Author: Grapefruit, ChainCatcher
Editor: Marco, ChainCatcher
On July 29, "499,000 COMP tokens worth $25 million" were voted by the community to be "legally" transferred from the Compound treasury to A strange and unmonitorable multi-signature address triggered a DAO governance attack storm.
After the COMP transfer proposal was passed, the COMP token price fell by nearly 7% in 24 hours, from $50 to $46.6.
On July 30, Compound Growth Officer Bryan Colligan said that after communicating with the giant whale behind this proposal, Stake COMP (referred to as stCOMP), a pledge product for COMP tokens, was launched. This product will be controlled by Compound DAO, and the future of the Compound protocol will be 30% of the new market reserves each year will be distributed to COMP stakers as a condition for canceling the proposal.
Currently, the 289 proposal "COMP transfer worth US$24 million" has been cancelled. Affected by this news, the COMP token rose by more than 13% during the day, and is now quoted at US$51.4.
Review of the storm: It took three proposals to get final approval
On July 29, a proposal on the transfer of treasury asset COMP that was voted by the DeFi lending protocol Compound community triggered accusations of governance attacks from community members. Proposal 289 proposes to transfer 5% of Compound’s treasury funds (499,000 COMP tokens worth approximately $24 million) to goldCOMP, a revenue protocol designed by the Golden Boys, for a period of one year.
After combing through the proposals, it was found that the proposal to "transfer 499,000 COMP tokens to the new protocol" was not passed overnight. It was canceled twice and the motives were questioned. It was not until the third proposal that it was almost approved. pass.
The proposal "Invest 5% of COMP from the treasury into the goldCOMP protocol" first appeared in Proposal 247 on May 6th, which proposed that the Compound treasury invest 5% of its COMP holdings into the goldCOMP protocol created by Golden Boys goldCOMP agreement, but was canceled because the number of participants in the proposal voting failed to reach the quorum.
On July 15th, "Establishing a trust for GoldCOMP invested by DAO" appeared again in community proposal 279. The proposal wrote that the goldCOMP protocol created by Golden Boys can provide income for the COMP agent and proposed to transfer treasury funds 92,000 COMP are added to the agreement for one year to earn profits. The proposal was canceled on July 20 due to a lack of quorum.
On July 24, the information "Trust Setup for DAO Investment in GoldCOMP" appeared again in Proposal 289. This proposal proposed to invest 499,000 COMP tokens in the treasury into the GoldCOMP protocol for a period of one year.
But after Proposal 247 was released in May, the security company OpenZeppelin prompted on the community forum that this may be a governance attack.
He explained that Proposal 247 proposed to transfer 5% of the COMP tokens in the treasury to a multi-signature claimed to be controlled by the "Golden Boys" and invest the funds in the goldCOMP protocol, but the proposer did not inform the community Revealing one's identity and the proposal has not been discussed in the forum beforehand may be a governance attack.
Wintermute’s governance account also stated that directly proposing on-chain proposals without forum or community discussion is opposed, and there is no sufficient reason why COMP needs to be moved to multi-signature and out of the control of the DAO.
In a later “trust setup” proposal, Wintermute questioned whether the action actually prevented the transfer of funds, writing that any kind of withdrawal action (divestment) is completely controlled by GoldenBoyzMultisig, which means that the DAO cannot recall funds on its own.
After many obstacles and doubts, the proposal of "investing 499,000 COMP tokens into the GoldCOMP protocol" was finally approved on July 29 with 682,000 votes in favor and 633,000 votes against.
Although the proposal is a legal process, Compound community users have many questions and concerns about the adoption of the proposal "499,000 COMP were transferred to an unknown protocol". Why was the proposal to transfer COMP treasury assets passed without public discussion on the community forum? ? Was the vote rigged? How secure is the COMP token in the goldCOMP protocol? Will he take the money and run away? etc.
Michael Lewellen, security solutions architect at OpenZeppelin and security consultant at Compound, pointed out on goldCOMP product proposal, and force the proposal through the approval process by controlling the number of COMP tokens.
It was subsequently revealed that Case 289 in the Compound community was that Humpy, the giant whale, was manipulating the voting direction behind the scenes in an attempt to obtain more personal benefits by using the DAO's governance process.
Humpy used his voting power to deposit $25 million worth from the Compound vault directly into his own goldCOMP vault for the Golden Boys community. Among them, the Golden Boys community also issued the governance token GOLD. After the Compound incident, its value doubled. The GOLD token rose by more than 46% that day, making huge profits.
DeFiWhy do protocols encounter governance attacks repeatedly? How to avoid it?
Although Humpy’s behavior is legal, it raises questions about decentralized DAO governance. Giant whales can influence the direction of decisions to obtain significant benefits for themselves by controlling the direction of voting.
Although Compound finally announced that it would cancel Proposal 289 on the condition of launching the token COMP pledge product stCOMP, it transformed this governance attack crisis into the empowerment of COMP token application scenarios and benefits. For example, future protocol income will be generated from COMP In the form of rewards (reduction of DAO reserves) to COMP staking users, Compound’s income is linked to COMP price, etc., and has received favorable feedback from users, but this type of governance attack is not the first time in DeFi applications, nor will it be the last once.
As early as 2022, Humpy was controlling the DeFi protocol Balancer’s token veBAL to influence the protocol’s token emission direction and issuance, profiting for himself, and playing a cat-and-mouse game with the project team.
In March this year, Humpy was also accused of launching an attack by Jared Gray of SushiSwap. He said that if the Humpy governance attack succeeds, it will squeeze the value of Sushi by increasing the issuance of SUSUI tokens.
Why do such governance occur repeatedly in DeFi protocols? How to avoid similar DAO attacks and hijacking behaviors?
Crypto user Esk3nder said that currently there are basically two forms of DeFi DAO governance attacks, one is financial in nature, the main purpose is to obtain funds from the treasury; the other is a governance form of attack, mainly by increasing voting rights to control governance.
Among them, Humpy’s attacks on Balancer and SushiSwap are all attempts to obtain more funds by controlling the token issuance of the protocol; while the attack on Compound is to influence decision-making by controlling voting rights, which will have a greater impact on the protocol. big.
User SOSE stated that governance attacks on DeFi protocols are more related to DeFi’s failed token economics strategy. Take this Compound attack as an example. The COMP token has continued to fall since 2021, which is also a representative case of the DeFi collapse. The decline of the COMP token makes it easier to accumulate tokens, making it easier for the tokens to be controlled by large investors. Nowadays, the governance rights of DeFi protocols are often determined by the weight of token holdings, which will inevitably become a profit-seeking game for large investors.
Although in order to cancel the 289 proposal, the stCOMP staking plan proposed by Compound has brought new changes to the COMP token economy, such as COMP staking leading to a short-term reduction in seller liquidity, the income of the Compound protocol being linked to the COMP price, etc., and has been reached in the community Consensus, but from the perspective of Compound DAO, this is a forced behavior, and there is still a high possibility that Humpy will benefit from this situation again.
He reminded that DeFi DAO should consider strategies to deal with governance attacks and token economics based on these cases.
And senior DeFi player @DefiIgnas believes that the inaction of the official DAO organization of the DeFi protocol is even more annoying. He explained that many proposals on Compound were passed quietly, such as the USDT market launched by V3 in July. Now, Compound’s official social media did not even forward the relevant proposals, causing many DAO delegations to miss the voting on relevant proposals. Now how to get more people from the DAO organization to participate is the key.
The above is the detailed content of Review of the COMP $2,500 governance attack. Why has the DeFi protocol been repeatedly attacked by DAO?. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
