Author: Grapefruit, ChainCatcher
Editor: Marco, ChainCatcher
On July 29, "499,000 COMP tokens worth $25 million" were voted by the community to be "legally" transferred from the Compound treasury to A strange and unmonitorable multi-signature address triggered a DAO governance attack storm.
After the COMP transfer proposal was passed, the COMP token price fell by nearly 7% in 24 hours, from $50 to $46.6.
On July 30, Compound Growth Officer Bryan Colligan said that after communicating with the giant whale behind this proposal, Stake COMP (referred to as stCOMP), a pledge product for COMP tokens, was launched. This product will be controlled by Compound DAO, and the future of the Compound protocol will be 30% of the new market reserves each year will be distributed to COMP stakers as a condition for canceling the proposal.
Currently, the 289 proposal "COMP transfer worth US$24 million" has been cancelled. Affected by this news, the COMP token rose by more than 13% during the day, and is now quoted at US$51.4.
Review of the storm: It took three proposals to get final approval
On July 29, a proposal on the transfer of treasury asset COMP that was voted by the DeFi lending protocol Compound community triggered accusations of governance attacks from community members. Proposal 289 proposes to transfer 5% of Compound’s treasury funds (499,000 COMP tokens worth approximately $24 million) to goldCOMP, a revenue protocol designed by the Golden Boys, for a period of one year.
After combing through the proposals, it was found that the proposal to "transfer 499,000 COMP tokens to the new protocol" was not passed overnight. It was canceled twice and the motives were questioned. It was not until the third proposal that it was almost approved. pass.
The proposal "Invest 5% of COMP from the treasury into the goldCOMP protocol" first appeared in Proposal 247 on May 6th, which proposed that the Compound treasury invest 5% of its COMP holdings into the goldCOMP protocol created by Golden Boys goldCOMP agreement, but was canceled because the number of participants in the proposal voting failed to reach the quorum.
On July 15th, "Establishing a trust for GoldCOMP invested by DAO" appeared again in community proposal 279. The proposal wrote that the goldCOMP protocol created by Golden Boys can provide income for the COMP agent and proposed to transfer treasury funds 92,000 COMP are added to the agreement for one year to earn profits. The proposal was canceled on July 20 due to a lack of quorum.
On July 24, the information "Trust Setup for DAO Investment in GoldCOMP" appeared again in Proposal 289. This proposal proposed to invest 499,000 COMP tokens in the treasury into the GoldCOMP protocol for a period of one year.
But after Proposal 247 was released in May, the security company OpenZeppelin prompted on the community forum that this may be a governance attack.
He explained that Proposal 247 proposed to transfer 5% of the COMP tokens in the treasury to a multi-signature claimed to be controlled by the "Golden Boys" and invest the funds in the goldCOMP protocol, but the proposer did not inform the community Revealing one's identity and the proposal has not been discussed in the forum beforehand may be a governance attack.
Wintermute’s governance account also stated that directly proposing on-chain proposals without forum or community discussion is opposed, and there is no sufficient reason why COMP needs to be moved to multi-signature and out of the control of the DAO.
In a later “trust setup” proposal, Wintermute questioned whether the action actually prevented the transfer of funds, writing that any kind of withdrawal action (divestment) is completely controlled by GoldenBoyzMultisig, which means that the DAO cannot recall funds on its own.
After many obstacles and doubts, the proposal of "investing 499,000 COMP tokens into the GoldCOMP protocol" was finally approved on July 29 with 682,000 votes in favor and 633,000 votes against.
Although the proposal is a legal process, Compound community users have many questions and concerns about the adoption of the proposal "499,000 COMP were transferred to an unknown protocol". Why was the proposal to transfer COMP treasury assets passed without public discussion on the community forum? ? Was the vote rigged? How secure is the COMP token in the goldCOMP protocol? Will he take the money and run away? etc.
Michael Lewellen, security solutions architect at OpenZeppelin and security consultant at Compound, pointed out on goldCOMP product proposal, and force the proposal through the approval process by controlling the number of COMP tokens.
隨後被爆出,Compound社群的289案是巨鯨Humpy在背後操縱投票方向,企圖透過利用DAO的治理流程來獲取更多的個人利益。
Humpy利用自己的投票權將價值2500萬美元從Compound金庫直接存入自己的goldCOMP金庫中,用於Golden Boys社區。其中,Golden Boys社群也發行了治理代幣GOLD,在Compound事件後,其價值翻了一番,GOLD代幣當日漲幅超46%,獲利豐厚。
DeFi協定為何屢次遭遇治理攻擊?該如何避免?
雖然是Humpy行為是合法的,但它引發了關於去中心化DAO治理的問題思考,巨鯨可透過控制投票方向來影響為自己獲取重大利益的決策走向。
儘管Compound最終宣布以推出代幣COMP質押產品stCOMP為條件,取消了289提案,將本次治理攻擊危機轉化為了對COMP代幣的應用場景及收益的賦能,如未來協議收入將以COMP形式獎勵(減少DAO儲備)給COMP質押用戶,Compound的收入與COMP價格掛鉤等,並迎來了用戶的反饋好評,但此類治理攻擊事件在DeFi應用中不是第一次,也不會是最後一次。
早在2022年,Humpy就曾在透過大量控制DeFi協議Balancer的代幣veBAL來影響該協議的代幣排放方向和發行量,為自己獲利,並與專案方上演了貓鼠遊戲。
今年三月,Humpy還被SushiSwap的Jared Grey指控發動攻擊,他表示,如果Humpy治理攻擊得逞,就會透過增加SUSUI代幣發行量來榨取Sushi的價值。
為何DeFi協定一再發生此類治理,類似的DAO攻擊劫持行為該如何避免?
加密用戶Esk3nder表示,目前DeFi DAO治理攻擊基本上有兩種形式,一種是金融性質的,主要目的是從國庫中獲取資金;另一種是治理形式的攻擊,主要是透過增加投票權來控制治理。
其中,Humpy對Balancer和SushiSwap的攻擊都是試圖透過控制協議的代幣發行量來獲取更多的資金;而對Compound的攻擊則是透過控制投票權來影響決策,對協議的影響會更大。
用戶SOSE表示,DeFi協議的治理攻擊更多是與DeFi失敗的代幣經濟學策略有關。就拿本次Compound攻擊來說,COMP代幣自2021年以來持續下跌,也是DeFi崩盤的代表性案例,COMP代幣的下跌讓代幣累積起來更加容易,從而導致代幣更容易被大戶控制,而現在DeFi協議的治理權往往透過代幣持有量的權重來決定的,這就必然會成為大戶逐利的遊戲。
雖然為取消289提案,Compound提出的stCOMP質押方案為COMP代幣經濟帶來了新變化,如COMP質押導致賣方流動性短期減少、Compound協議的收入與COMP價格掛鉤等,並在社區達成了共識,但從Compound DAO的角度來看,這是被迫的行為,Humpy仍有很大可能再次從這種情況中受益。
他提醒道,DeFi DAO應該根據這些案例考慮應對治理攻擊和代幣經濟學的策略。
而DeFi資深玩家@DefiIgnas認為,現在DeFi協議的官方DAO組織不作為更讓人惱火,他解釋道Compound上的多個提案都是悄悄通過的,如7月份V3推出的USDT市場等,現在Compound官方社群媒體甚至沒有轉發過相關提案,導致許多DAO代表團錯過了相關提案的投票,現在如何讓DAO組織更多人員參與進來才是關鍵。
以上是複盤 COMP 2500 美元治理攻擊,DeFi 協議為何屢次遭遇 DAO 攻擊?的詳細內容。更多資訊請關注PHP中文網其他相關文章!
