DAO Liability: Are Members Personally Exposed? Lessons from the CFTC's Ooki DAO Enforcement
The CFTC's 2023 judgment against Ooki DAO established that decentralized structures don't prevent regulatory enforcement—and three courts have since confirmed that governance token holders face unlimited personal liability as general partners. Here's what that means for your protocol.
The Ooki DAO Case: What the CFTC Actually Did
In September 2022, the Commodity Futures Trading Commission filed a civil enforcement action against Ooki DAO in the Northern District of California — CFTC v. Ooki DAO — charging three violations of the Commodity Exchange Act: conducting unlawful off-exchange leveraged retail commodity transactions, operating as an unregistered futures commission merchant (FCM), and failing to implement required KYC and AML procedures. On the same day, the CFTC settled parallel charges against bZeroX, LLC and its two founders for $250,000, making clear that the agency viewed the DAO as the successor entity rather than a way to escape responsibility.
Serving a decentralized autonomous organization presented an obvious procedural problem: there are no officers, no registered agent, no address. The CFTC's solution was to post formal notice directly to Ooki DAO's help-chat bot and its governance forum — channels the CFTC argued were the functional equivalent of notice to the membership. That approach was accepted by the court and now stands as precedent for how regulators can reach a headless protocol. The absence of a named legal entity did not stop the clock on service of process.
On June 9, 2023, the court entered a default judgment against Ooki DAO: a $643,542 civil monetary penalty, permanent bans on trading and registration, and an order requiring the DAO's website to be shut down. The underlying legal basis was a two-part holding — Ooki DAO qualifies as an unincorporated association under California law, and an unincorporated association is a "person" within the meaning of the Commodity Exchange Act. That combination meant the DAO could be sued, could be held liable, and could have a judgment enforced against it as an entity, with the attendant exposure that creates for its members.
The CFTC's Enforcement Director, Ian McGinley, put the agency's position plainly after the judgment: "This decision should serve as a wake-up call to anyone who believes they can circumvent the law by adopting a DAO structure." The record here is not speculative — there is a filed complaint, a docket, a default judgment with a specific dollar figure, and a protocol that was ordered offline. Web3 founders and governance token holders who treat decentralization as a liability shield need to account for what this case actually shows.
Personal Liability for Token Holders: Who Is Exposed and How
The Ooki DAO holding established that a DAO can be sued. The harder question — and the one that should concern every governance participant reading this — is which individual token holders become personally liable for the DAO's obligations. Three federal court decisions now map out a liability spectrum, and each tier of that spectrum is wider than most founders expect.
Tier 1: Active Voters
The CFTC's enforcement theory treats any governance token holder who cast a vote on any proposal as a member of an unincorporated association — and therefore personally exposed to the full judgment. What counts as a qualifying vote is not limited to high-stakes governance decisions. According to the CFTC's complaint, evidence of membership included votes to modify reward structures (participated in by holders of 91 million tokens) and votes to hire community managers (77 million tokens). Routine protocol housekeeping created the same exposure as a vote to launch a new product line.
CFTC Commissioner Mersinger, dissenting, illustrated the doctrine's arbitrary line: a token holder who votes on any governance proposal — even one with no connection to regulatory compliance — becomes a member with personal liability, while a holder who never votes avoids exposure entirely by that happenstance alone. That dissent is a fair description of the doctrine's current shape — but it is not a safe harbor. Voting is not the only path to exposure.
There is also a backward-looking dimension that creates lasting risk for anyone who participated historically. The CFTC left open the door to future enforcement actions against past governance participants — meaning founders and early contributors who sold their tokens months or years ago may still carry personal liability for votes they cast while they held those tokens.
Tier 2: Passive Holders
Choosing not to vote does not guarantee safety. In Sarcuni v. bZx DAO (S.D. Cal. Mar. 27, 2023), the court found that mere possession of BZRX governance tokens — without any voting activity — was sufficient to establish general partnership status. The court's language was unambiguous: "Any member of the DAO — i.e., anyone who possesses BZRX governance tokens — may be held liable for the putative misdeeds of the entire DAO." Under this theory, a token holder who purchased governance tokens, never voted, and never participated in forum discussions still faces joint and several liability for the protocol's obligations.
Passive holders are exposed on a different legal theory than active voters, but the practical outcome is the same: full personal liability for the DAO's debts and judgments.
Tier 3: Institutional Investors and Funds
Venture capital funds and institutional investors holding governance tokens face a third theory of exposure. In Samuels v. Lido DAO (N.D. Cal. 2024), the court found Paradigm, Andreessen Horowitz (a16z), and Dragonfly plausibly to be general partners of Lido DAO based on their governance participation and public statements supporting the protocol. The court found that intended governance participation, even without proof of actual votes, was sufficient to establish partnership liability. A fund that publicizes its support for a protocol, signals alignment with its governance direction, or participates in governance discussions — without necessarily casting a single on-chain vote — may satisfy this standard.
Why the Tier You're In May Not Matter: Joint and Several Liability
Across all three tiers, the liability mechanism is joint and several. That means any single exposed member can be required to pay the entire judgment — not their proportionate share of it. A holder of 0.1% of a DAO's governance tokens who voted once on an administrative proposal can, under this doctrine, be held personally responsible for 100% of a million-dollar judgment. The size of your token stake determines your governance weight; it does not limit your liability exposure.
The Unincorporated Association Theory: How Courts Get There
The legal mechanism courts use to reach DAO members is not novel — it is California's century-old unincorporated association statute applied to a new context. Under California Corporations Code § 18035(a), an unincorporated association is defined as "an unincorporated group of two or more persons joined by mutual consent for a common lawful purpose, whether organized for profit or not." A DAO with governance token holders proposing and voting on protocol changes meets that definition without difficulty. The harder question — and the one that determines whether liability is limited or unlimited — is which kind of unincorporated association the DAO is.
Courts have also closed the most intuitive escape route available to DAO defenders. In Samuels v. Lido DAO, the Northern District of California flatly rejected the argument that the protocol was merely self-executing code: "Lido's alleged actions are not those of an autonomous software program — they are the actions of an entity run by people." That framing matters because it shifts the analytical frame from software licensing to organizational law. Once a DAO is an entity run by people, the question becomes what kind of entity — and that determination controls everything downstream.
Two Tracks, Very Different Outcomes
The case law has produced a two-track liability framework. Track 1 applies to nonprofit unincorporated associations governed by the Uniform Unincorporated Nonprofit Association Act (UUNAA): members receive limited liability protection, insulating them from personal exposure for the organization's debts. Track 2 applies to for-profit DAOs, which courts classify as general partnerships under California Corporations Code § 16202. The partnership classification triggers unlimited, joint-and-several personal liability — and it applies regardless of an individual member's involvement in the specific misconduct at issue.
Most DeFi protocols land on Track 2. The operative facts in bZx DAO and Lido DAO were straightforward: token holders could propose governance changes, vote on treasury distributions, and hold tokens that generated yield or interest. Courts read those features as profit-sharing arrangements among partners, not charitable membership in a nonprofit. If a protocol distributes treasury rewards, pays yield to token holders, or lets governance participants capture economic upside, it is presenting as a for-profit enterprise under this analysis — which means general partnership, not UUNAA, and unlimited liability follows.
Entity Structures That Limit Exposure
The prior sections establish the liability landscape as courts have constructed it. The question every DAO founder and governance participant should be asking: what can actually be done about it? The answer is a legal wrapper — a recognized entity that stands between the protocol and its participants. But the choice of wrapper matters enormously, and none of them solves every problem.
Wyoming DAO LLC and the DUNA
Wyoming has gone further than any other U.S. jurisdiction to accommodate decentralized organizations. Under Wyoming Statutes §§ 17-31-101 et seq. (2021), a DAO can register as an LLC, giving members the standard LLC liability shield while explicitly recognizing on-chain governance through smart contracts and preventing the general partnership classification that courts have been applying by default. The 2024 Wyoming Decentralized Unincorporated Nonprofit Association (DUNA) statute extends that framework further: individual DUNA members are explicitly not held personally liable for the actions of the association or other members, and the statute permits smart contracts and distributed ledger technology as governance mechanisms. A16z crypto, which advocated for the DUNA, noted that without a recognized legal entity, DAOs face general partnership classification with what they called "untenable tax risk and legal liability" — and that the DUNA "works for 100 members just as well as it works for 10 million members."
There is, however, a critical limitation that no Wyoming structure resolves. The DUNA protects members from private civil liability between participants — it does not shield them from regulatory enforcement by sovereign authorities. A Wyoming DUNA would not have protected Ooki DAO members from CFTC enforcement. That is not a minor carve-out. For any protocol operating in regulated markets — commodities, derivatives, lending, or securities — the wrapper that matters most for the highest-stakes risk provides no protection at all.
Cayman Foundation Companies
For protocols seeking a more established and globally recognized structure, the Cayman Islands Foundation Company has become a preferred vehicle. Unlike traditional corporations, a foundation company has no shareholders — only a council and a defined purpose — which allows token-holder governance to direct the directors without creating conventional equity ownership. Participants are shielded from personal liability for the foundation's obligations. Uniswap, MakerDAO, dYdX, and ENS DAO have all used this structure. The Cayman approach works particularly well for protocols with significant international participation, where a U.S.-centric structure creates unnecessary regulatory surface area.
Marshall Islands DAO Act
The Marshall Islands DAO Act (2022) takes a different approach: DAOs register as LLCs with memberships recorded directly on the blockchain, built on that jurisdiction's 1996 LLC Act (itself modeled on Delaware's). The primary appeal is non-U.S. nexus — for protocols actively trying to minimize exposure to U.S. regulatory jurisdiction, the Marshall Islands structure offers an offshore option with explicit DAO recognition rather than relying on general LLC law adapted to a novel context.
The Wrapper Only Works If You Use It
Choosing a wrapper is step one. Using it correctly is step two, and this is where most implementations fail. A legal wrapper limits the DAO's liability only in transactions where the wrapper entity is the actual contracting and operating party. If the foundation signs contracts, the foundation is liable — not individual token holders. If the DAO's smart contracts operate independently and the wrapper entity is a nominal construct with no real operational role, courts will look through it. Most legal wrappers do not, by default, protect in all respects. Every material transaction, employment relationship, vendor agreement, and regulatory filing needs to run through the wrapper entity, not around it.
What DAO Founders and Active Members Should Do Now
The Ooki DAO enforcement and the cases that followed it draw a clear line: the time to structure a DAO for liability protection is before the first governance vote, not after the CFTC sends a complaint. The practical steps split into two paths depending on where you are today.
Path A: You Are Already Participating in a Live DAO
If you are an active governance voter or token holder in an unincorporated DAO, your exposure is present tense. The CFTC's theory in the Ooki matter penalized the bZeroX founders not only for what they built, but specifically because they voted on governance proposals as token holders after handing control to the DAO — treating the act of voting itself as a basis for liability. That framing applies to any active participant, not just founders.
- Interpose a personal entity now. Forming an LLC that holds your governance tokens, and through which you cast votes, creates a liability shield between your personal assets and any claim against the DAO. The DAO adopting a wrapper entity on its end does not protect you individually — your own legal entity is a separate step.
- Audit your prior participation record. If you voted on proposals that touched financial products, swaps, or securities-adjacent activity, document what you voted on and why. Retroactive wrapping cannot shield past governance exposure — that history already exists on-chain and in the regulatory record.
- Get coordinated regulatory advice. DeFi protocols commonly sit at the intersection of CFTC jurisdiction (commodity futures and swaps) and SEC jurisdiction (securities). Both agencies have demonstrated willingness to act. A single advisor who covers only one regulatory lane is not enough.
Path B: You Are Designing a Protocol or DAO from Scratch
Founders building new protocols have structural optionality that existing participants have already spent. The most expensive mistake is treating entity selection as a post-launch checkbox. Legal wrapper choice — Wyoming DUNA, Marshall Islands DAO LLC, Cayman foundation, or another jurisdiction-appropriate structure — should be locked in before token issuance and before the first governance proposal is published.
- Adopt governance hygiene from day one. Store governance agreements as IPFS-hashed documents, maintain a public list of authorized key addresses, and use time-locked auto-execution contracts for routine transactions. These practices build a clean record for the wrapper entity that regulators and courts can actually examine.
- Address KYC/AML requirements proactively. Under emerging compliance pressure on wrapped DAOs, beneficial owners holding 10–25% or more of voting power will likely be subject to KYC checks. Institutional holders should be on notice of this obligation before they acquire meaningful governance stakes.
- Separate operational entities from governance tokens. Founders should not hold governance tokens in their own names if a personal LLC or equivalent entity can hold them instead. The liability shield is structural — it only works if the structure exists before the exposure materializes.
- Retain counsel qualified across both CFTC and SEC domains before token issuance. The regulatory question is not whether your token is a security or a commodity — it is potentially both, under two agencies with overlapping but distinct enforcement frameworks. Issuance decisions made without that dual-lane analysis carry compounding risk.
The thread connecting both paths is timing. Entity structure, governance documentation, and regulatory compliance positioning all become harder and more expensive the longer a DAO operates without them. The Ooki case is the clearest available proof of what deferred structuring costs — and that bill arrived before most participants understood they owed it.
Get Ahead of the Liability Curve
DAO liability doctrine is moving fast, and the courts have shown no interest in slowing it down. Whether you are a founder who has already launched a governance token, an institutional investor with meaningful voting power, or a builder at the design stage for a new protocol, the structural decisions you make — or defer — in the next few months will determine your exposure for years. The right counsel covers both the regulatory layer (CFTC, SEC) and the entity structure layer (wrapper selection, governance hygiene, personal shielding) at the same time.
Promise Legal works with Web3 founders and DeFi teams on entity structure, regulatory strategy, and governance documentation. If your protocol is operating without a legal wrapper — or if you're not sure whether your existing structure is actually protecting you — get in touch.