a very serious issue. Unlike transactions that take place on traditional banking infrastructure, it is not possible to reverse transactions that have taken place on the blockchain. It is also more difficult to identify the perpetrator; and
  • it will be interesting to see how the court deals with the fact that some of the members who have suffered losses, and are therefore within the class of plaintiffs, would also be ‘partners’ as they are members of the bZx DAO and are therefore within the class of defendants in the proceeding.

Legal recognition of limited liability DAOs as a separate legal entity will also enable them to enter into contracts, hold assets and sue and be sued. Furthermore, the liability of members/tokenholders can be limited. Until then, the bZx class action is a reminder that anyone involved in the DAO could be a target if something goes wrong, for example the following:

  • tokenholders/members who control the assets and vote on proposals;
  • the founders who set up the DAO and coded it, especially if there was an error made in the code so that the DAO did not function as warranted;
  • corporate entities that may be involved in the set up or operation of the DAO;
  • representatives of the DAOs. Until DAOs have separate legal personality, they may need to delegate authority to a natural person to carry out real world functions. The person might be an agent of the DAO. If a DAO does have legal personality, such a person could be considered an ‘officer’ of the DAO;
  • auditors who might be appointed to review the code of the DAO; and
  • oracles relied on by the DAO if they provide incorrect data.

Financial lines insurers could consider tailoring insurance policies to provide cover for the different types of liability and insureds who might have civil liability exposure by being involved in DAOs, for example under tort law. As the Metaverse expands and more worlds are governed by DAOs, insurance may play an increasingly important role. While DAOs that are not recognised as legal entities are not able to obtain insurance in their own right, individual participants are able to do so.

While beyond the scope of this paper, it should be noted that a number of DeFi protocols are providing alternative risk transfer options similar to insurance in respect of DAO and smart contract liabilities.[11] While DeFi protocols provide a native solution for decentralised risks, they do not have the size, scale and reputation of traditional CeFi insurance providers. Accordingly, while DeFi may pose a competitive threat, financial lines insurers may still retain some competitive advantage in this regard.

Is the future beyond DAObt?

While a number of DAOs have had a relatively short life, there have been a number of successes and it is reasonably likely DAOs are here to stay. However, the form that DAOs may take in the future is in the hands of lawmakers. It remains to be seen whether DAOs will be the evolution of the corporate structure, the next ‘big thing’ since limited liability.[12]

The issue for lawmakers now is whether and how to design a regulatory regime that will give DAOs legal personality, and balance protection of the community with the desire to give a degree of protection to DAO participants as well. At the time of writing, only a limited number of jurisdictions enable a DAO to register as a legal entity. These are the Cayman Islands, Vermont, Wyoming and Tennessee.[13] Australia’s Senate Select Committee on Australia as a Technology and Financial Centre recommended in October 2021 that Australia recognise a DAO company structure.[14] However, further progress has not yet been made following the change in government.

From insurers’ perspective, opportunities may arise to cover individuals’ exposure to risks arising out of being involved in a DAO. These risks may differ depending on whether the DAO is granted limited liability similar to a corporation. Given DAOs are in their nascent phase, the application of the law in these areas is still uncertain but some examples include:

  • fiduciary duties towards other participants that might be implied by the protocol;
  • duties of care under tort law owed by DAO members, for example where a person does not receive a promised payment;
  • criminal liability for theft or embezzlement, if cryptocurrency is considered property; and
  • abuse of market share or dominance and collusion that may be unlawful under competition/anti-trust law, for example, where DAO members performing transaction validation collude to raise transaction fees.[15]

An area of controversy in designing a regime for the legal recognition of DAOs in Australian company law is whether liability should attach to a certain person or entity. Prior to the election, media reports stated that the Treasury was consulting with stakeholders in relation to the new regulatory regime, and that it may require the DAO to nominate a ‘responsible person’.[16] The responsible person would enable regulators and courts to hold someone responsible if the DAO failed.

While it is easy to see the community protection argument for such a proposal, it partially defeats the purpose of a DAO, which is to enable decentralised participants to make decisions. It is also challenging to see how liability might be attributed to this person in circumstances where they might not have any oversight or control over the decentralised participants, or even know who they are. Those setting up DAOs may find such restrictions unfavourable when other jurisdictions do not have similar requirements.

Tim Chan is an insurance & insurtech lawyer at global law firm Norton Rose Fulbright and Founder of The InsurTech Lawyer blog. He regularly advises insurers and startups on emerging legal issues affecting the industry. Follow Tim on Twitter: @timinsydney


[1] Carlos Santana et al, ‘Blockchain and the emergence of Decentralized Autonomous Organizations (DAOs): An integrative model and research agenda’ Technological Forecasting and Social Change Vol 182 (September 2022).

[2] Ibid.

[3] The Sandbox, ‘More About SAND’ (Web Page) <https://sandboxgame.gitbook.io/the-sandbox/sand/general-frequently-asked-sand-questions>.

[4] Decentraland, ‘What is the DAO?’ (Web Page) <https://docs.decentraland.org/player/general/dao/overview/what-is-the-dao/>.

[5] See commentary from the Carey Olsen law firm, ‘Cayman Islands Foundation Companies for DAOs, Defi and NFTs’ (Web Page, 6 April 2022) <https://www.careyolsen.com/briefings/cayman-islands-foundation-companies-daos-defi-and-nfts>.

[6] David Siegel, ‘The DAO attack: understanding what happened’ (Web Page, 25 June 2016) <https://www.coindesk.com/learn/2016/06/25/understanding-the-dao-attack/>.

[7] For example, see Decentraland which is a virtual world governed by a DAO and anyone who owns the platform’s token (MANA) can participate in the process <https://decentraland.org/>.

[8] Sarcuni et al. v. bZx DAO et al. – 3:22-cv-00618 (S.D.N.Y. 1 December 2020).

[9] Sarcuni et al. v. bZx DAO et al. – 3:22-cv-00618 (S.D.N.Y. 1 December 2020) (Complaint).

[10] For example, see ‘Terms of Use’ (Web Page) <https://decentraland.org/terms/>.

[11] For example, see Nexus Mutual <https://nexusmutual.io/> and InsurAce <https://app.insurace.io/>.

[12] Brijesh Jeevarathnam, ‘DAOs; The Biggest Corporate Innovation Since Limited Liability?’ <https://www.adamsstreetpartners.com/insights/daos/>.

[13] Scott Sugino et al, ‘DAOs: Looking for Limited Liability & Legal Personality’ (Web Page, 11 July 2022) <https://www.omm.com/resources/alerts-and-publications/alerts/daos-looking-for-limited-liability-and-legal-personality/>.

[14] Australian Senate, Select Committee on Australia as a Technology and Financial Centre Final Report (October 2021) <https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Financial_Technology_and_Regulatory_Technology/AusTechFinCentre/Final_report/section?id=committees%2freportsen%2f024747%2f78047>.

[15] Peder Østbyem, ‘Exploring DAO Members’ Individual Liability’ <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4045799>.

[16] James Eyers, ‘Decentralised autonomous organisations: where does the buck stop?’ (Web Page, 24 March 2022) <https://www.afr.com/companies/financial-services/dao-consultation-will-involve-thorny-questions-on-responsibility-20220324-p5a7lp>.