The Liability Thesis — Shades of Legality from Green to Red

By Kale Pasch, CFA, JD · Published April 23, 2026 · 10 min read · Source: DeFi Tag

Code, Deploy, Collect — Part III of V

Photo by Alex Kolundzija on Unsplash

Mapping the Regulatory Spectrum

Every smart contract protocol occupies a position on a regulatory spectrum. That position determines not just the probability of enforcement action but the category of potential liability — civil versus criminal, federal versus state, securities versus commodity versus money transmission. The following framework maps the spectrum from lowest to highest risk.

Zone Green: Strongly Defensible.

A protocol in Zone Green satisfies all of the following conditions: core contracts are immutable (no proxy patterns, no upgrade functions, no admin keys); the developer has renounced ownership by transferring the admin address to the zero address or a dead contract; no single entity holds more than 5% of governance tokens; governance decisions require supermajority approval with multi-day timelocks; the developer operates a legally separate entity that charges for frontend access only; and the developer does not submit governance proposals, manage treasury funds, or make parameter recommendations.

This is the Uniswap V2/V3 model at its purest. The Second Circuit has ruled that developers in this position are “too peripheral to the transactions to be liable.” The SEC has closed its investigation without charges. The regulatory risk is as low as it can be in the current environment — which is not zero, but is defensible.

Zone Yellow: Defensible with Risk.

A protocol in Zone Yellow departs from Zone Green in one or more of the following ways: the developer retains a governance token stake exceeding 5% but less than 20%; contracts use proxy architecture but upgrades require governance approval and 48-hour timelocks; the developer submits governance proposals but does not control sufficient tokens to ensure passage; the developer provides parameter recommendations that governance independently evaluates; or the developer collects service fees from the DAO for ongoing development work.

This is the Aave Labs / Compound Labs model. The developer is materially involved in the protocol’s ongoing operation, but governance provides a genuine check on developer authority. The regulatory risk is moderate: the protocol’s tokens may be securities under an aggressive Howey analysis (the developer’s continued involvement constitutes “efforts of others”), but the governance structure provides a defense that no court has yet rejected in a contested proceeding.

Zone Orange: Elevated Risk.

A protocol in Zone Orange exhibits one or more of the following characteristics: the developer holds more than 20% of governance tokens; contracts can be upgraded by a multisig controlled by the developer and two to four associates; timelocks are 24 hours or less; the developer unilaterally sets fee percentages, interest rates, or collateral parameters; or the developer manages protocol treasury funds with only informal community input.

This is the architecture of most new DeFi protocols in their first twelve to twenty-four months — the “progressive decentralization” phase where the development team retains substantial control while building toward a more decentralized governance structure. The regulatory risk is significant: the protocol’s tokens are likely securities under Howey, the developer is likely operating an unregistered exchange or lending platform, and the state money transmission analysis is unfavorable in most jurisdictions. The defense is temporal — the team is moving toward decentralization — but temporal defenses require evidence of actual progress, not aspirational roadmaps.

Zone Red: Presumptive Violation.

A protocol in Zone Red is characterized by: single-key admin control; no governance mechanism; the ability to pause, drain, or modify the contract unilaterally; tokens marketed with price appreciation as the primary value proposition; or the developer and the protocol are the same entity with no legal separation.

This is a centralized financial service deployed on a blockchain. The technology is decentralized; the operation is not. Every regulatory framework — securities, commodities, money transmission, consumer protection — applies with full force. The blockchain deployment provides no legal insulation. The developer is operating an unregistered exchange, broker-dealer, money transmitter, or lending platform, depending on the protocol’s function.

The Criminal Liability Question

The gradient above addresses civil regulatory liability — SEC enforcement actions, CFTC orders, state money transmission violations. But the Tornado Cash prosecution introduces a separate dimension: criminal liability for developers whose protocols are used to facilitate crimes, regardless of the developer’s intent.

Roman Storm faced charges under 18 U.S.C. § 1956 (money laundering conspiracy), the International Emergency Economic Powers Act (sanctions violations), and 18 U.S.C. § 1960 (unlicensed money transmitting business). The prosecution’s theory was that Storm knew Tornado Cash was being used to launder proceeds from North Korean hacking operations and continued operating the protocol’s relayer infrastructure. The defense argued that Storm wrote and published open-source code — an act protected by the First Amendment — and that the protocol’s immutable contracts cannot constitute a “business” that Storm “operates.”

The trial concluded in August 2025 with a split verdict. A Southern District of New York jury convicted Storm on the § 1960 count — conspiracy to operate an unlicensed money transmitting business — but deadlocked on the money laundering and sanctions conspiracy charges, the two counts carrying up to 20 years each. Judge Katherine Polk Failla declined prosecutors’ request to remand Storm to custody, and he remains free on bail pending sentencing. In March 2026, the DOJ moved to retry the hung counts, proposing an October 2026 start date; Storm’s motion for judgment of acquittal on the money-transmitting conviction was argued in April 2026 and is awaiting a ruling.

The mixed outcome is itself the precedent. The jury’s unwillingness to convict on money laundering and sanctions — the charges that most directly test the “code is speech” defense — suggests real discomfort with holding a developer criminally liable for how third parties use immutable contracts. But the § 1960 conviction establishes that operating relayer infrastructure and a front-end can, by itself, expose a developer to federal criminal liability, even without a finding of laundering intent. Developers cannot rely on the First Amendment to cover operational choices that look like running a business.

The prudent smart contract founder operates as if the criminal boundary is narrower than the civil boundary, and narrower still around anything that resembles active operation rather than pure code publication. Civil liability can be managed through corporate structure, insurance, and legal compliance. Criminal liability cannot.

The DAO Wrapper Problem

The Ooki DAO and Lido DAO decisions create a specific problem for the smart contract startup model: if a developer deploys a protocol with governance tokens and those tokens are held to create a general partnership or unincorporated association, every token holder — including the developer — may face personal liability for the protocol’s actions.

The solution that the industry has adopted is the legal “wrapper” — a formal legal entity that interfaces between the on-chain DAO and the off-chain legal system. The Cayman Islands Foundation Company is the most common structure: an ownerless foundation formed under the Cayman Islands Foundation Companies Act of 2017, with directors who execute governance-approved proposals and a constitution that maps on-chain voting to off-chain legal authority. The advantages include asset protection, tax neutrality (no capital gains, income, or inheritance taxes), fast formation (two to four weeks), and relatively low cost. The disadvantage is that Cayman’s Virtual Assets Service Provider regime requires KYC for beneficial members holding 25% or more of governance tokens — a requirement that may conflict with the pseudonymous ethos of DeFi governance.

Wyoming’s DAO LLC statute, Tennessee’s DAO legislation, and Utah’s Decentralized Autonomous Organizations Act provide domestic alternatives that extend LLC-style limited liability to DAO members. But domestic formation brings domestic regulatory obligations — state securities registration, federal tax reporting, and potential designation as a money services business under FinCEN rules.

The hybrid model is essentially a response to a structural problem crypto couldn’t solve on pure ideology: decentralized protocols still have to interface with a legal system built around identifiable persons. Courts need someone to sue, regulators need someone to license, counterparties need someone to sign contracts, and tax authorities need someone to file returns. A pure on-chain DAO offers none of that — it is a smart contract and a set of wallets, not a legal person. The hybrid model accepts this mismatch and layers a conventional legal structure underneath the governance layer, so that each function sits with an actor the legal system can actually address.

The on-chain layer handles what blockchains are good at: transparent, rule-bound, token-weighted decisions. Proposals to change protocol parameters, allocate treasury funds, authorize grants, or approve upgrades are put to holders and executed by the contracts themselves. This is where the “decentralization” story lives, and it is the layer regulators look at when deciding whether a token is sufficiently decentralized to escape securities treatment. But the DAO itself cannot sign a lease, hire a lawyer, or pay a developer in fiat. Those tasks fall to the off-chain entity.

The entity — typically a Cayman Islands foundation company, a Swiss Stiftung, a Marshall Islands DAO LLC, or a Delaware nonprofit — is the legal vehicle that gives the protocol a mouth and a hand in the real world. It has a charter describing its purpose, a board or council with defined duties, and the capacity to contract, sue, be sued, and hold assets. When the DAO votes to fund a security audit, the foundation signs the engagement letter. When the DAO votes to support a grants program, the foundation disburses the funds. Its liability is circumscribed by its charter: it can only do what it was formed to do, and its directors owe duties only within that scope. Critically, because it is a separate legal person, it absorbs liability that would otherwise flow through to token holders — the same way a corporation shields its shareholders. Without the entity, plaintiffs can argue that token holders form a general partnership, which is exactly the theory the CFTC used against Ooki DAO.

The developer sits outside both. Rather than being an employee of the foundation or a de facto principal of the DAO, the developer contracts with the foundation as an independent service provider — often through a development company (Uniswap Labs, OP Labs, Compound Labs) that contracts with a corresponding foundation (Uniswap Foundation, Optimism Foundation, Compound Grants). The service agreement defines the work: write code to this specification, deliver by this date, for this fee. The developer’s liability is limited to that scope — breach of contract, professional negligence within the defined work — and does not extend to how the protocol is governed or how users deploy it. This separation is what lets a developer say, with some legal force, “I am not the protocol. I am a contractor who built software for an entity that deployed it, and governance of that software now belongs to token holders.”

What makes this “structuring rather than eliminating” liability is that each actor still bears real exposure, but the exposure is bounded and predictable. The developer can be sued for failing to deliver working code, not for how the code is used by a sanctioned wallet. The foundation can be sued for breaching its charter or mismanaging treasury funds, not for the aggregate behavior of every token holder. Token holders can lose the value of their tokens and, in the worst case, face securities or tax exposure tied to their holdings, but they are not joint-and-severally liable for everything the protocol does. Liability becomes a set of defined boxes instead of an undifferentiated pool.

The model’s weakness is that it only works if the separation is real. Courts and regulators look at economic substance, not labels. If the “foundation” simply rubber-stamps whatever the development company wants, if the “DAO vote” is controlled by founder-held tokens, or if the developer holds admin keys that bypass governance entirely, the structure collapses and everyone inside it is treated as one actor. The Roman Storm prosecution is instructive here: Tornado Cash had a DAO and immutable contracts, but the government focused on Storm’s operational role — the relayer, the front-end, the fees flowing to the developers — and the foundation-style formalities did not insulate him. The hybrid model is a necessary foundation for limited liability in decentralized systems, but it is not a magic wrapper. It works only to the extent that the roles it describes actually reflect how the protocol operates.

Continue to Part IV.
