In-depth Analysis of Compound's Governance Attack: A Whale Seizes an Established DeFi Protocol Again
Author: Web3Mario
Translation: WuBlockchain
Abstract: I came across an interesting piece of information about Compound being subjected to a governance attack. Having been involved in DeFi for quite some time, this piqued my interest, and I decided to delve deeper into the details behind this event. I will break down the implementation details and share them with you. In summary, the governance attack on Compound involved a DeFi whale attempting to forcibly seize governance control of idle COMP tokens in the Compound Treasury through governance voting, thereby gaining full control over the Compound protocol.
The Legendary Whale Humpy Strikes Again, After Successfully Seizing Control of Balancer
This is not the first time this legendary whale has made a move. Previously, during the DeFi Summer of 2022, the whale carried out a governance attack on Balancer. By acquiring a large amount of BAL governance tokens and leveraging Balancer's veBAL mechanism, the whale gained control over the majority of BAL's incentive distributions to liquidity pools, effectively seizing control of Balancer. To date, Humpy has become the second-largest BAL token holder, second only to the official team.
For those interested in this classic event, Messari has an excellent research report that you can read in detail. I'm not sure how familiar you are with Balancer's veBAL mechanism, so let me briefly recap. During the DeFi Summer, innovation in product design was largely centered around creating effective tokenomics to drive growth. At that time, Curve, as a core DEX for stablecoins, pioneered the veCRV mechanism as its tokenomics, achieving significant results. Consequently, veToken became a popular design paradigm for DEX tokenomics.
One of the prominent projects in the same category, Balancer, was facing an innovation bottleneck at the time and decided to follow suit by launching its veBAL mechanism. The essence of this mechanism was to allocate a competitive resource within the product through governance voting, thereby creating extensive scenarios for vote-buying and generating returns for governance participants. This, in turn, stimulated the community's enthusiasm for product co-building and provided a suitable value support for the governance token, a concept commonly referred to as "governance value extraction" in the market.
In the DEX sector, this competitive resource specifically refers to the liquidity incentive rewards distributed by the official team to liquidity pools. The proportion of rewards allocated to different liquidity pools is determined through governance voting. To gain voting rights, one must lock their governance tokens for a long period, thus reducing the circulating supply in the market, which is beneficial for market cap growth. The more votes a liquidity pool receives, the more BAL incentives it will be allocated. This setup can lead third-party projects to bribe veBAL holders to increase the liquidity of their tokens, usually facilitated by dedicated DAPPs. However, an inherent flaw in Balancer's veBAL design was discovered and exploited by Humpy.
We know that the core business model for a DEX is transaction fees. To attract more traders to use their platform, DEXs go to great lengths to increase their liquidity, thereby providing a low slippage trading experience to attract users. Therefore, the design of veBAL cannot deviate from this core objective of increasing transaction fees. However, in its initial design, there were no restrictions on the types of liquidity pools; it solely depended on the total number of votes the pool received. This created a problem: as long as a pool could somehow garner enough veBAL votes, it could receive a large proportion of BAL liquidity incentives, even if it had no trading volume. This opened up opportunities for whales, leading to Humpy's involvement.
Humpy's core attack strategy consisted of two parts. First, gaining absolute control over the liquidity of a specific pool, thus securing the majority of rewards during liquidity mining. Second, securing a massive amount of votes for the pool under their control to capture the majority of BAL incentive distribution, thereby achieving control over the protocol. To this end, Humpy first targeted tokens from projects with inactive trading but inflated market caps, thereby reducing potential competition. The second step was to create a liquidity pool with extremely high fees (1%), discouraging users from trading, which reduced the willingness of potential LPs attracted by fees to participate. Through these tactics, Humpy achieved absolute control over a specific liquidity pool. Subsequently, they purchased a large number of BAL tokens from the secondary market, staked them to acquire veBAL, and voted for their liquidity pool, thereby obtaining the majority of BAL allocations. However, this incentive release did not improve Balancer, as no additional transaction fees were generated, only benefiting Humpy. This is an example of a conflict between the interests of whales and the long-term development of the project, resulting in inevitable contradictions.
In practice, the official team at Balancer did not sit idly by. They countered Humpy's vampire attack with new proposals, such as specifying the range of pools eligible for liquidity incentives, requiring official application and approval for any expansions, and setting limits on the proportion of rewards that could be allocated to a single pool. Despite a series of countermeasures, Balancer eventually reached a settlement with Humpy. Nevertheless, this did not prevent Humpy from gradually achieving control over Balancer through these methods, as evidenced by becoming the second-largest holder. This set the stage for Humpy's recent attack on Compound.
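The allocation flaw and two of the countermeasures described above (an eligible-pool list and a per-pool cap) can be modelled in a few lines. This is an added illustration, not Balancer's code; the pool names, vote counts, emission figure and the 50% cap are constructed sample values.

```python
from fractions import Fraction

# Constructed sample: a high-fee pool with no trading volume holds 60% of the votes.
VOTES = {"whale_pool": 600, "eth_usdc": 250, "wbtc_eth": 150}
EMISSION = 100_000  # incentive tokens distributed in one period (constructed)

def allocate(votes, emission, allowlist=None, cap=None):
    """Split `emission` across pools in proportion to governance votes.

    allowlist: optional set of pools approved to receive incentives.
    cap: optional maximum share (0..1) for any single pool; the excess
         is redistributed pro rata to the pools still under the cap.
    """
    active = {p: Fraction(v) for p, v in votes.items()
              if v > 0 and (allowlist is None or p in allowlist)}
    shares = {p: Fraction(0) for p in votes}
    cap_f = Fraction(str(cap)) if cap is not None else None
    remaining = Fraction(1)
    while active:
        total = sum(active.values())
        # Pools whose pro-rata share of what is left would exceed the cap.
        over = [p for p, v in active.items()
                if cap_f is not None and remaining * v / total > cap_f]
        if not over:
            for p, v in active.items():
                shares[p] = remaining * v / total
            break
        for p in over:  # pin them at the cap and re-split the rest
            shares[p] = cap_f
            remaining -= cap_f
            del active[p]
    # If every pool hits the cap, the leftover emission stays undistributed.
    return {p: float(s * emission) for p, s in shares.items()}

if __name__ == "__main__":
    print("votes only :", allocate(VOTES, EMISSION))
    print("50% cap    :", allocate(VOTES, EMISSION, cap=0.5))
    print("allowlist  :", allocate(VOTES, EMISSION,
                                   allowlist={"eth_usdc", "wbtc_eth"}))
```

With votes as the only input, the zero-volume pool takes 60% of the emission; the cap bounds the damage, while the allowlist removes the pool from the distribution entirely.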
By forcibly seizing the governance rights of a large amount of idle COMP in the Compound Treasury, Humpy took over Compound.
The above events occurred in 2022. After a two-year hiatus, Humpy began targeting another established DeFi protocol, which is the recent event we're discussing. This time, it had nothing to do with veBAL but instead focused on the governance rights associated with a large amount of idle COMP in the Compound Treasury.
This time, Humpy did not directly participate in the entire operation but rather manipulated the situation through a project called Golden Boys (which could also be considered an organization). The project is essentially a financial meme. What does this mean? Its core product is an ERC-20 token called $GOLD. However, the official narrative imbued it with expectations beyond mere cultural value, emphasizing throughout the website and blog that $GOLD's value is maintained by the whale Humpy, leveraging years of experience and vast financial and resource advantages. Holding $GOLD is akin to riding on the back of a whale. In reality, there are no structured financial products or yield aggregations; instead, $GOLD and some mainstream tokens are distributed with liquidity incentives. Some of these incentives are newly issued $GOLD, while others are BAL rewards. This is naturally due to Humpy's influence over Balancer, using their significant veBAL holdings to allocate relatively high liquidity mining rewards (one can't help but lament the difficulty of defending against such takeovers).
After preparing all this, Humpy created a new Vault product called goldCOMP Vault. In simple terms, users could stake their COMP in this Vault, relinquishing their governance rights to Golden Boys and receiving a staking certificate called goldCOMP. This is a transferable certificate that users could provide as liquidity in the 99goldCOMP-1WETH pool on Balancer, with the 99 and 1 representing the corresponding weights. This setup basically ensured minimal trading slippage and negligible impermanent loss.
After staking liquidity, users could receive $GOLD as liquidity incentives. Note that the rewards here are not BAL but $GOLD, which naturally allows the Golden Boys to control the pool's interest rates, as it is under their control. The current interest rate is 180%, though the TVL is still low. However, I'm not sure when Balancer started supporting third-party tokens directly as staking incentives displayed on their official website, as I haven't kept up with the project's progress for a while. If this isn't an official setting that can be publicly adjusted, it only underscores the helplessness of being taken over!
After setting all this up, Golden Boys launched a governance attack on Compound. In May of this year, they submitted their first proposal, which requested transferring 5% of the COMP controlled by the Compound Treasury, approximately 92,000 COMP, to Golden Boys' multi-signature wallet. This COMP would then be staked in the goldCOMP Vault to earn liquidity mining rewards, locked for one year. Of course, the goal was to obtain the governance rights associated with these tokens. Unsurprisingly, the proposal did not pass, as the partner seemed rudimentary and lacked actual business support. Furthermore, the entire handling of the tokens after distribution relied on a multi-signature wallet, which made malicious intent seem more likely, so the proposal faced widespread opposition from the community.
However, Humpy did not give up and chose to engage with community members, arguing that using Compound's timelock contract to approve any multi-signature wallet's use of these tokens could alleviate these concerns. Therefore, they launched a second proposal on July 20th, requesting the same amount but with an additional measure to implement the aforementioned effect through a Trust Setup contract, thereby overseeing the multi-signature wallet. However, upon examining the contract's code, it only defined three states. Once the Compound timelock changed the contract's state to allow investment, the multi-signature wallet could use these tokens freely. This proposal was also rejected, but the number of votes in favor increased significantly. This gave the impression that Golden Boys were continuously optimizing the proposal and gaining more approval, until today, when the third proposal was passed, leaving everyone dumbfounded.
It is essential to note that today's approved proposal had a crucial difference: the amount of COMP requested was no longer 92,000 but a staggering 499,000. This time, the community, confident of easily defeating Humpy's "scheme," was shocked when the proposal passed by a narrow margin, with support votes surging sixfold in just ten days. This was evidently an outcome the community had not anticipated and clearly a carefully orchestrated move by Humpy. With the passage of this proposal, Humpy will effectively become the owner of Compound, dominating any proposals. Considering that their current holdings exceed those of the opposition, coupled with the newly obtained voting rights of 499,000 COMP, Compound will undoubtedly be taken over.
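The warning signs in this sequence (a jump in the amount requested, a sudden surge in supporting votes, and a recipient whose post-transfer voting power would exceed the opposition) can be checked mechanically by a governance monitor. The following is an added example, not code from Compound or the author; the requested amounts come from the article, while the proposal labels, vote tallies, recipient holdings and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Proposal:
    pid: str            # constructed label, not an on-chain proposal id
    token_request: int  # governance tokens requested from the treasury
    for_votes: int      # constructed tally
    against_votes: int  # constructed tally

# Requests of 92,000 / 92,000 / 499,000 COMP are from the article; votes are constructed.
HISTORY = [
    Proposal("first",  92_000,  40_000, 300_000),
    Proposal("second", 92_000, 100_000, 350_000),
    Proposal("third", 499_000, 600_000, 590_000),
]

def screen(history, recipient_votes, surge_ratio=3.0, escalation_ratio=2.0):
    """Return {pid: [flags]} for one proposer's consecutive treasury requests.

    recipient_votes: voting power the recipient already controls (assumed input).
    surge_ratio / escalation_ratio: alert thresholds (hypothetical defaults).
    """
    findings, prev = {}, None
    for p in history:
        flags = []
        # Tokens leaving the treasury carry voting power: compare the recipient's
        # post-transfer weight with the opposition mobilised on this vote.
        if recipient_votes + p.token_request > p.against_votes:
            flags.append("recipient_would_outvote_opposition")
        if prev is not None:
            if p.token_request >= escalation_ratio * prev.token_request:
                flags.append("request_escalated")
            if prev.for_votes and p.for_votes >= surge_ratio * prev.for_votes:
                flags.append("for_vote_surge")
        if p.for_votes > p.against_votes:
            flags.append("passing")
        findings[p.pid] = flags
        prev = p
    return findings

if __name__ == "__main__":
    for pid, flags in screen(HISTORY, recipient_votes=100_000).items():
        print(pid, flags or "no flags")
```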
The impact of this incident is unprecedented. Any DeFi product will need to re-examine its governance model to avoid similar issues. I will continue to monitor the developments. With Balancer's previous experiences, it is hard to predict the final outcome of the conflict within the Compound community.
Update
As of the time of writing, it has been learned that the Compound community has preliminarily reached a settlement with Humpy. Humpy has agreed to forgo the demand for the COMP tokens. Instead, Compound will share 30% of the protocol's annual incremental total revenue with COMP token holders. Previously, these revenues were controlled by the team as market reserves. With this change, COMP tokens have officially become a yield-bearing asset. Once again, Humpy has emerged victorious in the governance war!