Dragonfly Capital Partner: 11 Legal Pitfalls Crypto Startups Need to Watch Out For
Author: Lindsay X. Lin, Partner at Dragonfly Capital
Original Title: “11 Tips to Avoid Crypto Startup Legal Pitfalls”
Compiled by: Hu Tao, Chain Catcher
There is a lot of noise in the market about crypto regulations: armchair IANALs¹ comment on the Howey test, while most real lawyers are limited to providing simplified overviews. I was previously the first lawyer at Stellar and now discuss legal and regulatory issues with many of Dragonfly's portfolio startups. I began to realize that most people are completely unaware of how to navigate crypto law and regulation from an operational perspective. Figuring out good practices is both difficult and time-consuming. Therefore, I have distilled the practical legal considerations for operating a crypto project "from zero to one."²
Special thanks to Marc Boiron for his valuable insights on this topic. Additionally, I am very grateful to Haseeb Qureshi, Zack Skelly, and Celia Wan for their careful review and feedback.
Why Law is So Important
Crypto startups often focus on technology, marketing, and community, but tend to overlook legal aspects. It is natural to build something cool and consider legality as a secondary aspect ("…but I'm decentralized!").
However, even if you think of yourself as an "anarchist"³, this is a mistake: class actions, enforcement actions, criminal investigations, consumer harm, and unexpected taxes may be lurking around the corner. If it doesn’t hit you now, it might in five years. Don’t let Kruger convince you that you’ve figured out legality just because your Twitter avatar is a PFP and you remember the four aspects of the Howey test.
The law affects products, operations, marketing, partnerships, and corporate structure. Given the rapidly evolving laws and regulations, there is no template for crypto law, and different lawyers may tell you different things based on their conservativeness and interpretation of current trends. Furthermore, your personal risk tolerance will significantly influence your approach, so you must understand your limits.
The purpose of this article is to provide some operational tips for startup founders based on years of close experience. How can cryptocurrency startups establish legitimacy to prepare themselves for the long term? What are the common pitfalls? What kind of infrastructure should they build?
This article is not intended to explain crypto law 101. The 0x Legal Wiki, curated by Jason Somensatto, while somewhat outdated, is still the best place to read about the basic legal framework surrounding crypto. Additionally, nothing in this article constitutes legal advice. It is crucial for companies to obtain targeted legal advice from reliable, experienced external advisors.
That said, here are my 11 important tips.
1. Properly Structure Your Company
Before you secure venture capital funding, you need an investable entity that has completed company registration in your chosen jurisdiction, with corporate organizational documents in place, and (if applicable) intellectual property agreements signed with employees, contractors, and affiliates.⁴
The company structure can significantly impact tax obligations, regulatory risks, regulatory obligations, and general liability. You should consider where to establish your company, what functions each entity will perform if you want to use multiple entities, who will manage the entities, and what type of corporate form you want to use for each entity. Many protocols involve multiple entities, for example, placing the token generation entity offshore, placing the software development entity in a jurisdiction with strong legal protections for software development, and using a separate entity to host the front-end interface or conduct business development. If the entity structure is sound and complies with corporate formalities, you should be able to isolate risks and obligations between entities.
Your decisions regarding company structure do not need to be fully resolved on day one, but you should consult and work with your external advisors to ensure your initial setup provides flexibility for future expansion.
2. Establish Internal Policies
You need to set expectations with your co-founders, employees, contractors, and key ecosystem members regarding acceptable behavior. One bad apple can tarnish the reputation of the entire project. Some policies⁵ that I recommend all companies consider:
1) Communication Policy:
As a company, maintain consistency in how you communicate what your product is, what your token does, what role your company plays in interacting with users and funding, and what your roadmap is. Given your technical limitations, you can set expectations with users about what you can and cannot provide.⁶ If your project is new, be sure to inform users that your technology is under development, carries significant risks, and may result in loss of funds. Tell your team not to promote or promise anything related to token prices (how can you really know?) or non-static partnerships.
What your team says on Twitter, Discord, and Telegram may be taken to represent the company's views unless explicitly stated otherwise. For example, see all instances of Ripple executives and employees cited in the SEC's complaint against Ripple Labs, Inc. Ensure your team (especially the marketing team) understands the boundaries of their communications.
2) (Token Projects) Trading Policy:
If your project has a token, you might consider establishing a team trading policy to prevent the team from trading based on material non-public information or front-running cryptocurrencies, as well as from executing or directing trades that could lead to market manipulation. This builds community trust and avoids allegations of market manipulation.
You might consider establishing internal policies to set lock-up schedules and sales restrictions for your team.
3) Sanctions Policy:
Violating sanctions is a strict liability offense, so conduct some basic procedural checks to ensure you avoid this (e.g., ensure you are not interacting with individuals residing in sanctioned countries, search the OFAC database to ensure you are not interacting with sanctioned wallets or individuals, and consider imposing IP restrictions on your front end so that you are not interacting with sanctioned entities).
3. Understand that All Your Documents and Communications May Be Discovered—True Privacy is Rare
Avoid making bad jokes in internal communications. During a regulatory subpoena or private class action discovery process, you may be required to produce all messages you have sent and all documents related to a particular matter. This may also include recollections of phone calls and other ephemeral messages. Avoid saying things that can be taken out of context.
The exception is attorney-client privileged documents, but the scope of this category may vary by jurisdiction. If you are discussing sensitive strategies, be fully aware of that scope.
4. Ensure Content Accuracy
Make sure that your website, social media, and other external-facing information are accurate and not misleading. Your website, marketing, and public information are the primary concerns for potential plaintiffs and regulators when they consider suing you. Your users will also form their understanding of your product from your content, and if they misunderstand the product, they may be harmed.
Provide appropriate disclaimers and disclosures where necessary so that your users know what they are getting into. Do not make outrageous claims without proper warnings and definitions (9000% APY).⁷ For front-end interfaces, clearly state what the front end does and does not do. Avoid using terms from the TradFi world to describe your product without sufficiently prominent warnings explaining how the product differs. Perhaps just create a separate term for your product instead of using TradFi terminology.
It is worthwhile to have external advisors review your website and marketing materials at least once. They should browse your site and point out your blind spots.
5. Have a Terms & Conditions Page and a Privacy Policy Page
You may want your Terms & Conditions page to include disclosures about your technology, liability limitations, disclaimers of warranties/guarantees, risk disclosures and assumptions, descriptions of marketing terms (e.g., what does "free" or "APY" really mean?), eligibility criteria for users to use your front end or participate in certain benefits (e.g., airdrops), prohibited activities, and geographic restrictions. Mandatory personal arbitration is now standard and helps avoid class action lawsuits or class arbitration. If your product involves community interaction, consider a community conduct policy and content moderation policy.
Your privacy policy should include disclosures and warnings about the permanence of blockchain transactions and the fragility of anonymity. Fortunately, you can hire external advisors to help draft these policies. You can also look at examples from leading projects in your field for inspiration.
6. Understand Your Intellectual Property ("IP") Strategy
Most crypto protocols are licensed under permissive open-source licenses (e.g., Apache 2.0 or MIT licenses). These licenses are widely supported in the industry because they facilitate rapid iterative innovation, but some projects may benefit from customized approaches, such as licenses that prevent rapid follow-on forks. For example, the Uniswap 3.0 license prevents forks for two years, while MetaMask's license allows its software to be used openly unless you commercialize a fork and have more than a certain number of monthly users.
If your codebase is open to public contributions, you should ensure that contributors assign their appropriate IP rights to an entity that can provide project code under the license you choose. This is typically done through a Contributor License Agreement, which may sometimes be automatically embedded in the contribution process if you use GitHub.
Obtaining trademarks can be an effective way to combat online fraudsters. Domain registrars and social media platforms are very sensitive to trademark infringement claims. However, as with all IP, you must determine the appropriate entity to own and enforce the IP. Intellectual property is a double-edged sword: enforcement and ownership of IP can be seen as a factor against decentralization, as these processes rely on a central entity.
7. Understand the Tax Implications of Token Issuance
If your project involves tokens, ensure that your company is structured properly at the time of token issuance or sale. Once tokens are issued and fair market value is determined by the market (or when token rights are sold through a token purchase agreement or SAFT), your company's and tokens' tax valuations may change, making it impossible for you to provide employees with grants that allow them to realize significant gains. This can also lead to significant and irreversible tax consequences, depending on your local tax regime.
You can choose to provide token incentives to employees in various ways, such as unrestricted token grants, restricted token grants, token options, and restricted token units. The tax treatment and timing of these methods vary greatly, so consult a tax attorney to determine the most appropriate format for your project stage and plans.⁷
8. Do Not Succumb to the Traps of Crypto Marketing
It is tempting to have celebrities promote your product. However, paying influencers (or anyone else) to promote your project is a bad idea unless you ensure that the influencer discloses they are being compensated for such promotions.⁸
Making outlandish promises without factual basis is a bad idea—if those promises are not fulfilled, you may be investigated for fraud.
Generally, using viral marketing techniques related to tokens (e.g., refer five people to get X tokens) will be subject to more scrutiny from regulators and may not be suitable for your project.
Do not promise token price fluctuations or even token quantities. In general, do not promise things you cannot control.
9. Ensure You Have Experienced External Legal Counsel
Good cryptocurrency lawyers are invaluable, possibly literally.
Hire advisors with prior crypto experience. While I am open to new crypto lawyers, working with lawyers who have never consulted on crypto-related products, regulatory advice, or financing transactions can be both risky and time-consuming. It is best to hire someone who already knows how to identify and navigate pitfalls.
Different lawyers will have different opinions. I have seen senior advisors disagree on where a startup should incorporate, front-end obligations, whether tokens are securities, and other key issues. Some are conservative; others almost never say no. If a piece of advice seems unreasonable to you, it may be worth getting a second opinion, but do not "seek opinions" to get a "yes," or you may undermine the very purpose of consulting a lawyer. Ask other founders and your VC to help you find a high-quality, experienced lawyer.
10. Imitation is Risky
It is tempting to try to "copy and paste" strategies from other seemingly successful protocols. However, you still need to do your own research. Simply observing a project's public presence will not give you a comprehensive understanding of what structures other protocols have built internally to protect themselves. Depending on various characteristics of their teams or products, they may also be subject to different legal regimes, risk exposures, and risk tolerances.
It is also worth remembering that enforcement actions lag significantly behind "effectiveness" metrics. Enforcement actions may not be publicly announced until years later. Just because the SEC does not immediately sue a company for launching a product does not mean it is an implicit approval.
11. Do Not Forget Decentralization
This may sound obvious, but it is worth repeating: if decentralization is an integral part of your legal and regulatory posture, do not forget decentralization. Develop a roadmap that outlines how you want your organization to release responsibilities to the community and ensure accountability. For many projects, especially those in DeFi, your company's goal in 5-10 years may be to cease to exist. Many projects become complacent about their decentralization plans or yearn for metrics that signify success for traditional startups ("over 1000 employees!"), which really do not make sense for crypto projects.
Conclusion
A great legal strategy is just one component of a startup's success, but it is essential. If you are knowledgeable and strategic from the start, you can actually avoid many pitfalls with relative ease.
As your project gains attention⁹, you should strongly consider hiring in-house counsel. In-house lawyers will have a deep understanding of your product, operations, marketing, and business, and will be able to provide better risk-adjusted advice for your project.
Good luck!
Footnotes:
[1] The popular abbreviation for "I am not a lawyer," applicable to those not well-versed in legal language.
[2] I am a lawyer, but not your lawyer. Nothing in this article constitutes or should be construed as legal advice. My advice may be incorrect or unsuitable for your project. Please hire external advisors.
[3] Being an "anarchist" may help protect oneself from unnecessary public attention in the short term, but most people are neither paranoid nor skilled enough to maintain anonymity consistently in the long term.
[4] Unless you are a DAO, in which case you may still be asked about your company structure, as some may not participate without affiliated entities.
[5] I refer to "companies," but these suggestions can also apply to "teams."
[6] For example, if you are a non-custodial wallet, clearly state on your website that you do not manage private keys and cannot provide recovery services. This is crucial for helping users understand their relationship with your company.
[7] For example, if you specify that your protocol can provide someone with XXX% returns, you should clearly state the conditions under which this occurs.
[8] This is a serious matter; see https://www.sec.gov/news/press-release/2020-246.
[9] This milestone may look different for different projects, but generally, after a Series A or around a $50 million post-money valuation, it is a good time to start looking seriously. If law is an inseparable part of your product or strategy, it makes sense to look earlier.