In-depth analysis of the details and purposes behind the Compound governance attack: whales reclaiming control over established DeFi
Written by: @Web3Mario
Abstract: With the conclusion of the Bitcoin conference last weekend, details related to the event continue to emerge, and they basically do not differ much from my previous judgment, such as Trump's strategy to appeal to Bitcoin enthusiasts through energy policies, and the rendering of some changes in official attitudes, specifically referring to the so-called strategic reserve rhetoric, emphasizing its value as a commodity. What I didn't expect was that his speech turned into a typical "Trump-style" campaign rally, where he liked to use illogical viewpoints and information to attack opponents, which inevitably raises doubts about the authenticity of some promises he made. However, this matter seems to have settled down, so I focused on some other events and came across an interesting piece of information: Compound faced a governance attack. Having spent a long time in DeFi, I was very interested in this information, so I delved into the background of this incident and broke down the implementation details to share with everyone. Overall, the governance attack on Compound involved a DeFi whale attempting to forcibly seize governance rights over idle COMP tokens in the Compound Treasury through governance voting, allowing it to fully control the Compound protocol.
The Legendary Whale Humpy, Who Successfully Seized Balancer, Strikes Again
This is not the first masterpiece of this legendary whale. Previously, during the DeFi Summer of 2022, this whale executed a governance attack on Balancer by controlling a large amount of BAL governance tokens and leveraging Balancer's veBAL mechanism to dominate the release of most BAL incentives to liquidity pools, thereby establishing control over Balancer. As of now, Humpy has become the second-largest holder of BAL tokens, second only to the official team.
Regarding this classic event, Messari has a very insightful research report that interested friends can read in detail. I wonder how many friends are familiar with Balancer's veBAL mechanism. Let me briefly review it here. At that time, during the DeFi Summer, various products were innovating around how to achieve growth through well-designed tokenomics. Curve, as a core DEX for stablecoins, was the first to launch the veCRV mechanism as its tokenomics, achieving significant results. Thus, veTokens became a popular design paradigm for DEX product tokenomics.
One of the star projects of the same type, Balancer, encountered an innovation bottleneck at that time and chose to follow suit by launching its own veBAL mechanism. The essence of this mechanism is to adjust the allocation of a competitive resource within the product through governance voting, thereby broadly creating bribery scenarios that bring benefits to governance participants, stimulating community enthusiasm for co-building the product, and finding suitable value support for governance tokens, which was commonly described in the market as "governance extracting value."
In the DEX space, this competitive resource specifically refers to the liquidity incentive rewards allocated to the governance tokens for the liquidity pools operated by the official team. The proportion of rewards allocated to different liquidity pools is determined by governance voting. To gain voting rights, one must lock their governance tokens for a long period, which reduces the circulating supply in the market and is beneficial for market cap growth. The liquidity pool that receives more votes will be allocated more BAL incentives, guiding third-party projects to use their tokens to bribe users with veBAL voting rights to stimulate their token's liquidity growth. Of course, this process is generally implemented through dedicated DAPPs. However, there was a hidden danger in Balancer's veBAL design that Humpy discovered and exploited.
We know that for DEXs, their core business model is transaction fees. To attract more traders to use their products, DEXs strive to increase their liquidity by providing a low-slippage trading experience to attract users. Therefore, the design of veBAL cannot deviate from this core goal, which is to increase transaction fees. However, in its initial design, there were no restrictions on the types of liquidity pools, relying solely on the total votes obtained by the pools. This led to a problem: as long as a pool could obtain enough veBAL votes through some means, it could receive a large proportion of BAL liquidity incentive allocations, even if that pool had no trading volume. This created an opportunity for whales, and Humpy seized it.
Humpy's core attack strategy consists of two parts. First, it needs to gain absolute control over the liquidity of a certain pool, allowing it to earn most of the rewards during liquidity mining. Second, it needs to obtain a massive amount of votes for the pool it controls to dominate the allocation of BAL incentives. This way, it can achieve control over the protocol. Therefore, it first chose tokens from projects that were inactive in trading but had inflated market caps to reduce potential competitors. Second, it established a liquidity pool with extremely high fees (1%), reducing users' willingness to trade, thereby lowering the participation willingness of potential LPs attracted by fees. Through these means, it achieved absolute control over a certain liquidity pool. Next, it purchased a large amount of BAL tokens on the secondary market, staked them to obtain veBAL, and voted for its liquidity pool to gain most of the BAL allocation. However, this incentive release did not improve Balancer; it simply benefited Humpy. This is the so-called divergence between the interests of whales and the long-term development direction of the project, leading only to contradictions.
In actual execution, Balancer's official team did not sit idly by but countered Humpy's vampire attack through new proposals. For example, they specified the range of pools eligible for liquidity incentives, and expanding that range required official application and approval. They also set limits on the proportion of rewards that could be allocated to a single pool. However, after a series of confrontations, Balancer and Humpy reached a reconciliation. Yet, from the outcome, it was clear that they could not prevent Humpy from gradually achieving control over Balancer, as evidenced by the fact that Humpy became the second-largest holder. This also laid the groundwork for its recent attack on Compound.
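The allocation flaw and the two countermeasures described above (an eligibility list for pools and a limit on the share a single pool can receive) can be modelled in a few lines. This is an added example, not Balancer's code: the pool names, vote counts, the 40% cap and the `approved` flag are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    name: str
    votes: float      # vote weight directed at the pool (constructed)
    approved: bool    # passed the eligibility review (hypothetical flag)

# Constructed sample: one whale-controlled pool with most votes and no volume,
# two ordinary pools. Numbers are illustrative, not Balancer data.
POOLS = [
    Pool("whale-pool", 600, approved=False),
    Pool("stable-pool", 250, approved=True),
    Pool("eth-pool", 150, approved=True),
]

def allocate(pools, emissions, cap=None, allowlist=False):
    """Return emissions per pool: pro rata by votes, then allowlist and cap."""
    shares = {p.name: 0.0 for p in pools}
    active = [p for p in pools if p.approved or not allowlist]
    remaining = 1.0
    while active:
        total = sum(p.votes for p in active)
        if total == 0:
            break
        over = [p for p in active
                if cap is not None and remaining * p.votes / total > cap]
        if not over:
            for p in active:
                shares[p.name] = remaining * p.votes / total
            break
        # Pin over-cap pools at the cap; the excess is re-split among the rest.
        for p in over:
            shares[p.name] = cap
            remaining -= cap
            active.remove(p)
    return {name: share * emissions for name, share in shares.items()}

if __name__ == "__main__":
    for label, kw in [("votes only", {}), ("40% cap", {"cap": 0.4}),
                      ("allowlist", {"allowlist": True})]:
        print(label, allocate(POOLS, 100_000, **kw))
```

With votes alone the whale-controlled pool takes 60% of emissions; the cap limits it to 40% and pushes the excess to the other pools, and the eligibility list removes it from the allocation entirely.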
Seizing Governance Rights Over a Large Amount of Idle COMP in Compound Treasury to Take Over Compound
The aforementioned event occurred in 2022. After two years of silence, Humpy initiated a takeover of another established DeFi project. This is the recent event. This time, it was not related to veBAL but targeted the governance rights corresponding to a large amount of idle COMP in the Compound Treasury.
This time, it did not directly participate in the entire game but instead packaged a project called Golden Boys (which can also be called an organization) to operate. This project is essentially a meme with financial attributes. What does that mean? Its core product is an ERC-20 token called $GOLD. However, the official team has assigned some expectations to its holders beyond cultural attributes. The entire website and blog emphasize one point: the value of $GOLD is maintained by the whale Humpy, leveraging years of experience and substantial financial and resource advantages. Holding $GOLD is akin to riding on the back of the whale. However, in reality, it does not have any structured financial products or yield aggregation designs; it merely allocates some liquidity incentives to $GOLD and some mainstream tokens, some of which are directly newly minted $GOLD, and a portion is BAL rewards. This is naturally due to Humpy's influence over Balancer, as it allocates relatively high liquidity mining rewards through its massive veBAL holdings (it's quite lamentable to study how difficult it is to be taken over).
After preparing all this, it created a new Vault product called goldCOMP Vault. Simply put, users can stake their COMP in this Vault to transfer their governance rights to Golden Boys and receive a staking certificate called goldCOMP. This is a transferable certificate, and users can use it to provide liquidity in Balancer's 99goldCOMP-1WETH liquidity pool, where 99 and 1 correspond to the weights, which essentially means that goldCOMP has very low trading slippage and virtually no impermanent loss.
After staking liquidity, users can earn liquidity incentives in $GOLD. Note that the rewards here are not BAL but GOLD, which is naturally more beneficial for the Golden Boys to control the interest rates of the pool since they control it. Currently, the interest rate level is 180%, although the TVL is still low. However, I am not sure when Balancer started supporting third-party tokens directly as staking incentives displayed on the official website. I haven't followed the project's progress for a while. If this is not an operation that can be publicly set by the official team, I can only lament the helplessness of being taken over again!
After preparing all this, Golden Boys began their governance attack on Compound. They first initiated a proposal in May of this year, which aimed to transfer 5% of the COMP controlled by Compound Treasury, amounting to 92,000 COMP, to the multi-signature wallet of Golden Boys, and stake it in the goldCOMP Vault to earn liquidity mining rewards, locking it for a year. Of course, what Golden Boys were after was the governance rights behind these tokens. Undoubtedly, this proposal was not passed, because the product it would interact with was somewhat rudimentary and lacked actual business support. Moreover, every operation after the token allocation depended on a multi-signature wallet, which increased the likelihood of malicious intent. Therefore, it sparked widespread rejection in the community.
But Humpy was not discouraged; instead, it chose to engage with community members. It believed that these issues could be alleviated as long as any use of these tokens by a multi-signature wallet was approved through the Compound timelock contract. Therefore, on July 20, it initiated a second proposal. The amount requested remained unchanged, but an additional operation was added to set up a Trust Setup contract to achieve the above effect, thus supervising the multi-signature wallet. However, upon reading the contract code, I found that it simply set three states. When the Compound timelock modifies the contract's state to allow investment, the multi-signature wallet can freely use these tokens. Of course, this proposal was also rejected, but it was evident that the number of supporting votes had significantly increased. This seemed to give the illusion that Golden Boys were indeed continuously optimizing their proposals and gaining more agreement until today, when the third proposal's approval left everyone stunned.
Everyone should note that the proposal passed today has a core difference: the amount of COMP requested in this proposal is no longer 92,000 but an exaggerated 499,000. This time, the community was initially confident that it would easily defeat Humpy's "conspiracy," but the result was shocking. The proposal was passed by a narrow margin, and the supporting votes surged sixfold in just ten days, which was clearly unexpected by the community. This was evidently a carefully planned operation by Humpy. If nothing unexpected happens, with the passage of this proposal, Humpy will effectively become the owner of Compound, dominating any proposals. Considering that its current holdings are already sufficient to surpass its opponents, and adding the voting rights of the newly acquired 499,000 COMP, Compound will undoubtedly be taken over.
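A governance monitor can check for the two warning signs in this sequence of proposals: a sudden jump in supporting votes, and a requested transfer large enough that the supporting bloc plus the new tokens would out-vote any opposition seen so far. The following is an added example, not code from Compound or the author; the requested amounts come from the article, while the proposal labels, voter labels, vote figures and the 5x threshold are constructed, and it assumes all supporters vote with the recipient afterwards.

```python
from collections import defaultdict

# COMP requested by each proposal, as stated in the article; labels are hypothetical.
REQUESTED = {"first": 92_000, "second": 92_000, "third": 499_000}

# Constructed vote records: (proposal, voter label, voting power in COMP, supports?)
VOTES = [
    ("first", "sponsor-1", 30_000, True),
    ("first", "delegate-a", 300_000, False),
    ("first", "delegate-b", 200_000, False),
    ("second", "sponsor-1", 30_000, True),
    ("second", "sponsor-2", 80_000, True),
    ("second", "delegate-a", 300_000, False),
    ("second", "delegate-b", 180_000, False),
    ("third", "sponsor-1", 30_000, True),
    ("third", "sponsor-2", 80_000, True),
    ("third", "new-wallets", 550_000, True),
    ("third", "delegate-a", 300_000, False),
    ("third", "delegate-b", 340_000, False),
]

def tally(votes):
    """Sum voting power per proposal as {proposal: [for, against]}."""
    totals = defaultdict(lambda: [0, 0])
    for proposal, _voter, power, supports in votes:
        totals[proposal][0 if supports else 1] += power
    return totals

def review(requested, votes, surge_threshold=5.0):
    """Flag support surges and transfers that would out-vote all past opposition."""
    totals, flags = tally(votes), {}
    prev_for, peak_against = None, 0
    for proposal, amount in requested.items():   # dict keeps submission order
        votes_for, votes_against = totals[proposal]
        peak_against = max(peak_against, votes_against)
        found = []
        if prev_for and votes_for / prev_for >= surge_threshold:
            found.append("support_surge")
        if votes_for + amount > peak_against:
            found.append("post_transfer_control")
        flags[proposal] = found
        prev_for = votes_for
    return flags
```

On the constructed data only the third proposal is flagged, for both conditions.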
The impact of this event is unprecedented. Any DeFi product needs to re-examine its governance model to prevent similar issues. I will continue to monitor the upcoming developments. I believe the Compound community will also rise to resist, but how the contradictions will develop is hard to say, given Balancer's previous experience.