Since 2020, the market for non-fungible tokens (NFTs) has grown rapidly. NFTs are units of data stored in a distributed ledger that represent unique collectibles, artwork or other property and can be sold and traded. (For a useful introduction to cryptographic tokens, including NFTs, see Shermin Voshmgir’s Token Economy.)
In the early months of 2021, interest in NFTs increased after several high-profile sales and art auctions. Likewise, smart contracts — which can, among other uses, create and manage NFTs — have similarly risen in popularity because they function to automate the execution of an agreement. States such as Arizona, Nevada, Tennessee and Wyoming have passed legislation on the use of smart contracts. In 2020, Iowa passed a bill legally recognizing smart contracts in the state.
On Feb. 18, 2022, McKimmy v. OpenSea (Civil Action No. 4:22-CV-00545) was filed in the Southern District of Texas against a leading NFT marketplace. Timothy McKimmy claims his Bored Ape Yacht Club NFT was stolen on or about Feb. 7, 2022, due to a security vulnerability on OpenSea that enabled “an outside party to illegally enter through OpenSea’s code and access [McKimmy’s] NFT wallet.”
In his lawsuit, McKimmy alleges that OpenSea was aware of the security vulnerabilities in its platform. In January 2022, OpenSea reimbursed users after a loophole with inactive listings allowed opportunists to buy NFTs at a considerable discount. The user interface loophole affected users who had transferred their previously listed NFTs to other wallets without canceling old listings (“Open Sea reimburses users $2.8 million after bug led them to accidentally sell their NFTs at deep discounts,” Fortune). The opportunists exploited the ability to buy those NFTs at a cheaper, earlier listed price and then resell them at the much higher current market rate. OpenSea advised users to cancel old listings, which put their NFTs at risk again, according to some sources (“OpenSea’s Advice to Cancel Old Listings Put Holders at Risk…Again,” NFT Evening).
Then, on Feb. 19, 2022, OpenSea suffered a phishing attack. In a period of three hours, 254 tokens were stolen and 17 users of OpenSea were affected (“$1.7 million in NFTs stolen in apparent phishing attack on OpenSea users,” The Verge). The estimated value of the stolen tokens is more than $2 million (“Seventeen OpenSea users have their NFTs stolen and flipped for a total of $2.9 million by a phishing scammer,” Web3 is Going Just Great). The attack has been explained as the targets signing a partial contract with a general authorization and large portions left blank, which the attackers then filled in to take the target’s holdings. OpenSea was in the process of updating its contract system when the attack occurred.
McKimmy alleges that his Bored Ape #3475 NFT was stolen, listed and sold to another individual on OpenSea on or about Feb. 7, 2022. McKimmy alleges that OpenSea’s vulnerabilities “allowed others to enter through its code and force the listing of an NFT.” He attempted to resolve the issue with OpenSea but alleges that OpenSea “ignored” him. OpenSea is apparently investigating the issue but has not reversed the transaction. (Note that immutability may come up as a defense in this case. The case could put into focus that NFTs used on the Ethereum block chain are immutable, so the remedy sought may not be possible.) McKimmy also attempted to resolve the issue with the individual who currently possesses Bored Ap #3475, but the individual “refused to return it.”
The complaint includes causes of action for negligence and breach of fiduciary duty, trust, contract and implied contract. McKimmy alleges that OpenSea owed a duty of reasonable care to him as a user and failed to take proper measures to protect users. McKimmy further alleges that OpenSea failed to implement procedures to “prevent, identify, detect, respond to, mitigate, contain, and/or correct security violations.” McKimmy alleges that, in addition to failing to protect against reasonably anticipated threats, OpenSea entered into contracts and/or implied contracts and failed to protect digital wallets connected to its platform.
This case will highlight the issue of contracts and smart contracts in the emerging digital world. The elements of a contract, express or implied, are identical. These elements are mutual assent, expressed by a valid offer and acceptance, adequate consideration, capacity and legality. In the analog world, contract language is bound by the four corners of the contract, and so long as contracts “are clear and unambiguous, parole or extrinsic evidence antecedent or contemporaneous to the contract is inadmissible to vary, contradict, or add terms to the contract.” See Sterling, Winchester & Long, LLC v. United States, 83 Fed. Cl. 179, 184 (Fed. Cl. 2008).
There has been practically no analysis on smart contracts under settled legal principles at this time. As mentioned above, some states have passed legislation about smart contracts, but the majority have not yet tackled this question. If this case proceeds without settlement, it will provide context for how courts will analyze blockchain, NFTs and smart contracts under current analog laws. This court will broach the subject of the enforceability of smart contracts and who can enforce them.
Typically, contract disputes arise between a limited number of parties, but these smart contract disputes could extend from users like McKimmy suing the NFT marketplace, to hackers, to persons who purchased wrongfully obtained NFTS, and beyond. Courts will have to determine whether the Uniform Commercial Code shelter rule is applicable in such transfers as well. Under UCC Section 3-203(b), the shelter rule protects a grantee of an instrument who received the instrument from a bona fide purchaser. The grantee is “sheltered” from other claims by the grantor’s status as a bona fide purchaser. In these cases, if an NFT is purchased through an inactive listing bug and then resold and resold again, the court should answer whether the transfers can be upheld.
The rise of digital assets (including NFTs and cryptocurrency) and smart contracts will beget litigation of settled law and its application to these new instruments. Expect litigation to ensue in the areas of deceptive trade practices, breach of contract, breach of fiduciary duty, fraud and negligence, among other areas. McGuireWoods’ specialized litigation teams remain ready to defend clients against any claims that may arise.