In-Depth Analysis of the Details and Purpose Behind the Compound Governance Attack: Whale Once Again Takes Over a Veteran DeFi Protocol

Author: @Web3Mario(_mario)

Summary: With the end of the BTC conference last weekend, details of the meeting continue to emerge, and they are basically not much different from my previous judgment: Trump’s strategy was to please BTC enthusiasts by cutting into energy policy and by signalling some changes in official attitude, specifically the so-called strategic reserve rhetoric, emphasizing its value as a commodity. What I didn’t expect is that the speech turned into a typical ‘Trump-style’ campaign rally again, using some unreasoned views and information to attack opponents, which inevitably makes people skeptical of the truthfulness of some of the promises he made. But basically, this matter has been settled, so I followed some other events and saw some interesting information: Compound encountered a governance attack. Because I have been involved in Decentralized Finance for a long time, I am very interested in this, so I delved into the ins and outs of the matter and dissected the details behind it to share with you. Overall, the governance attack on Compound is a Decentralized Finance Whale trying, through governance votes, to forcibly take over the governance rights of the idle COMP tokens in the Compound Treasury, so as to fully control the Compound protocol.

Legendary Whale Humpy Strikes Again, Successfully Seizing Balancer

Actually, this is not the first masterpiece of the legendary Whale. Prior to this, the Whale launched a governance attack on Balancer during the 2022 Decentralized Finance Summer era. By controlling a large number of BAL governance tokens and relying on Balancer’s veBAL mechanism, the Whale gained control over the majority of BAL incentives in liquidity pools, thus taking control of Balancer. Up until now, Humpy has become the second largest holder of BAL tokens, second only to the official team.


Messari has an excellent research report on this classic event. Interested friends can read it in detail. I don’t know how many friends are familiar with the veBAL mechanism of Balancer. Here, I will briefly review it. At that time, it was the Decentralized Finance Summer, and the innovative direction of each product revolved around how to achieve growth through well-designed tokenomics. Curve, as a core DEX for stablecoins, first introduced the veCRV mechanism as its tokenomics, and then achieved considerable results. Therefore, veToken became a popular design paradigm for DEX product tokenomics at that time.

Balancer, a similar star project, encountered an innovation bottleneck at that time, so it also chose to follow suit and launched its own veBAL mechanism. The essence of this mechanism is to adjust the allocation of a competitive resource within the product through voting governance, thereby creating widespread vote-bribery scenarios, bringing benefits to those who participate in governance, and stimulating the enthusiasm of the community to actively participate in product construction. It also found appropriate value support for governance tokens and was commonly described as ‘governance extraction value’ in the market at that time.

In the DEX arena, this competitive resource specifically refers to the liquidity incentive rewards, paid in governance tokens, that are allocated to the liquidity pools running on the DEX. The proportion of rewards allocated to different liquidity pools is determined by voting governance. If you want to obtain voting rights, you must lock your governance tokens for a long period of time, which reduces the circulating supply in the market and benefits the growth of market cap. The liquidity pool that gets more votes is allocated more BAL incentives, which can lead third-party projects to bribe users who hold veBAL voting rights with their own tokens in order to boost liquidity for their own token. Of course, this process is generally implemented through specialized DAPPs. However, there is a hidden danger in the veBAL design of Balancer, which was discovered and exploited by Humpy.

We know that for a DEX, the core business model is transaction fees. In order to attract more traders to use its product, a DEX tries to expand its liquidity in every possible way and attract users through a low-slippage trading experience. Therefore, the design of veBAL cannot deviate from this core goal, which is to maximize transaction fees. However, in its initial design, there was no restriction on the type of liquidity pool; allocation relied only on the total votes obtained by the pool. This brings a problem: as long as a pool can obtain enough veBAL votes through some means, it can receive a larger proportion of BAL liquidity incentives, even if the pool has no trading volume. This creates space for Whales, and hence Humpy comes in.

Humpy’s core attack strategy consists of two parts. First, it needs absolute control over the liquidity of a pool, so that it can obtain most of the rewards in the liquidity mining process. Second, it needs to obtain a massive number of votes for the pool it controls, in order to capture the majority of the BAL incentive allocation. This enables it to gain control over the protocol. Therefore, it first chooses tokens of projects with inactive trading but artificially high market cap to build a position, reducing potential competitors. It then establishes a liquidity pool with extremely high fees (1%) to reduce users’ willingness to trade, thus reducing the willingness of LPs attracted by fees to participate. Through these means, it achieves absolute control over a particular liquidity pool. Next, it purchases a large amount of BAL tokens on the secondary market, stakes them to obtain veBAL, and votes for its own liquidity pool, thus gaining the majority of the BAL allocation. However, this release of incentives does not make Balancer better, as it does not trigger more long-term fees, but only benefits Humpy. This is where the interests of the Whale diverge from the long-term development of the project, leading only to conflict.

In practice, the official team of Balancer did not sit still, but countered Humpy’s Vampire Attack through new proposals: for example, specifying the range of pools eligible for liquidity incentives and requiring official application and approval for expanding that range, setting a cap on the reward allocation ratio for individual pools, etc. After a series of confrontations, Balancer and Humpy reached a settlement. But judging from the results, this did not prevent Humpy from gradually gaining control of Balancer through these means, and the fact that it is the second largest holder is the most direct result. This also laid the groundwork for the attack it recently launched against Compound.
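The two countermeasures described above (an allowlist of eligible pools and a cap on any single pool's share) can be modelled in a few lines. This Python sketch is an added example, not Balancer's code; the pool names, vote counts, the 30% cap and the pro-rata redistribution of capped excess are constructed assumptions.

```python
# Added illustration, not Balancer's implementation. Pool names, vote counts,
# the cap value and pro-rata redistribution of capped excess are assumptions.

SAMPLE_VOTES = {            # constructed vote weights per pool
    "whale_pool": 600_000,  # no-volume pool controlled by one large voter
    "stable_pool": 200_000,
    "eth_pool": 150_000,
    "btc_pool": 50_000,
}

def allocate(votes, allowlist=None, cap=None):
    """Return {pool: share of emissions}; shares sum to 1.

    allowlist: pools approved for incentives (None = any pool, the original design)
    cap:       maximum share a single pool may receive (None = uncapped)
    """
    pools = {p: v for p, v in votes.items()
             if v > 0 and (allowlist is None or p in allowlist)}
    if not pools:
        return {}
    if cap is not None and cap * len(pools) < 1:
        raise ValueError("cap too low to distribute all emissions")
    shares, remaining = {}, 1.0
    while pools:
        total = sum(pools.values())
        over = [p for p, v in pools.items()
                if cap is not None and remaining * v / total > cap + 1e-12]
        if not over:
            # Nobody exceeds the cap: split what is left by vote weight.
            shares.update({p: remaining * v / total for p, v in pools.items()})
            break
        # Pin over-cap pools at the cap; their excess flows to the rest.
        for p in over:
            shares[p] = cap
            remaining -= cap
            del pools[p]
    return shares

if __name__ == "__main__":
    approved = {"stable_pool", "eth_pool", "btc_pool"}
    for label, kw in [("votes only", {}), ("30% cap", {"cap": 0.3}),
                      ("allowlist", {"allowlist": approved})]:
        result = allocate(SAMPLE_VOTES, **kw)
        print(label, {p: round(s, 3) for p, s in result.items()})
```

With votes alone the single large voter's pool takes 60% of emissions; the cap pushes the excess to the other pools, and the allowlist removes the unapproved pool from the split entirely.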

Seizing the governance rights of a large amount of idle COMP in the Compound Treasury by force, seizing Compound

The above events took place in 2022. After two years of silence, Humpy launched another attack on another veteran of Decentralized Finance. This is the recent incident. This time, it has nothing to do with veBAL, but focuses on the governance rights corresponding to a large amount of idle COMP in Compound Treasury.

This time, he did not directly participate in the entire game, but manipulated it through a project (of course, it can also be called an organization) called Golden Boys. The project is actually a Meme with financial attributes. Its core product is an ERC-20 token called $GOLD. However, the project team has given its holders some expectations beyond cultural attributes. The introduction on the official website and blog emphasizes one point: the value of $GOLD is maintained by Humpy, a Whale with years of experience and a lot of financial and resource advantages. Holding $GOLD is like standing on the back of a Whale. But in fact, it does not have any structured financial management or income aggregation product design; it only allocates some liquidity incentives for pools of $GOLD and some mainstream tokens, some of which are directly issued $GOLD, and of course, there are also some BAL rewards. This is natural because of Humpy’s influence on Balancer: through the huge veBAL he owns, he allocates relatively high liquidity mining rewards (it is really a bit lamentable to study here that it is not easy to be possessed by a demon).


After preparing all this, a new Vault product was created, called goldCOMP Vault. In simple terms, users can stake their COMP in this Vault to transfer their governance rights to Golden Boys and receive a stake certificate called goldCOMP. This is a tradable certificate, and users can provide this certificate as Liquidity to the 99goldCOMP-1WETH pool on Balancer, where 99 and 1 represent the corresponding weights. This basically means that the trading slippage of goldCOMP is extremely low, with almost no Impermanent Loss.


After staking liquidity, you can receive GOLD’s liquidity incentive. Please note that the reward here is not BAL, but GOLD. This is natural because choosing GOLD as the incentive makes it easier for Golden Boys to control the pool’s interest rate, which is controlled by themselves anyway. The current interest rate level is 180%, but TVL is not yet high. However, what I am not sure about is when Balancer started to support third-party tokens as staking incentives and display them on the official website, because I haven’t followed up on the project’s progress for a while. If it is not an operation that can be publicly set by the official team, then I can only lament the helplessness of being robbed again!


After preparing these, Golden Boys launched the first proposal in May this year, which applied to transfer 5% of the COMP controlled by the Compound Treasury, that is 92,000 COMP, to Golden Boys’ multisig wallet, to stake it in the goldCOMP Vault through the multisig wallet, and to earn liquidity mining income, with a one-year lock-up. Of course, in this process, Golden Boys are aiming for the governance rights behind these tokens. Undoubtedly, this proposal was not passed, because the counterparty being interacted with is a bit rudimentary, with no actual business support, and the entire token allocation is based on the multisig wallet, which makes the possibility of human malice even greater. Therefore, it also caused widespread negative reactions in the community.


However, Humpy was not discouraged, and chose to confront the community members. He believes that as long as any use of these tokens by the multisig wallet is approved through the Compound timelock contract, these issues can be alleviated. Therefore, on July 20, he initiated the second proposal, with the same amount but an additional operation: by setting up a Trust Setup contract to achieve the above effect, supervision of the multisig wallet can be implemented. However, when I actually read the code of the contract, it simply set three states. When the Compound timelock modifies the status of the contract to allow investment, the multisig wallet can freely use these tokens. Of course, this proposal was also rejected, but it can be seen that the number of supporting votes clearly increased. This seems to give the illusion that the Golden Boys are constantly optimizing the proposals and gaining more and more agreement, until today, when the approval of the third proposal left everyone dumbfounded.


Note that there is a core difference in the proposal approved today. The amount of COMP applied for in this proposal is no longer 92,000, but an exaggerated 499,000. The community was very confident that it would easily defeat Humpy’s “conspiracy”, but the result was surprising. The proposal was passed with a slight advantage, and the supporting votes increased six times in just ten days, which was obviously unexpected by the community. It was also a well-planned operation by Humpy. If nothing unexpected happens, with the passage of this proposal, Humpy will actually become the owner of Compound, and will dominate any proposal. Considering that its current holdings are already enough to surpass its opponents, coupled with the newly acquired voting rights corresponding to 499,000 COMP, Compound will undoubtedly be taken over.


The impact of this incident is unprecedented. Any DeFi product needs to re-examine its governance model to prevent similar issues. I will continue to follow the next developments. I believe the Compound community will also rise up and fight. As for how the conflict will ultimately develop, it’s hard to say given the experience of Balancer.
