664 F.Supp.3d 1100
S.D. Cal.2023Background
- Plaintiffs are nineteen non‑U.S. users who lost about $1.7 million (collectively ~$55M) when a November 5, 2021 phishing attack on a bZx developer exposed private keys and allowed a hacker to drain funds from the bZx Protocol on Polygon and BSC.
- bZx began as entities controlled by founders Kyle Kistner and Tom Bean; in August 2021 control and assets were purportedly transferred to a token‑governed bZx DAO (later succeeded by Ooki DAO).
- Plaintiffs allege the DAO and named defendants (including Kistner, Bean, bZeroX LLC, Leveragebox LLC, Hashed International LLC, and AGE Crypto GP) formed a general partnership among BZRX tokenholders and were negligent in securing the protocol.
- Defendants moved to dismiss on multiple grounds: failure to state a negligence claim, lack of partnership pleading, lack of personal jurisdiction (over Bean), enforceability of browsewrap Terms of Use, class representative adequacy, improper party naming, and lack of standing.
- The court denied most dismissal arguments, finding Plaintiffs adequately pleaded duty and breach, and that the DAO plausibly constituted a general partnership among tokenholders; it dismissed claims against Tom Bean for lack of personal jurisdiction and dismissed claims against bZeroX LLC and Leveragebox LLC for failure to plead they were partners.
- The court denied the motion to strike class allegations without prejudice, rejected enforceability of the browsewrap Terms of Use, and declined to grant the Hashed defendants’ motions to dismiss for process or standing (permitting jurisdictional discovery if needed).
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Duty under negligence / special relationship | bZx owed users a duty to secure funds and supervise developers; promises of security made users foreseeably reliant | Defendants said non‑custodial nature and lack of direct transactions negate a duty | Court: duty plausibly alleged under California special‑relationship factors; pleadings survive 12(b)(6) |
| Breach (security failures) | Phishing exposed a developer key that was the Protocol’s only means to change/access funds; prior hacks and promises show inadequate security | Defendants: mere occurrence of a hack is insufficient to plead breach | Court: FAC alleges sufficient specific facts to plausibly show breach |
| Existence of a general partnership (DAO as partnership) | DAO tokenholders controlled governance, could share profits/distributions and supplied assets—constitutes an association carrying on a business for profit | Defendants: governance rights limited; allowing tokenholders unlimited liability is unprecedented; allegations are legal conclusions | Court: DAO plausibly alleged to be a general partnership; Plaintiffs pleaded facts on association, profit potential, governance, and contributions |
| Whether each defendant is a partner (individual pleading) | Plaintiffs allege founders participated in governance and investors participated in decisionmaking, supporting inference they held BZRX tokens | Defendants: FAC fails to allege token‑holding or profit sharing for certain entities (e.g., Leveragebox, bZeroX) | Court: sufficiently pleaded for Kistner, Hashed, AGE; not pleaded for Leveragebox LLC and bZeroX LLC—claims against those entities dismissed |
| Personal jurisdiction over Tom Bean | Plaintiffs tie jurisdiction to Bean’s status as a general partner in a partnership that did business in California | Bean: lacking minimum contacts with California to permit specific jurisdiction | Court: dismissed claims as to Bean for lack of personal jurisdiction with leave to amend |
| Enforceability of Fulcrum Terms of Use (browsewrap) | Defendants: Terms bar Plaintiff claims | Plaintiffs: no actual/constructive notice of browsewrap terms | Court: hyperlink location and lack of notice make Terms unenforceable; motion to dismiss on that basis denied |
| Motion to strike class allegations (adequacy) | Plaintiffs: named representatives are typical and adequate; any BZRX holdings are minimal or nonexistent | Defendants: named plaintiffs may hold BZRX and thus be jointly liable, creating conflict | Court: motion denied without prejudice — no clear irreconcilable conflict shown on the face of the FAC |
| Hashed/AGE: improper party, process, and standing | Plaintiffs allege Hashed and AGE were investors and participated in governance (tokenholders) | Hashed/AGE assert they did not hold BZRX and thus were misnamed; moved under Rule 12(b)(4) and Rule 11 | Court: denied 12(b)(4) and standing dismissal at pleading stage; left token‑holding factual dispute to discovery and allowed limited jurisdictional discovery if needed |
Key Cases Cited
- Ashcroft v. Iqbal, 556 U.S. 662 (pleading must state a plausible claim)
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (plausibility standard for complaints)
- Illeto v. Glock Inc., 349 F.3d 1191 (elements of negligence under California law)
- S. Cal. Gas Leak Cases, 7 Cal.5th 391 (economic loss rule and special‑relationship framework)
- J’Aire Corp. v. Gregory, 24 Cal.3d 799 (factors for special relationship and duty)
- Rowland v. Christian, 69 Cal.2d 108 (duty analysis)
- Int’l Shoe Co. v. Washington, 326 U.S. 310 (minimum contacts test for jurisdiction)
- Daimler AG v. Bauman, 571 U.S. 117 (limits on general jurisdiction)
- Nguyen v. Barnes & Noble Inc., 763 F.3d 1171 (browsewrap enforceability and constructive notice)
- Burger King Corp. v. Rudzewicz, 471 U.S. 462 (reasonableness in specific jurisdiction analysis)