Alleged Compound Finance Attack Puts DAO Governance Models Under Scrutiny

• Compound Finance has allegedly become the victim of a governance attack.
• The alleged attack has sparked scrutiny of the governance models of DAOs.
• Some argue that Compound’s problems go beyond a faulty governance model.

For all their promise to create more transparent and community-driven organizations, DAOs face significant governance hurdles. In perhaps the latest event highlighting these challenges, a whale has prevailed against community concerns to pass a Compound Finance proposal to divert a substantial percentage of the protocol’s treasury to a little-known yield-bearing project.

Third Time’s the Charm? Questionable Compound Finance Proposal Passes 

Compound Finance has allegedly become the victim of a governance attack. On Sunday, July 28, a proposal to allocate 5% of the protocol’s treasury, about 499,000 COMP worth over $23.4 million at the time of writing, to a yield-bearing protocol called goldCOMP run by a group called Golden Boys passed with 682,191 votes to 633,636.

Several community members have labeled the proposal’s passing as an attack as the entities behind the proposal had allegedly acquired about 325,333 COMP, only 74,667 COMP less than the 400,000 COMP governance quorum threshold, to manipulate the votes. 

The supposed attack led by a whale known aptly as “Humpy” had begun over two months ago and seen two failed attempts to pass the proposal, with the initial effort coming on May 6. This first proposal , however, had immediately raised red flags. 

Compound Finance DAO Security Advisor Michael Lewellen had highlighted the suspicious COMP delegations preceding the proposal, which sought to put a substantial amount of the COMP treasury in a multi-sig wallet out of the DAO’s control while noting that it had not been put up for discussion on community forums as is the usual practice. The resulting backlash forced Humpy to cancel the proposal days later.

Humpy will try again with another proposal on July 15 after providing more details about the multisig on GitHub . This second proposal, however, failed to reach the quorum.

With the recent passing of the proposal on the third attempt despite apparent red flags, several questions have been asked of the governance mechanisms of DAOs, primarily as Humpy had employed a similar tactic on Balancer two years prior.

The Result of a Faulty Governance Model?

As with many other DeFi protocols, Compound Finance DAO and Balancer DAO operate a governance model where voting power is determined by the number of tokens a delegate holds. This method is widely adopted because of its simplicity and alignment with token utility. However, as highlighted by the actions of Humpy, this model is easily exploited by users with significant capital.

Reacting to the alleged Compound Finance attack, Curve Founder Michael Egorov touted Curve’s vote escrow tokenomics, ve-tokenomics, which requires DAO voters to lock up tokens for four years in exchange for voting power, with a high quorum requirement as the better approach. Egorov asserted that the alleged Compound Finance attack could not be replicated on Curve.

However, not everyone agreed with Egorov’s view that the ve-tokenomics model alone was the answer. As Progrmd Capital investor Sonya Kim highlighted, those with significant capital still maintain an upper hand in the ve-tokenomics model. Kim tipped adopting a dual governance system involving a trusted committee as a last line of defense and clearly defined DAO roles as potential fixes for better governance.

Amid these questions around Compound Finance DAO’s governance mechanism, however, some have suggested that the real culprit is apathy from the Compound Finance team and community members. Summing up this view, prominent DeFi researcher Ignas wrote:

"Only 57 addresses cast their votes for the goldCOMP proposal. Where was everyone else? It seems nobody cares. Barely ~20 addresses typically participate in DAO votes."

On the Flipside

• Humpy has maintained that his actions have been mischaracterized and do not equate to theft.
• Another Compound delegate has submitted a proposal to implement a “timelock” to delay the execution of passed governance proposals by two days to allow the community to intervene if similar incidents occur.

Why This Matters

DeFi protocols and the DAOs that manage them often control millions and sometimes billions of dollars in funds. How these funds are managed directly impacts the progress of these protocols and the fortune of their users. However, most DAOs’ governance mechanisms leave much to be desired.

Read this for more on recent DeFi attacks:
100+ DeFi Projects Risk DNS Attack: Are You Affected?

Polygon has teased a new AggLayer addition. Learn more:
Polygon (MATIC) to Unlock AltVM “Floodgates” with Teased Agglayer Addition