Review of the $2500 governance attack on COMP, why do DeFi protocols repeatedly suffer DAO attacks?

Author: Xiyu, ChainCatcher

Editor: Marco, ChainCatcher

On July 29th, a community vote "legally" transferred "49.9 million COMP tokens worth $25 million" from the Compound treasury to an unfamiliar and unmonitored multi-signature address, triggering a DAO governance attack storm.

After the COMP transfer proposal was approved, the price of COMP tokens fell by nearly 7% within 24 hours, dropping from $50 to $46.6.

On July 30th, Bryan Colligan, Growth Lead at Compound, announced the launch of Stake COMP (referred to as stCOMP), a staking product for COMP tokens controlled by the Compound DAO. As a condition for canceling the proposal, 30% of the additional market reserve funds added by the Compound protocol each year will be allocated to COMP stakers.

Proposal 289, the "$24 million COMP transfer" proposal, has been canceled. On this news, the price of COMP tokens surged by over 13% within the day, and the token currently trades at $51.4.

Review of the Storm: Three Proposals Before Final Approval

On July 29th, a proposal regarding the transfer of COMP treasury assets sparked accusations of a governance attack within the Compound community. Proposal 289 suggested transferring 5% of the Compound treasury funds (approximately 49.9 million COMP tokens worth $24 million) to goldCOMP, an income protocol designed by Golden Boys, for a period of one year.

A review of the record shows that the proposal to "transfer 49.9 million COMP tokens to a new protocol" was not approved on its first attempt. It was canceled twice and its motives were questioned before it was almost approved on the third attempt.

The proposal to "invest 5% of the COMP in the treasury into the goldCOMP protocol" first appeared as proposal 247 on May 6th. It suggested that the Compound treasury invest 5% of its COMP holdings into the goldCOMP protocol created by Golden Boys. However, the proposal was canceled because participation did not reach the required threshold.

On July 15th, the idea reappeared as proposal 279, which suggested "establishing a trust for GoldCOMP invested by DAO." It stated that the goldCOMP protocol created by Golden Boys could provide income for COMP agents and proposed transferring 92,000 COMP from the treasury to the protocol for a year to earn income. On July 20th, the proposal was canceled because it failed to reach the required number of participants.

On July 24th, the idea reappeared again as proposal 289, described as "setting up a trust for DAO investment in GoldCOMP." The proposal suggested investing 49.9 million COMP tokens from the treasury into the GoldCOMP protocol for a year.

However, after the release of proposal 247 in May, the security company OpenZeppelin warned on the community forum that this could be a governance attack.

They explained that proposal 247 suggested transferring 5% of the COMP tokens from the treasury to a multi-signature address controlled by "Golden Boys" and investing the funds in the goldCOMP protocol. The individuals behind the proposal did not disclose their identities to the community, and the proposal was not discussed on the forum beforehand, so it could be a governance attack.

Wintermute's governance account also stated that it opposes putting proposals on-chain without prior discussion in the forum or community, and that no sufficient reason had been given for why COMP should be transferred to a multi-signature address and removed from DAO control.

Responding to the later "trust setting" proposal, Wintermute questioned whether this arrangement actually prevented the transfer of funds, stating that any withdrawal of funds is completely controlled by GoldenBoyzMultisig, meaning that the DAO cannot recall the funds.

After numerous obstacles and questioning, the proposal to "invest 49.9 million COMP tokens in the GoldCOMP protocol" was finally approved on July 29th with 682,000 votes in favor and 633,000 votes against.

Although the proposal went through a legal process, Compound community users have many doubts and concerns about the approval of the proposal to transfer "49.9 million COMP to an unknown protocol." Why was the COMP treasury asset transfer proposal approved without public discussion on the community forum? Was the voting manipulated? How secure are the COMP tokens transferred to the goldCOMP protocol? Is there a risk of embezzlement?

Michael Lewellen, a security consultant at Compound and security architect at OpenZeppelin, pointed out that multiple accounts made large purchases of COMP tokens on the open market and repeatedly proposed transferring the COMP holdings to the goldCOMP product created by Golden Boys, forcing the proposal through by controlling a large quantity of COMP tokens.

It was later revealed that the vote on proposal 289 in the Compound community was manipulated by the whale Humpy, who attempted to use the DAO's governance process to gain more personal benefits.

Humpy used his voting rights to directly deposit $25 million from the Compound treasury into his own goldCOMP treasury for the Golden Boys community. Additionally, the Golden Boys community issued governance token GOLD, which doubled in value after the Compound incident, with the GOLD token's daily increase exceeding 46%, resulting in substantial profits.

Why Do DeFi Protocols Repeatedly Face Governance Attacks? How to Avoid Them?

Although Humpy's behavior was legal, it raised questions about decentralized DAO governance. Whales can influence decision-making to obtain significant benefits for themselves by controlling the voting direction.

Compound ultimately announced the launch of the stCOMP token as a condition for canceling proposal 289, turning the governance attack crisis into added utility and returns for COMP tokens: protocol income is rewarded in COMP to COMP stakers (reducing DAO reserves), and Compound's income is linked to the COMP price. The move received positive feedback from users. Even so, such governance attacks are not the first in DeFi applications and will not be the last.

As early as 2022, Humpy had attempted to influence the token emission direction and issuance volume of the DeFi protocol Balancer by controlling a large amount of veBAL tokens for personal gain, engaging in a cat-and-mouse game with the project team.

In March of this year, Jared Grey of SushiSwap accused Humpy of launching an attack. Grey stated that if Humpy's governance attack succeeded, it would increase the issuance of the SUSHI token to extract value from Sushi.

Why do DeFi protocols repeatedly face such governance attacks, and how can similar DAO hijacking behaviors be avoided?

Esk3nder, a crypto user, stated that there are basically two forms of DeFi DAO governance attacks. One is financial in nature, mainly aimed at obtaining funds from the treasury, and the other is governance-based attacks, mainly aimed at controlling governance by increasing voting rights.

Humpy's attacks on Balancer and SushiSwap were attempts to obtain more funds by controlling the protocol's token issuance, while the attack on Compound was aimed at influencing decision-making by controlling voting rights, which would have a greater impact on the protocol.

User SOSE stated that governance attacks on DeFi protocols are more related to the failed token economics strategies of DeFi. Taking the recent Compound attack as an example, the continuous decline of the COMP token since 2021 is also a representative case of the collapse of DeFi. The decline of the COMP token makes it easier to accumulate tokens, leading to easier control by large holders. Currently, governance rights of DeFi protocols are often determined by the weight of token holdings, which inevitably becomes a game for large holders to pursue profits.

The stCOMP staking proposal that Compound put forward to get proposal 289 canceled has brought new changes to the COMP token economy, such as reduced short-term sell-side liquidity because COMP is staked and the linkage of the Compound protocol's income to the COMP price, and it has reached consensus in the community. From the perspective of the Compound DAO, however, this was a forced action, and Humpy still has a high possibility of benefiting from this situation again.

He cautioned that DeFi DAOs should use these cases to think through their responses to governance attacks and their token economics strategies.

Meanwhile, DeFi veteran player @DefiIgnas believes that the inaction of official DAO organizations of DeFi protocols is even more frustrating. He explained that multiple proposals on Compound have been quietly approved, such as the USDT market launched in July, and now the official social media of Compound has not even reposted the relevant proposals, causing many DAO representatives to miss the voting on relevant proposals. The key now is how to get more people involved in DAO organizations.
