On 25 March 2022, as reported inter alia by Bird & Bird who acted for the successful defendants, the High Court of Justice in England (hereinafter the “High Court” or “Court”) rendered its eagerly-awaited judgment in the dispute between Tulip Trading Limited v Bitcoin Association & others.
An alleged hack had prevented Tulip Trading Limited (“TTL”), or more precisely its CEO, Dr Craig Wright, from accessing over a million dollars’ worth of digital currency assets held at two addresses within the relevant networks (the “Networks”). TTL sought to hold the networks and their core developers accountable, notably on the basis that they owed users a fiduciary duty to counter the effects of the hack and allow Dr Wright access to his assets.
This is a ground-breaking development for the blockchain and cryptocurrency community that provides important insight into the application of English law to the digital economy.
The decision deals with several procedural applications made by the Parties. This comment focuses on the Court’s treatment of the claimant’s allegation that the defendants were in breach of the common-law tort of fiduciary duty and thereby liable for the loss of the claimant’s digital currency as a result of the alleged hack.
Dr Wright explained that, on 8 February 2020, he accessed his wallet and noticed transactions that neither he nor his wife had actioned, and which had occurred a few days before. He further noticed that the system logs had been erased, along with the encrypted files in which he kept his private keys. He reported the hack to the police, however the judgment notes that there was no indication that material progress was ever made in identifying the perpetrators.
Some of the defendants were located abroad and challenged the Court exercising jurisdiction over them. The claimant applied for permission to serve proceedings out of the jurisdiction. In considering whether permission to serve out should be granted, the Court had to apply the general principles governing service out including, importantly, that there be a serious issue to be tried and that the claimant have a good arguable case.
It is in this context that Mrs Justice Falk considered inter alia the possible fiduciary and tortious duties which, on the claimant’s case, the defendants might owe to TTL. While the Court found that no such duties existed, its reasoning is worth exploring in greater detail.
Serious issue to be tried
Mrs Justice Falk was satisfied that there was a serious issue to be tried that TTL was the owner of the vanished bitcoin, and that there was a plausible evidentiary basis for the claimant’s proposition that a hack had occurred.
Good arguable case
TTL claimed that the defendants owed it fiduciary duties, as a consequence of which they were or could be required to take all reasonable steps to provide TTL with access to and control of the stolen bitcoin, and to take all reasonable steps to ensure that effect not be given to the fraud. The failure to take such steps, said TTL, amounted to a breach of fiduciary duty, which justified an order requiring such steps to be taken and/or equitable compensation.
As to this, after an exhaustive review of the caselaw put before her, Mrs Justice Falk said that she was unable to conclude that TTL had a realistic prospect of establishing that the facts pleaded amounted to a breach of fiduciary duty owed by the defendants to TTL. It is worth recalling that the threshold for fiduciary duty in English law is high: it requires a demonstration that the fiduciary has undertaken a duty to act solely in the interests of the principal.
Mrs Justice Falk noted that one “difficult part” of TTL’s case was that it was founded on duties allegedly owed to all owners of digital assets recorded on the Networks, “who are by definition an anonymous and fluctuating class with whom the defendants have no direct communication, and certainly no contractual relationship.”
Against the notion that the developers owed a duty to introduce a software patch to enable TTL to regain control of its assets, Mrs Justice Falk found that:
“[D]evelopers are a fluctuating body of individuals. As a general proposition it cannot realistically be argued that they owe continuing obligations to, for example, remain as developers and make future updates whenever it might be in the interests of users to do so.”
Mrs Justice Falk added that the obligation of undivided loyalty, the distinguishing feature of fiduciary relationship, would be owed to all users of the Networks, and not only to the claimant. Yet the change sought by the claimant might be to the disadvantage of other users. This, Mrs Justice Falk said, was fatal to the claimant’s fiduciary duty argument.
Duty of care
TTL claimed that the defendants were in breach of a duty of care by failing to include in the software the means to allow users of the Networks to recover their private keys in the event of a loss or theft and more generally to include sufficient safeguards against wrongdoing by third parties.
As regards the tortious duties, Mrs Justice Falk first set out principles in detail in order to assess whether they could find application in this unprecedented scenario. Mrs Justice Falk considered that the complaint made was of failures to protect or act, as opposed to addressing bugs or other defects that would threaten the operation of the Networks. There was no allegation that any of the defendants was involved in the alleged hack or that they had acted in a way that had created or increased the risk of harm. Bearing in mind that the loss was purely economic, Mrs Justice Falk could not see a basis to depart from the general rule that the law imposes no duty of care to prevent third parties causing loss or damage. The Court also took into account the unlimited nature of the class to whom a tortious duty would be owed, as well as its open-ended scope.
The disclaimer in the software licence
Interestingly, the Court referred to the disclaimer contained in the software licence, which reads as follows: “[…] In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort of otherwise, arising from, out of or in connection with the software or the use or other dealings in the software.”
On this point, Mrs Justice Falk considered the wording to be broad and possibly not reasonably understood as meaning that controllers of the relevant Networks assume no responsibility. The Court’s remarks may offer guidance for drafters wishing to ensure the exclusion of liability through software licences.
In addition, the High Court included an interesting, albeit probably not unexpected, observation regarding the possibility for legislative developments to cater for similar situations. While the Court considered that there was no foundation for TTL’s claims under existing law, it expressly referred to the Law Commission’s project on digital assets, which considers inter alia the appropriate legal remedies and/or actions, and the possible resulting future developments of the law.
The Court made several references to the Law Commission’s project on digital assets, as well as the UK Cryptoassets Taskforce. These references demonstrate the Court’s recognition of the practical importance of the reports, statements and analyses carried out by these bodies.
The core of the Court’s decision pits the values of blockchain against off-chain, legacy principles of law. The blockchain is premised on a decentralised, a-legal space (here it may be of interest to point out that Dr Wright, the claimant’s CEO, claims to be Satoshi Nakamoto, the creator of bitcoin). The claimant’s decision to frame its case as one of fiduciary duty was risky given that, in English law, the evidentiary hurdle of demonstrating that the defendants agreed to act in the sole interests of users of the Networks is high. While somewhat rare, breaches in network happen, as evidenced by the recent Ronin breach. With increasingly important on-chain activity, the provision of an efficient and reliable dispute resolution mechanism will need to be addressed. Whether the release of a specific patch to give back control, as per the claimant’s request, or the option to activate a fork, like in the case of the Ethereum DAO Hack, are viable remains to be assessed.
Finally, the impact of this decision on the arbitration of future blockchain disputes is an open question. A different applicable law might recognise that duties of care are owed to users by blockchain platforms and/or core developers. Against this background, considerations relating to forum shopping and principles of private international law are relevant. Indeed, a harmonized legal framework for blockchain-related legal issues, whilst it is the subject of emerging initiatives, does not appear likely in the foreseeable future; thus, outcomes are likely to vary depending on the relevant law and/or jurisdiction. As part of a wider discussion, one would encourage arbitration services providers to design a version of the arbitral process that provides blockchain disputes with the flexibility and speed that are the staples of the Web3 economy.