In the case of Risley v. Uniswap Judge Failla dismissed the final state law claims against Uniswap Labs and Hayden Adams with prejudice on March 2, 2026, ending the Risley litigation for good. After losing on federal securities claims at both the district and circuit court levels, the plaintiffs came back with aiding-and-abetting fraud, consumer protection, and unjust enrichment theories. The court rejected all of them, finding that providing a neutral, non-custodial marketplace — even one where scam tokens proliferate — does not constitute “substantial assistance” to fraud. The reasoning tracks the Supreme Court’s framework in Twitter v. Taamneh: offering generally available infrastructure that bad actors happen to use is not the same as consciously participating in their wrongdoing. For builders in DeFi, this is a significant and clarifying win — but not a blank check. The distinction between platform and participant now has real teeth, and the court was careful to note what could change the calculus.
Three Strikes — All Looking
To appreciate what happened on March 2, you need to understand how we got here. This case has been a marathon, and the procedural history tells you a lot about both the strength of the defendants’ position and the tenacity — some might say stubbornness — of the plaintiffs’ bar.
The original complaint was filed on April 4, 2022, by Nessa Risley and five other plaintiffs who’d lost money on various “scam tokens” — 38 of them, including crowd favorites like EthereumMax (EMAX) and Bezoge Earth (BEZOGE) — that had been traded on the Uniswap Protocol. The theory was bold: because Uniswap Labs developed the protocol and its venture capital backers — Paradigm, Andreessen Horowitz, Union Square Ventures — funded it, they should all be liable for the rug pulls and pump-and-dumps that anonymous token issuers perpetrated using the platform. The plaintiffs threw the kitchen sink at it: Section 12(a)(1) of the Securities Act, Section 29(b) of the Exchange Act, control person liability, and a handful of state law claims.
On August 29, 2023, Judge Failla granted all motions to dismiss. The federal claims went away with prejudice — meaning, permanently — and the state claims were dismissed without prejudice because the court declined to exercise supplemental jurisdiction over them. The opinion was remarkable for its clarity. Judge Failla called it a “case of first impression” and then proceeded to write what became arguably the most-cited line in DeFi jurisprudence: “it defies logic that a drafter of a smart contract, a computer code, could be held liable under the Exchange Act for a third-party user’s misuse of the platform.” She compared suing Uniswap to suing Venmo for a drug deal or holding the NASDAQ liable for a fraudulent stock. She acknowledged the plaintiffs had suffered real losses but said the remedy — if one existed — lay with Congress, not the courts.
The plaintiffs appealed. On February 26, 2025, the Second Circuit issued a summary order affirming the dismissal of all federal claims. The panel — Judges Raggi, Wesley, and Kahn — agreed with Judge Failla on every material point. Smart contracts were “collateral to the third parties’ scam token activities.” Defendants never held title to the tokens. Adams’ social media posts promoting the protocol were “too attenuated” from the purchase of specific scam tokens to constitute solicitation. The panel explicitly adopted the “defies logic” language. But it vacated the state law claims and sent them back, finding that the district court should have kept them because plaintiffs had properly invoked diversity jurisdiction under CAFA — the Class Action Fairness Act.
That is where the fun(?) begins.
The Second Amended Complaint: Same Theory, Different Label
Back on remand, the plaintiffs regrouped. They dropped the VC defendants and the Uniswap Foundation, narrowing their claims to Uniswap Labs and Hayden Adams only. On May 14, 2025, they filed a Second Amended Complaint — their third attempt — asserting purely state law theories: aiding and abetting fraud, aiding and abetting negligent misrepresentation, unjust enrichment, and violations of consumer protection statutes in New York, North Carolina, and Idaho.
The core factual allegations were familiar. Plaintiffs alleged that roughly 98% of tokens traded through the Uniswap interface were scams. They pointed to the absence of KYC requirements, the lack of barriers to token listing, and the fee revenue generated by every trade — including trades in fraudulent tokens. In other words: you built the casino, you knew it was full of cheaters, you profited from every hand dealt, and you did nothing to stop it. You aided and abetted the fraud.
In plain terms, the plaintiffs were trying to repackage their securities law theory — which had failed twice — as a tort claim. Instead of arguing that Uniswap was a statutory “seller” of unregistered securities, they argued Uniswap was an “aider and abettor” of common law fraud. The underlying theory hadn’t changed: the platform is the problem.
Judge Failla saw through it.
“Despite Three Chances to Get It Right”: The March 2, 2026 Decision
Judge Failla’s March 2, 2026 opinion is crisp and, at times, pointed. She opens by noting — and I’m paraphrasing only slightly — that the plaintiffs have now had three bites at the apple and still can’t state a viable claim. The exact quote is worth reading: “Despite three chances to get it right, Plaintiffs remain unable to allege plausible claims.” She then notes that “though the claims have changed, the result is the same: Plaintiffs cannot hold Defendants liable for the misconduct of the unidentified third-party issuers.”
Let’s break down each claim.
- Aiding and abetting fraud. Under New York law — which governed most of the analysis — an aiding-and-abetting fraud claim requires: (1) the existence of an underlying fraud, (2) the defendant’s actual knowledge of the fraud, and (3) substantial assistance by the defendant in the commission of the fraud. The court found that the plaintiffs failed on both the knowledge and substantial-assistance prongs.
On knowledge, the plaintiffs pointed to user complaints filed after losses occurred, general social media chatter about scam tokens, and a March 2022 academic study suggesting high rates of fraudulent token launches on decentralized exchanges. The court found none of this sufficient to establish that Uniswap had actual, contemporaneous knowledge of the specific fraudulent transactions at issue. Knowing that scam tokens exist in the abstract is not the same as knowing that this particular token, right now, is being used to defraud these particular people. That distinction matters enormously — and it’s one the Supreme Court drove home in a different but conceptually related context.
On substantial assistance, the court’s reasoning is where the opinion breaks genuinely new ground for DeFi. Judge Failla held that merely providing a platform — “ordinary services that anyone could use for lawful purposes” — does not constitute substantial assistance to fraud, even if bad actors happen to use those services. Creating access to a marketplace where fraud occurs is not the same as participating in fraud. The analogy to traditional financial exchanges is explicit: the New York Stock Exchange is not liable for every fraudulent security traded on its platform, and Uniswap is not liable for every scam token that passed through its protocol.
- Consumer protection claims. The court dismissed claims under New York General Business Law § 349 and equivalent statutes in North Carolina and Idaho. The plaintiffs alleged that Uniswap made materially misleading statements about the safety of its platform. The court disagreed — noting that Uniswap’s public blog posts and terms of service explicitly warned users about the risks of scam tokens. And the alleged omissions — failure to disclose fraud rates or implement screening — were not information “uniquely held” by Uniswap and unavailable to users. In short, the information asymmetry required for a consumer protection claim simply wasn’t there.
- Unjust enrichment. This one is almost elegant in its simplicity. The plaintiffs argued Uniswap was unjustly enriched by fees earned on trades involving scam tokens. The problem? The protocol’s “fee switch” — the mechanism by which Uniswap Labs could direct a portion of trading fees to itself — was never activated during the relevant class period (April 2021 to April 2022). An interface fee wasn’t implemented until October 2023, well outside the window. You can’t be unjustly enriched by revenue you never collected.
The court acknowledged — as Judge Failla has throughout this litigation — that the plaintiffs suffered real harm. “A plainly felt injury,” she called it. But the law does not provide a remedy against the protocol’s developers for losses caused by anonymous third-party scammers. That’s a policy question. And policy questions belong with Congress.
The Taamneh Connection: Why This Is Really a Platform Liability Case
Here’s where this final chapter gets interesting beyond the crypto-specific context. The legal reasoning in the March 2, 2026 opinion — particularly on the “substantial assistance” question — maps directly onto the framework the Supreme Court established in Twitter, Inc. v. Taamneh, 598 U.S. 471 (2023). And understanding that connection is key to understanding why this ruling matters well beyond DeFi.
In Taamneh, the family of a victim killed in an ISIS terrorist attack at an Istanbul nightclub sued Twitter, Facebook, and Google, alleging the platforms aided and abetted the attack by providing services that ISIS used for recruitment and communication. The Supreme Court unanimously rejected the claim. Justice Thomas, writing for the Court, drew a sharp line between providing generally available services and consciously participating in wrongdoing.
The core holding: “Defendants’ mere creation of their media platforms is no more culpable than the creation of email, cell phones, or the internet generally.” The fact that ISIS used social media to advance its agenda did not make the platforms aiders and abettors of specific terrorist attacks. Their recommendation algorithms were “agnostic as to the nature of the content” — neutral infrastructure, not targeted assistance. And general awareness that bad actors used the platforms was insufficient to establish the “knowing” and “substantial” assistance required for aiding-and-abetting liability.
Justice Thomas was particularly clear on the limiting principle: if platforms could be held liable simply for knowing that wrongdoers used their services and failing to stop them, it “would run roughshod over the typical limits on tort liability and unmoor aiding and abetting from culpability.” Ordinary merchants cannot become liable for any misuse of their goods and services, no matter how attenuated their relationship with the wrongdoer. That would make every cell phone carrier an aider and abettor of every drug deal brokered over a phone call.
Now read Taamneh alongside the Risley March 2026 dismissal, and the parallel is unmistakable:
The Uniswap Protocol is generally available, permissionless infrastructure. Anyone can use it — and most uses are lawful. Its smart contracts are agnostic as to the nature of the tokens being traded, just as Twitter’s algorithms were agnostic as to the nature of the content being shared. Uniswap Labs’ general awareness that scam tokens existed on the protocol is no different from Twitter’s general awareness that ISIS used its platform. And providing automated, non-custodial trading infrastructure — “ordinary services that anyone could use for lawful purposes” — is not “substantial assistance” to the specific frauds committed by unknown third parties.
In both cases, the courts reached the same conclusion: a platform is not a participant. Building the road does not make you the getaway driver.
The Taamneh framework is especially important for DeFi because it addresses the most common emotional argument against protocol developers: you knew bad things were happening, and you did nothing. The Supreme Court’s answer to that argument is clear. Knowing that bad things happen on your platform — even having statistical evidence that a high percentage of activity may be illicit — is not the same as knowingly assisting specific wrongful acts. Liability requires a meaningful nexus between the defendant’s conduct and the particular harm. General awareness plus passive inaction does not clear that bar.
This is not a technicality. It’s a foundational principle of tort law that predates the internet, let alone blockchain. And its application to DeFi infrastructure providers should not surprise anyone who’s been paying attention to the trajectory of platform liability law more broadly.
What the Court Didn’t Say — and Why That Matters Too
I would not be a responsible killjoy if I didn’t flag what this ruling does not do.
First, this is a case about the current Uniswap architecture — a permissionless, non-custodial, open-source protocol where developers do not control token listings, do not intermediate between buyers and sellers, do not hold user assets, and did not collect direct fee revenue during the relevant period. The court’s reasoning is tightly tied to those facts. Change the facts, and you could change the outcome.
Second, the Lido DAO decision — Samuels v. Lido DAO (N.D. Cal., November 2024) — shows where the line might shift. Judge Chhabria held that Lido DAO could be treated as a general partnership under California law, and that institutional VC investors who participated actively in governance could face unlimited personal liability. That case turns on a fundamentally different factual predicate: DAOs where named, identifiable entities exercise meaningful control over protocol operations look a lot more like participants than platforms. The Uniswap Protocol’s architecture — where smart contracts are autonomous, non-upgradable, and operate without human intermediation — is specifically what saved the defendants here. Not every DeFi project shares those characteristics.
Third, criminal liability is a separate universe. The conviction of Tornado Cash developer Roman Storm in August 2025 for conspiracy to operate an unlicensed money transmitting business — even as the Fifth Circuit simultaneously held that Tornado Cash’s immutable smart contracts couldn’t be sanctioned as “property” — demonstrates that code developers can face criminal prosecution even where civil liability theories fail. The DOJ’s April 2025 memo on “Ending Regulation by Prosecution” instructed prosecutors not to charge regulatory violations in digital asset cases, but the Storm prosecution continued regardless. Civil and criminal law operate on different standards, different burdens, and — frankly — different political dynamics.
Fourth, Judge Failla’s repeated invocations of Congressional authority are worth taking seriously. When a judge says three times across four years of litigation that regulatory questions about DeFi belong with Congress, she’s not being decorative. She’s signaling that the gap between what the law currently provides and what policy might demand is real — and that courts won’t fill it. The market structure legislation currently working its way through Congress — particularly the CLARITY Act’s Section 109, which explicitly protects “non-controlling blockchain developers” from registration requirements — would codify something close to the Risley holding. But it hasn’t passed the Senate yet. Until it does, the holding rests on judicial reasoning, not statutory text.
Finally, the question of where decentralization ends and centralization begins remains largely unresolved. Points of centralization within otherwise decentralized systems — a company-controlled front-end interface, governance concentrated among a handful of token holders, admin keys that allow code upgrades, fee switches that direct revenue — are all factors that future courts may examine. The Risley court didn’t have to grapple with most of these because the facts were favorable to the defense. Future cases won’t always be so clean.
The Bigger Picture: Why “Platform ≠ Participant” Is the Right Framework
So why do I say the court got it right?
Not because I think DeFi protocols should be immune from all regulation. They shouldn’t — and the market structure legislation currently moving through Congress will eventually establish a more nuanced framework that accounts for the spectrum between full centralization and full decentralization. Not because I think rug pulls and scam tokens are acceptable. They’re not — and the victims in Risley suffered real financial harm from real misconduct by real people who happen to be unidentifiable.
The court got it right because the alternative — holding infrastructure providers liable for the actions of every anonymous user — would be catastrophic for open-source software development, for permissionless financial innovation, and for the basic architecture of the internet itself. The principle at stake in Risley is not unique to crypto. It’s the same principle that prevents you from suing AT&T because a scammer called you on the phone, or suing the United States Postal Service because someone mailed you a fraudulent solicitation, or suing SMTP protocol developers because spam exists.
The distinction between providing a tool and wielding it — between building infrastructure and committing misconduct — is foundational. Taamneh recognized this at the Supreme Court level for social media platforms. Risley applies it to DeFi protocol developers. The logic is consistent across both contexts because the underlying principle is the same: liability requires culpable participation in the specific wrongful act, not merely the creation of an environment where wrongful acts can occur.
This doesn’t mean platforms get a free pass. It means plaintiffs have to identify the right defendants — the people who actually committed the fraud — and pursue claims against them. The anonymity problem in DeFi is real, and can be frustrating, but the solution to that problem is not to hold identifiable infrastructure providers vicariously liable for the misconduct of unidentifiable bad actors simply because they’re the only people in the courtroom with deep pockets. That’s not how tort law works, and Risley correctly refuses to bend the law to accommodate that impulse.
What Builders Should Take Away
From a practical standpoint, here’s what the Risley trilogy — the 2023 dismissal, the 2025 summary order, and the 2026 final dismissal — means for people building in this space:
- Architecture matters more than ever. The court’s reasoning is deeply fact-specific, and the facts that mattered most were structural: non-custodial design, permissionless access, autonomous smart contract execution, no intermediation between buyers and sellers, no control over token listings, and — critically — no direct fee revenue during the class period. If your protocol shares these characteristics, you’re in a strong position. If it doesn’t — if you maintain admin keys, exercise governance control, curate token listings, or directly profit from specific transactions — the Risley framework may not protect you.
- The “fee switch” is a real issue. One of the most underappreciated aspects of the unjust enrichment dismissal is its reliance on the fact that Uniswap Labs wasn’t collecting fees during the relevant period. That’s a narrow factual finding, not a broad legal principle. Protocols that do collect fees from transactions — including transactions in potentially fraudulent tokens — face a more complicated analysis. Revenue models matter.
- Consumer disclosures are your friend. The dismissal of the consumer protection claims hinged in part on the fact that Uniswap’s terms of service and public communications explicitly warned users about scam token risks. In other words: transparent risk disclosure works. If your protocol or interface doesn’t include clear, prominent warnings about the risks of interacting with unvetted tokens or counterparties, you’re leaving yourself unnecessarily exposed.
- Legal entity structure is no longer optional. The Lido DAO decision made this painfully clear: if your DAO doesn’t have a legal wrapper, courts may treat it as a general partnership, exposing individual participants — including institutional investors — to unlimited liability. The Uniswap DAO’s September 2025 vote to establish a Wyoming DUNA was a direct response to this risk. Every serious project should be having this conversation now if they haven’t already.
- Watch the legislation. The CLARITY Act’s developer protections — if enacted — would provide statutory footing for the principles established in Risley. But those protections are still being negotiated in the Senate, and legacy financial industry lobbying against DeFi-specific carve-outs is intense. The legislative window before midterm elections consume Congressional attention is March through August 2026. What happens in that window could determine whether the Risley framework is codified in statute or remains dependent on case-by-case judicial reasoning.
Closing Thoughts
Four years. Three complaints. Two courts. One answer.
The Risley litigation asked whether the developers of a decentralized exchange protocol could be held liable — under federal securities law, then under state common law — for the misconduct of anonymous third parties who used their code to defraud people. The answer, at every stage and under every legal theory, has been no. Not because the law doesn’t care about fraud victims — it does — but because the law requires that liability attach to culpable participation in the wrong, not mere proximity to it.
That’s the right answer. And it’s an answer that extends well beyond crypto, because the question it addresses — when does providing infrastructure become participating in misconduct? — is one that every technology platform, open-source project, and communications network will eventually face. The Taamneh Court understood this at the Supreme Court level. Judge Failla understood it in the DeFi context. And now, after four years of litigation, the principle is established with clarity and force: building the tool is not the same as using it.
The road ahead for DeFi regulation is still long and uncertain. Legislation is pending. The line between sufficient and insufficient decentralization remains contested. Criminal liability risks haven’t disappeared. But for the specific question that Risley posed — can you sue the protocol developer for the scammer’s fraud? — the answer is clear.
No. You can’t. And that’s how it should be.
Written by David Lopez Kurtz