Decentralized lending protocol Compound Finance appears to be the unlikely victim of a governance attack – a situation in which a party with significant voting power manages to sway the outcome of protocol governance.
A proposal to allocate $24 million worth of COMP, or 5% of the protocol treasury, to a yield bearing strategy run by a group called the Golden Boys has just passed. The proposal passed with 682,191 voted in favor to 633,636 votes against after voting concluded over the weekend.
The problem is that the same group had tried and failed to pass the proposal twice before, with Compound governance members raising security concerns over transferring the tokens to a multi-sig wallet outside the DAO’s control.
Compound governance delegate and OpenZeppelin security solutions architect Michael Lewellen accused the Golden Boys group and its leader Humpy of operating in bad faith and executing a governance attack.
He also highlighted a series of new COMP delegations from five addresses that were observed withdrawing 230,333 COMP from Bybit — enough to reach the quorum threshold to pass a proposal.
“Their attempt to push through a proposal to take a large chunk of the Compound treasury without adequate protections appears to be a malicious attempt to steal funds from the protocol,” said Lewellen in the proposal.
His concerns were echoed by other governance delegates, including Wintermute, Columbia Blockchain, Penn Blockchain and Monet Supply.
Venture firm Dragonfly’s managing partner Haseeb Qureshi noted that Humpy had deployed a similar strategy on Balancer in 2022, using a large amount of BAL tokens to direct incentives to a pool he controlled.
“This is basically a DAO corporate raid, with a flavor of stripping/tunneling (where the raider strips out assets for personal gain),” Qureshi said.
Humpy disagreed with the accusations, saying on the governance forum that “steal funds” is a “wrongful and misleading phrase.”
“Requested investment goes through a Trust Setup with a constraint set of actions that doesn’t permit stealing/diverting of funds. On that note, I’d like to thank all holders who voted for our proposal,” said Humpy.
In response to the events, another Compound delegate put forth a proposal that would likely counter similar attempts to exploit governance. Proposal 290, or “Precautionary Transfer of Timelock Admin,” would implement a two-day delay before executing governance proposals. However, it is unclear whether this proposal will have any bearing on the Golden Boys proposal to divert treasury funds.
July 29th, 06:30 a.m. ET: The headline was updated for clarity reasons.