Reviewing the $25 million governance attack on COMP: why do DeFi protocols repeatedly encounter DAO attacks?

ChainCatcher Selection
2024-07-30 19:18:58
Compound has launched the COMP staking product stCOMP, bringing the recent governance attack to an end.

Author: Xiyou, ChainCatcher

Editor: Marco, ChainCatcher

On July 29, the community voted, through the protocol's own governance process, to transfer 499,000 COMP tokens (worth about $25 million) from the Compound treasury to an unknown, unmonitored multi-signature address outside DAO control, triggering a wave of allegations that this was a DAO governance attack.

After the proposal to transfer COMP was approved, the price of COMP tokens fell nearly 7% within 24 hours, dropping from $50 to $46.6.

On July 30, Compound's growth officer Bryan Colligan announced the launch of a staking product called Stake COMP (stCOMP) after communicating with the whale behind this proposal. This product will be controlled by the Compound DAO, and 30% of the new market reserve funds added to the Compound protocol each year will be allocated to COMP stakers as a condition for canceling the proposal.

Currently, the "transfer of $24 million worth of COMP" proposal 289 has been canceled. Following this news, the COMP token surged over 13% in a single day, now priced at $51.4.

Review of the Incident: Three Proposals Before Final Approval

On July 29, a proposal regarding the transfer of treasury assets COMP, passed by the Compound community, sparked accusations of governance attacks from community members. Proposal 289 suggested transferring 5% of the Compound treasury funds (approximately $24 million worth of 499,000 COMP tokens) to the yield protocol goldCOMP designed by Golden Boys for a duration of one year.

A review of the proposals shows that the "transfer 499,000 COMP tokens to the new protocol" proposal did not pass in one go: it was canceled twice and had its motives questioned before it passed on the third attempt.

The proposal to "invest 5% of the COMP in the treasury into the goldCOMP protocol" first appeared in proposal 247 on May 6, which suggested that the Compound treasury invest 5% of its COMP holdings into the goldCOMP protocol created by Golden Boys. However, this proposal was canceled due to insufficient participation to meet the quorum.

On July 15, proposal 279 again mentioned "establishing a trust for DAO investment in GoldCOMP," stating that the goldCOMP protocol created by Golden Boys could provide yields for COMP holders and proposed transferring 92,000 COMP from the treasury to this protocol for one year to earn yields. This proposal was canceled on July 20 due to failure to meet the quorum.

On July 24, proposal 289 again included information about "setting up a trust for DAO investment in GoldCOMP," proposing to invest 499,000 COMP tokens from the treasury into the GoldCOMP protocol for one year.

As early as the release of proposal 247 in May, the security company OpenZeppelin had warned in the community forum that this could be a governance attack.

They explained that proposal 247 suggested transferring 5% of the COMP tokens in the treasury to a multi-signature wallet allegedly controlled by "Golden Boys" and investing the funds in the goldCOMP protocol, but the proposers did not disclose their identities to the community, and the proposal had not been discussed in the forum beforehand, which could indicate a governance attack.

Wintermute's governance account also stated that it opposed submitting proposals directly on-chain without prior forum or community discussion, and that no sufficient reason had been given for why the COMP needed to be transferred to a multi-signature wallet and removed from DAO control.

In the later "trust setup" proposals, Wintermute questioned whether this action actually prevented the transfer of funds, stating that any form of withdrawal (disinvestment) was entirely controlled by GoldenBoyzMultisig, meaning the DAO could not recall the funds on its own.

After overcoming numerous obstacles and doubts, the proposal to "invest 499,000 COMP tokens into the GoldCOMP protocol" was finally approved on July 29, with 682,000 votes in favor and 633,000 votes against.

Although the proposal followed the protocol's formal governance process, Compound community users had many doubts and concerns about the approval of the "transfer 499,000 COMP to an unknown protocol" proposal. Why was the proposal approved without any public discussion in the community forum? Was the vote manipulated? How secure are the COMP tokens transferred to the goldCOMP protocol? Could the recipients run away with the funds?

Michael Lewellen, a security architect at OpenZeppelin and a security advisor to Compound, pointed out on X that multiple accounts had been buying COMP tokens in large quantities on the open market and had submitted several proposals aimed at transferring the treasury's COMP holdings to the goldCOMP product created by Golden Boys, forcing the proposals through on the strength of the voting power those tokens conferred.
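The pattern Lewellen describes (buy voting power on the open market, then vote a treasury transfer through on a thin margin) is the kind of thing a DAO's security reviewers can screen for mechanically. The following is an added example, not code from ChainCatcher, Compound or OpenZeppelin: a small risk screen for token-weighted proposals that raises the same flags the article's observers raised by hand, namely no prior forum discussion, a token outflow to an address the DAO cannot recall funds from, FOR-votes backed by recently acquired tokens, and a narrow margin. The quorum value, the lookback window, the thresholds, the data shapes and the two sample proposals are all assumptions constructed for the example; the vote totals of the first sample mirror the 682,000 versus 633,000 figures reported in the article, but the voters themselves are invented.

```python
"""Risk screen for token-weighted DAO proposals.

Added illustrative example; not ChainCatcher's, Compound's or OpenZeppelin's code.
QUORUM, the lookback window, the thresholds and the sample data below are assumptions,
not on-chain data.
"""
from dataclasses import dataclass, field

QUORUM = 400_000          # assumed quorum, in governance-token units
RECENT_DAYS = 30          # assumed lookback for "freshly acquired" voting power
FRESH_SHARE = 0.5         # flag when >= 50% of FOR weight was acquired recently
NARROW_MARGIN = 0.10      # flag when FOR - AGAINST < 10% of votes cast
OUTFLOW_SIGS = {"transfer(address,uint256)", "approve(address,uint256)"}


@dataclass
class Vote:
    voter: str
    support: bool         # True = FOR, False = AGAINST
    weight: int           # votes cast (token-weighted)
    acquired_day: int     # day the voter's balance reached roughly its current size


@dataclass
class Proposal:
    pid: int
    proposer: str
    created_day: int
    discussed_in_forum: bool
    actions: list                       # (target_contract, function_signature, args)
    votes: list = field(default_factory=list)
    trusted_recipients: set = field(default_factory=set)  # DAO-controlled addresses


def tally(p: Proposal) -> tuple[int, int]:
    """Return (for_votes, against_votes)."""
    for_votes = sum(v.weight for v in p.votes if v.support)
    against = sum(v.weight for v in p.votes if not v.support)
    return for_votes, against


def passes(p: Proposal) -> bool:
    """Governor-Bravo-style outcome (assumed rule): FOR > AGAINST and FOR alone reaches quorum."""
    for_votes, against = tally(p)
    return for_votes > against and for_votes >= QUORUM


def screen(p: Proposal) -> list[str]:
    """Return the risk flags a proposal raises; an empty list means nothing suspicious."""
    flags = []
    for_votes, against = tally(p)
    if not p.discussed_in_forum:
        flags.append("no-forum-discussion")
    for _target, sig, args in p.actions:
        # A transfer or approval to an address the DAO cannot recall funds from is an outflow.
        if sig in OUTFLOW_SIGS and args[0] not in p.trusted_recipients:
            flags.append(f"treasury-outflow-to-untrusted:{args[0]}")
    fresh = sum(v.weight for v in p.votes
                if v.support and p.created_day - v.acquired_day <= RECENT_DAYS)
    if for_votes and fresh / for_votes >= FRESH_SHARE:
        flags.append(f"fresh-voting-power:{fresh / for_votes:.0%}")
    cast = for_votes + against
    if cast and (for_votes - against) < NARROW_MARGIN * cast:
        flags.append("narrow-margin")
    return flags


# Constructed sample: a treasury-transfer proposal shaped like the one in the article
# (499,000 tokens to an outside multisig, 682k FOR vs 633k AGAINST); voters are invented.
TRANSFER_PROPOSAL = Proposal(
    pid=289, proposer="whale_a", created_day=100, discussed_in_forum=False,
    actions=[("COMP", "transfer(address,uint256)", ("0xOutsideMultisig", 499_000))],
    votes=[
        Vote("whale_a", True, 300_000, acquired_day=85),     # bought 15 days before proposing
        Vote("whale_b", True, 200_000, acquired_day=90),     # bought 10 days before proposing
        Vote("delegate_x", True, 182_000, acquired_day=-400),
        Vote("delegate_y", False, 400_000, acquired_day=-600),
        Vote("delegate_z", False, 233_000, acquired_day=-500),
    ],
    trusted_recipients={"0xTimelock"},
)

# Constructed benign comparison: a routine market listing with no token outflow.
LISTING_PROPOSAL = Proposal(
    pid=290, proposer="delegate_x", created_day=110, discussed_in_forum=True,
    actions=[("Comptroller", "_supportMarket(address)", ("0xNewMarket",))],
    votes=[Vote("delegate_x", True, 450_000, acquired_day=-400),
           Vote("delegate_y", True, 100_000, acquired_day=-600)],
    trusted_recipients={"0xTimelock"},
)

if __name__ == "__main__":
    for p in (TRANSFER_PROPOSAL, LISTING_PROPOSAL):
        print(p.pid, "passes" if passes(p) else "fails", screen(p))
```

Note that both sample proposals pass under the assumed rules; the screen does not decide outcomes, it only tells delegates which passing proposals deserve scrutiny before the timelock expires. In practice the "acquired_day" field would come from token-transfer history for each voter, and the trusted-recipient set from the DAO's own timelock and treasury contracts.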

It was later revealed that the Compound community's proposal 289 was manipulated by the whale Humpy, who attempted to use the DAO governance process to gain more personal benefits.

Humpy used his voting power to vote through a transfer of $25 million from the Compound treasury into the goldCOMP treasury of his Golden Boys community. In addition, the Golden Boys community had issued a governance token, GOLD, which rallied sharply around the Compound incident, at one point rising over 46% in a single day and yielding substantial profits.

Why Do DeFi Protocols Frequently Encounter Governance Attacks? How Can They Be Prevented?

Although Humpy's actions stayed within the rules of the governance process, they raised questions about decentralized DAO governance, since a whale can steer the outcome of votes to obtain significant benefits for himself.

Compound ultimately announced the launch of the staking product stCOMP as the condition for canceling proposal 289, turning a governance-attack crisis into new utility and benefits for the COMP token: future protocol revenue will be paid to COMP stakers in the form of COMP (reducing DAO reserves), and Compound's income becomes linked to the price of COMP. Users responded positively. However, governance attacks of this kind are neither the first in DeFi applications nor likely to be the last.

As early as 2022, Humpy had steered the direction of token emissions in the DeFi protocol Balancer by controlling a large amount of veBAL for his own profit, engaging in a cat-and-mouse game with the project team.

In March of this year, Jared Grey of SushiSwap also accused Humpy of launching a governance attack, stating that if it succeeded it would extract value from Sushi by increasing the issuance of SUSHI tokens.

Why do such governance attacks frequently occur in DeFi protocols, and how can similar DAO hijacking behaviors be prevented?

Crypto user Esk3nder stated that there are basically two forms of DeFi DAO governance attacks: one is financial in nature, primarily aimed at obtaining funds from the treasury; the other is governance-form attacks, mainly through increasing voting power to control governance.

Among them, Humpy's attacks on Balancer and SushiSwap attempted to gain more funds by controlling the token issuance of the protocols; whereas the attack on Compound was through controlling voting power, which has a greater impact on the protocol.

User SOSE noted that governance attacks on DeFi protocols are more related to the failed token economics strategies of DeFi. Taking the recent Compound attack as an example, the COMP token has been continuously declining since 2021, representing a typical case of DeFi collapse. The decline of the COMP token makes it easier for tokens to accumulate, leading to easier control by large holders. Currently, governance rights in DeFi protocols are often determined by the weight of token holdings, which inevitably turns it into a game for large holders to profit.

Although the stCOMP staking proposal put forward by Compound to cancel proposal 289 has brought new changes to the COMP token economy, such as reducing short-term selling liquidity and linking Compound's income to the price of COMP, and reached a consensus in the community, from the perspective of Compound DAO, this is a forced action, and Humpy still has a high probability of benefiting again from this situation.

He warned that DeFi DAOs should consider strategies to respond to governance attacks and token economics based on these cases.

Veteran DeFi player @DefiIgnas believes that the inaction of the official DAO organizations behind DeFi protocols is even more frustrating. He explained that several proposals on Compound were passed quietly, such as the USDT market launched in July, and that the official Compound social media accounts did not even share the relevant proposals, causing many DAO delegates to miss the votes. The key now is how to get more people involved in DAO organizations.
