Contract Language Limits Recovery in Singh, et al v. Illusory Systems, Inc., et al

The widespread and debilitating impacts of the recent faulty Crowdstrike® software update has caused businesses to evaluate processes and examine potential claims and defenses related to the deleterious commercial impacts of that occurrence. Unfortunately, that event is just another blip on the radar of seemingly weekly, massive data breaches, identity theft hacks, and ransomware attacks. Against this backdrop, blockchains are presented as figurative ports in storms of uncertainty. Blockchain promoters identify that technology’s potential for enhanced transactional security and use as a functional means of exchange, for things like cryptocurrency, outside of traditional structures.

While blockchains are emerging technologies, they are mediums of exchange and, at bottom, serve the same roles as other, more traditional, exchanges. A blockchain is a type of database or ledger that records transactions. Blockchains’ structures may promote transparency and security, but that does not guarantee that blockchains can be used risk-free. Vulnerabilities exist and malicious actors are ever-present.

Despite the emerging and futuristic nature of blockchains and cryptography, the law features some basic and time-tested contract principles that still apply when things do not go as planned. Those contract principles can serve to limit recovery in failed business dealings, disrupted internet business transactions, or even in situations where malevolent actors have hacked data or stolen money.

For those using blockchains to facilitate their business and economic affairs, understanding risk allocations and potential liabilities prior to transacting is just as critical as using any other transactional tool, whether it be hardware, software, or a piece of equipment. Indeed, regardless of the subject matter or mechanisms of a business deal, contracting parties and their legal counsel need to be careful to review their contracts for things like sweeping limitations of damages provisions.

These broad damages limitation provisions can be problematic if one is a plaintiff in a contract dispute. But the absence of a broad damages limitation provision in a contract, or a poorly drafted provision, could be detrimental to a defendant. Thus, contractual damage and risk of loss provisions are important to both sides in any contract – and in any lawsuit between contracting parties. Plaintiffs must determine whether they can bring contract claims or tort claims to seek remedies. The relevant contract language will help make that determination and frame the claims and defenses. This is amply illustrated in the United States District Court for the District of Delaware’s March 29, 2024 Memorandum Order resolving Motions to Dismiss in the Singh, et al v. Illusory Systems, Inc., et al, ____ F.3d ____, CA. No. 23-183 (D. Del. 2024)class action.

The Background

The Singh class action arose from a blockchain hack. Defendant Illusory Systems, Inc., a Delaware corporation whose principal place of business was in Utah, had developed a bridge between two blockchains. Blockchain bridges facilitate transfers from one independent blockchain to another. Illusory Systems, Inc.’s blockchain bridge was called the “Nomad Bridge”. The Nomad Bridge was controlled by the holders of 5 cryptographic keys. Illusory Systems, Inc. held 2 keys. Its co-defendants, Archetype Crypto II, LLC, Connect Labs, Inc., Ethereal Ventures Partners I, LP, and Consensus Mesh collectively held the other 5 cryptographic keys to the Nomad Bridge.

Plaintiff, Mannu Singh, was an individual cryptocurrency investor who used the Nomad Bridge in June and July 2022 to move his cryptocurrency assets between blockchains. The other plaintiff, Iagon AS, was a blockchain operator that used the Nomad Bridge to move its proprietary tokens in April 2022. In August 2022, Illusory Systems, Inc. updated the Nomad Bridge. That update introduced a vulnerability to the Nomad Bridge that was exploited by malicious actors. Those actors engaged in fraudulent transactions that resulted in a loss of $186 Million in assets. The Nomad Bridge hack drained $172,000 of Mr. Singh’s cryptocurrency and $4.2 Million of Iagon AS’s assets.

The Lawsuit

Seeking to recover their losses, Mr Singh and Iagon AS sued Illusory Systems, Inc. along with the other Nomad Bridge cryptographic keyholders. The plaintiffs also sued Circle Internet Financial, LLC, and a number of investors, Coinbase, Inc., Ozone Networks Inc., and Polychain Alchemy, LLC. In the suit, the plaintiffs asserted claims for violating the federal Racketeer Influenced and Corrupt Organizations Act (“RICO”) statute, conspiracy to violate the federal RICO statute, negligence, conversion and fraud. The federal district court dismissed all but the fraud claim. The Court found that the RICO-related claims lacked a causal nexus between the alleged racketeering activity and the damages that were incurred. The negligence and conversion claims were dismissed because they impermissibly sought relief under tort theories for damages barred by the parties’ contracts.

New Technologies Do Not Mean New Legal Principles

Despite the emerging use of blockchains as means of transacting business and the relatively new use of cryptocurrencies as mediums of exchange from one party to another, the District Court applied traditional legal principles to address the legal sufficiency of the plaintiffs’ claims. Just because a technology is new does not mean that new or different legal rules apply to claims or defenses.

The District Court found that the plaintiffs failed to plead a viable RICO cause of action and dismissed the RICO and related conspiracy claims. The plaintiffs alleged that the defendants violated the RICO statute by operating an unlicensed money transaction business and wire fraud. But, at the same time, the plaintiffs pleaded that their losses emanated from malicious actors’ fraudulent actions exploiting a vulnerability and hacking the Nomad Bridge. The District Court found that the pleaded malicious acts by third parties exploiting the Nomad Bridge vulnerability interrupted the causal link between the alleged RICO violations and the plaintiffs’ losses. The District Court disagreed with the plaintiffs’ assertions that defendants’ implementation of, or adherence to, regulatory compliance measures would have avoided the claimed losses at the hands of malicious actors taking advantage of a technological vulnerability and hacking the Nomad Bridge.

The District Court reviewed the pleaded tort claims of negligence, conversion and fraud. The principal obstacles to those tort claims were the contracts between the plaintiffs and defendant Illusory Systems, Inc. Plaintiff Singh was party to a “Terms of Use” agreement with Illusory Systems, Inc.. Iagon AS’s use of the Nomad Bridge was subject to an “Apache License” with Illusory Systems, Inc.. Both contracts contained comprehensive limitations of liability that essentially foreclosed the plaintiffs’ ability to pursue damages under contract theories.

The District Court observed that in the “Terms of Use” with Illusory Systems, Inc., “Mr. Singh acknowledged he was ‘access[ing]’ and ‘us[ing]’ the Nomad Bridge at his ‘sole risk’, ‘AS IS’, and that he could not recover ‘for any breach of security’ or any hacks by third parties, including through ‘phishing,’ ‘bruteforcing,’ or ‘other means of attack against the’ Nomad Bridge.” Likewise, the court noted that the “Apache License” “authorized Iagon to ‘reproduce’, ‘distribute’ and ‘modif[y]’ the Nomad Bridge code” and “[i]n return, Iagon agreed that it was ‘solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License’ and using the code on an “ ‘AS IS’ BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND” ․” In addition to that, the “Apache License” between Iagon AS and Illusory Systems, Inc. contained a provision stating:

Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

Finding little dispute between the parties about the applicability of the “Terms of Use” and the “Apache License”, the District Court concluded that those contracts applied and shaped the available remedies. Those contracts barred recovery under a breach of contract theory, leaving the plaintiffs to plead negligence claims.

As it appears that Utah law governed the “Terms of Use” and the “Apache License”, the plaintiffs’ tort claims could only proceed if they were not barred by Utah's economic loss rule. That precludes a party from recovering damages under a tort theory when a contract covers the subject matter of the dispute. See, Reighard v. Yates, 285 P.3d 1168, 1174 (Utah 2012). Attempting to avoid the economic loss rule, the plaintiffs theorized that Illusory Systems, Inc. and the Nomad Bridge cryptographic keyholders owed duties of care to secure and maintain users' funds on the Nomad Bridge that were independent of their contractual duties to users. The District Court disagreed and dismissed the negligence and conversion claims.

The District Court, however, allowed Iagon AS's fraud claim to proceed against Illusory Systems, Inc. That fraud claim was based on representations by an Illusory Systems, Inc. Employee to a principal of Iagon AS about the nature of the custody of tokens on the Nomad Bridge. The potential liability under this fraud claim, and the ultimate recovery possible if liability is found under that claim, will be the focuses of further litigation.

Reflections

The Singh case is in its early stages, with the disposition highlighted here being at the Motion to Dismiss stage. But the procedural and substantive issues are nonetheless worthy of consideration. The recent Crowdstrike® software update fault revealed how interruptive a failure of a seemingly routine action can be. While blockchains may offer greater security and transparency over other means of exchange, vulnerabilities can arise and can be exploited. Hackers can steal data and assets. That can disrupt business transactions or worse - result in damages.

Waiting to learn about potential remedies or defenses after a loss occurs is too late. Assuming that blockchain technology and crypto ledgers make for risk-free transactions that avoid the need to consider the impacts of mistakes or nefarious acts is short-sighted. A well-crafted user agreement identifying the terms and scope of services, risk allocation and the nature and extent of liability is just as critical as actually reading and understanding the terms of use and choosing not to do business with a party if there is not a suitable means of seeking redress in the case of an injury. Contractual provisions dealing with damages, remedies and risks of loss should be drafted with keen attention to the subject matter of the interaction, and not relegated to boilerplate terminology that is vague or uncertain when applied to the transaction that is the subject of the contract.

While it is possible that all parties in the Singh case chose to litigate in a Delaware courtroom about state-law issues controlled by Utah law, it is also possible that some parties would have preferred a different forum and/or different state law. It is also likely that, if the plaintiffs could have foreseen the potential of being seriously damaged by a hack, they may not have agreed to broad limitations of liability that foreclosed contractual remedies and left a difficult path forward pleading tort claims under Utah law.

At bottom, while blockchains and cryptocurrencies are emerging technologies used for exchanges, that does not mean that new legal principles are required to address disputes, or that the relative uniqueness of these forms of interaction allows the avoidance of traditional legal doctrines. Age-old principles of due diligence apply. Well-crafted and clear agreements provide the strongest foundation for parties to organize their affairs and to allocate risks if they desire to proceed. If things go wrong, which they invariably do, courts are unlikely to view the novelty of conduct as justification to dispense with time-tested principles.

Mannu Singh and Iagon AS, on behalf of themselves and others similarly situated, Plaintiffs, v. Illusory Systems, Inc..; Archetype Crypto II, LLC; Ethereal Ventures I Partners L.P.; ConsenSys Mesh; Connext Labs, Inc.; Coinbase, Inc.; Ozone Networks, Inc.; Polychain Alchemy, LLC; Circle Internet Financial, LLC, Defendants.