Personal legal liability of being a bounty curator/multisig operator

image1536×768 119 KB

(writing this as a person without proper legal training, please don’t trust this text and feel free to correct my mistakes)

As OpenGov.Watch, we have become involved in being curators for 3 different bounties. In the process of navigating this field, the question of legal liability as a member of such a structure comes up. What will authorities think when me and my 6 crypto bros are moving one million DOT from a DAO multisig to that football club without doing any KYB/AML checks? What about that invoice that just has “Gemhunter69” as a name? Who is responsible when shit hits the fan?

There are no best practice guides available to us while at the same time, there are clear implied risks. In this post, I want to discuss our current thoughts on the topic.

DAOs are alegal, humans are not

DAOs are alegal structures. They are stubbornly executed according to their rules on monotone state transition machines and do not concern themselves with the legal scopes within which they are operated. That leads some to think that what happens in the DAO stays in the DAO. But that is not the case.

As much as DAOs do not care about the jurisdictions in which they operate, jurisdictions do not care that the humans that use a DAO hope that the DAO will shield them from legal repercussions.

Typically when you want to move a lot of money on behalf of someone else, you do not do it as a private person but rather set up some form of vehicle. An LLC or some other type of incorporated company. In DAOland, people seem to think that the DAO itself acts as the vehicle.

The problem is that unincorporated organizations typically present the highest level of risk for the individuals acting within them. In my jurisdiction and I assume in many others, unincorporated organizations default to joint liability. Everyone acting within that body can be held fully liable for the damages incurred by that body, even when caused by others.

I think the same will apply to subDAOs like bounties and multisigs acting on behalf of the DAO. They are unincorporated and have no legal structure. As such it is just a bunch of people acting together and using the DAO as a tool, similar to a bank account.

In other words, if a certain bounty were engaged in money laundering, every curator of that bounty might be the target of legal enforcement action.

These are all assumptions based on my crude understanding of the law. From this perspective, it would seem prudent to assume a defensive stance when acting in uncharted territory.

We need legal guidance to reduce the uncertainty in this area.

How OGW will act going forward

As OpenGov.Watch, we want to support the bounties we are operating in while protecting ourselves from legal risk. We will look out for which standards to apply when dealing with invoices and contracting service providers. We will also start consulting with legal advisors to learn what actions do not present risks and which do.

For now, for any payment that is requested from us to co-sign (as part of a bounty, etc), we will establish a minimum standard that asks contractors to present an invoice that contains a date, full name, full address, company registration number if applicable, and invoice number is presented.

How to continue the discussion

It is still unclear to us how to navigate the field, but at minimum, we want to be able to prove we put in reasonable effort in case authorities ever knock on our doors.

We think it would be good to start a discussion of how to structure subDAOs like bounties so that there is clarity for the bounty curators and operators.

It would be great if the Web3 Foundation could get involved and publicly share opinions or some other form of common good legal guidance could be funded.

Some questions to discuss:

• should subDAOs perform KYB/AML checks with contractors?
• can we still protect the identity of contractors?
• which jurisdictions provide the most clarity?
• are there certain countries where it is convenient to open a business to operate from as a bounty curator?

Really interesting discussion.

IMV

Curators who have been selected (and elected) to handle funds are done so by the greater Polkadot community, therefore any risk of mismanagement is the responsibility of the community in vote to oversee and remove any bad actors.

Of course, this means extra diligence taken when selecting these curator sets and transparency by each bounty a must.

On the side of the curators, every individual is responsible for their own legal well being - there definitely are pros and cons to both sides - dox vs anonymous.

In many cases, doxxing may actually help your case if there were any legal ramifications, for example, in some countries, operating as an incorporated entity removes the individual from any liability to company activities.

Taking an anonymous route, however, one could potentially disappear if things got too heated - however this also opens up the floor for ‘bad activities’ - again placing importance on the selection of curator sets and bounty health.

As for companies and contracted services (bounties managing and acquiring services) - no doubt there needs to be a paper trail from the company who is contracted for services.

Quotes, Invoices, Contracts, Company info, Contact, Point of Contact etc…

It is the job of the curator set to do as much due diligence on their contractors / submission request for funds as possible.

Very exciting topic.

J.

It depends on the laws that apply to the signing party, it’s legal status and liabilities, and the laws over digital signatures (like eIDAS in EU). But, in case of crime I guess that all of this doesn’t matter that much for the local authorities and the weight of legal evidence will outweigh other considerations in a court. The thing is that should be something really big to scale to international instances and affect all the international involved parties, idk which cases, maybe international money laundering that is not blessed by a powerful enough nation or power flips on such matters, as well terrorism financing…

Could this be a solution?

1. Bounty decides to fund a recipient, call it “Bob LLC.”
2. Bounty transfers funds to an escrow account managed by the Polkadot Community Foundation (PCF).
3. PCF conducts KYB on Bob LLC.
4. Once KYB is cleared, PCF distributes funds to Bob LLC.

This is the process that was followed for Ref #1173 (Ledger Giveaway)

Screenshot 2024-11-30 at 15.04.171720×968 42.7 KB

This process would also address a frequent question: “who do I address my invoice to?”

In many jurisdictions, addressing an invoice to “Polkadot DAO” or “Polkadot Treasury” is problematic for tax compliance bc it lacks critical details such as an address, entity registration number, or VAT number.

Addressing the invoice to PCF would reduce administrative challenges for both curators and recipients.

A solution to eliminate liabilities of the PCF?

No, they still have the same responsibilities, risks and liabilities. Choosing a poorly performing escrow company to “make things easy” will still land you in the same trouble as awarding the bounty to a shady bounty winner.
If one does due diligence and audits their bounty recipients and processes, and then doesn’t audit (or ask for reputable 3rd party audit reports) of their escrow partners, that means they likely use escrow services to get around auditing.

A solution for obfuscation and less immediate scrutiny? Perhaps. It doesn’t get anyone off the hook, though.

This is a different issue from liability and the solution is simple - the DAO should fix this nonsense on its side and provide these details. Of course they wouldn’t have an EU VAT number if they’re not in the EU - that’s no different from invoicing a corporate client from South Korea for your translation service.

No, a solution to eliminated the liabilities of Bounty Curators, which is the problem the OP is trying to find a solution for.

My suggestion assumes the PCF has the knowledge, manpower, legal resources and authority to perform DD on recipients of Treasury funds.

The Polkadot DAO voted to fund the creation of the PCF for these exact purposes, to represent DOT holders IRL: Ref# 820 Proposal: Establish the Polkadot Community Foundation to represent DOT holders IRL | Polkassembly

The PCF can enter into agreements with partners, vendors and service providers.

Screenshot 2024-12-02 at 12.36.43727×358 41.7 KB

Further, the DAO may delegate specific tasks to the PCF.

Screenshot 2024-12-02 at 12.39.36724×241 35.7 KB

The DAO does not have a physical address… which is why I suggested using the PCF’s address.

You can hear Chrissy speak about it here at 17:02

This is a really important topic, and the risks for bounty curators and even token holders definitely need more attention. One idea that might be interesting is setting up an indemnification mechanism to cover legal fees for token holders/curators who face the direct consequence of their participation in on-chain governance, either subpoenaed or actually sued by a third party and/or a regulatory body. Other projects like MakerDAO and Sushiswap have introduced similar setups, so it’s not uncharted territory.

For bounty curators, this could act as a buffer against personal liability when carrying out responsibilities like approving payments or managing funds. The same could apply to token holders actively involved in OpenGov, especially with cases like the CFTC vs OOKI DAO showing how courts might treat token holders.

Of course, the details would need to be worked out: how it’s funded, who’s eligible, and how to avoid abuse, but it might be an interesting starting point to reduce the risks for active contributors.

Why would anyone in decision loop be excluded from legal scrutiny?
As the subject states, all multi-sign operators are involved in authorizing such payments (as well as checking on and deciding about proposals).

Yes, using the PCF address would make sense.

Hi Otar, what are your thoughts on using the PCF as an intermediary between fund recipients and curators?

I’m not against the idea of involving the PCF, but I do wonder how the process would balance the roles of curators and the PCF if it were implemented. For example, would curators still have full authority to approve deliverables and decide payouts, with the PCF acting purely as a compliance check? Or would the PCF need to double-approve decisions, effectively turning curators into administrators rather than decision-makers? I think, based on the approach, it’s worth questioning whether the PCF would truly remove legal liability from curators or merely shift some of it.

Also, how would this work for child bounties, which are meant to allow curators to allocate funds on-chain quickly and flexibly? Would every child bounty payout require the same PCF coordination, and if so, wouldn’t that undermine the efficiency that makes bounties so effective in the first place?

Using the PCF as an intermediary to disburse funds and conduct KYB verifications seems like a solid and well-reasoned solution. I believe this approach can significantly mitigate legal risks for curators.

That said, I must ask: Does the PCF have the operational capacity to handle a high volume of cases? It may be necessary to adapt the PCF’s infrastructure to ensure it can conduct verifications efficiently and without delays.

Would it be possible to incorporate the identity verification process used by Polimec? Such a system could make the process more automated and decentralized, aligning better with the principles of our ecosystem.

Doesn’t seem that the PCF can exonerate any kind of liability, but can be a filter with it’s own due diligence to veto right on all decisions. Anyway if the due diligence goes wrong and incurs in facilitating criminal activities the curators signing are liable as well (partners in crime, that seems obvious, and in criminal law afaik is the individual who carries the liability, as it should be, the limited liability of a company does not apply in such cases).

For example, financing “soft rug pulls” would be not a criminal act in many jurisdictions, “hard rug pulls” probably yes. But this is a gray are that can change at any moment and maybe with retroactive consequences.

Maybe I’m missing something.