Tulips are red, violets are blue: do software developers have fiduciary duties too?
Claims concerning the misappropriation of crypto assets have become an increasingly regular feature of the disputes landscape in the English courts. The recent Court of Appeal decision in Tulip Trading Limited v Bitcoin Association for BSV and others adds to the body of case law on crypto fraud and, notably, represents the first time that the court has had to tackle the question of whether software developers owe fiduciary duties to bitcoin owners using their software.
Tulip’s claim and its lost billions
Tulip claimed that it lost access to bitcoin worth billions after its CEO’s computer was hacked and the private keys needed to access the bitcoin were stolen and deleted.
Tulip brought a claim against 16 software developers of four cryptocurrency networks (the Developers). In that claim, Tulip sought the following relief and made the following allegations.
- For a declaration that Tulip owns the bitcoin.
- Alleging that the Developers owe fiduciary or tortious duties (or both) to bitcoin owners on their networks, requiring them to take steps to ensure Tulip has access to and control of its bitcoin (or at least that the Developers are obliged to take all reasonable steps to ensure that it does and ensure they do not give effect to the fraud). This includes a duty to issue software patches to allow Tulip to regain control of its bitcoin.
- For equitable compensation or damages for breach of those duties.
None of the Developers were in England and Wales. Tulip therefore sought and was granted permission to serve out of the jurisdiction. Twelve of the Developers applied to set that order aside and challenged the court’s jurisdiction. This was on the basis that, amongst other things, the Developers:
- Denied that they owe duties of the nature claimed by Tulip.
- Argued that Tulip’s claim went against the decentralised nature of bitcoin which operates through an unfixed changing group of developers.
The legal test for the court to determine was essentially whether there was a serious issue to be tried (of fact or law or both) such that there was a “real” as opposed to “fanciful” prospect of success.
At first instance, the High Court granted the Developers’ application challenging the court’s jurisdiction. It found that Tulip had no realistic prospect of establishing a fiduciary duty of the kind alleged so there was no serious issues to be tried. Tulip appealed.
The Court of Appeal reversed the decision and upheld Tulip’s appeal, finding that the case did raise a serious issue to be tried. That issue was whether the Developers owe fiduciary duties to bitcoin owners using their software.
The Court of Appeal explained that Tulip had, at least, an arguable case that software developers are fiduciaries because:
- The developers of a given network were a sufficiently well-defined group to be capable of being subject to fiduciary duties.
- They had undertaken a role which involved making discretionary decisions and exercising power for and on behalf of other people, in relation to property owned by those other people and entrusted into their care.
- The essence of their duty was single-minded loyalty to the users of bitcoin software, including not acting in their own self-interest and acting in positive ways in certain circumstances. It might also, realistically, have included a duty to act to introduce code so that an owner’s bitcoin could be transferred to safety in the circumstances alleged by Tulip.
What does the decision mean for cases involving crypto fraud?
Given that this was only a challenge on jurisdiction, the issue of whether software developers owe fiduciary duties has not been finally determined. But the decision allows Tulip’s case to proceed to trial so this issue might be subject to a full trial and binding precedent created.
If Tulip is right, this would change the law on whether software developers of such networks (and potentially, by implication, certain other software developers generally) owe their customers fiduciary or tortious duties, and the extent of those duties. That might also include a specific duty to issue software patches. All of which would involve a significant development in the common law on fiduciary duties, which the Court of Appeal recognised.
If developers do owe duties to users on their networks such that they are obliged to help them regain access when crypto assets are stolen, that has, potentially, very significant implications for developers involved in cryptocurrency networks. They would have to help customers recover their assets (potentially through creating software patches) which could be costly, time-consuming and complicated. In time, that could lead to increased claims against crypto asset networks from victims of crypto fraud who may see those networks easier targets to pursue than the fraudsters.
For crypto asset networks, this case follows other decisions which have assisted victims of crypto fraud. It also opens the door for a judicial decision on whether digital currency networks are in fact decentralized (which is seen as one of the core principles of these networks).
For users of crypto asset networks and victims of crypto fraud, it could invite changes in the claims they bring and the targets of those claims, make it easier to recover stolen assets, and put some of that burden on the networks they use.
It remains to be seen whether this case will make it all the way to trial, but, if it does, all those who make use of cryptocurrency networks or maintain and develop them would do well to keep an eye on the court’s final decision and the outcome of any appeals.
This article first appeared on the Practical Law website on 30 March 2023 and is reproduced with the kind permission of the publishers.