In-depth analysis of the details and purpose behind the Compound governance attack - Whales take over the old DeFi again

马里奥看Web3
4 months ago
In general, the governance attack that Compound encountered was an attempt by a DeFi whale to forcibly seize, through governance voting, the governance rights of the idle COMP tokens in the Compound Treasury, allowing it to fully control the Compound protocol.

Original author: @Web3 Mario (https://x.com/web3_mario)

With the end of last weekend's Bitcoin Conference, details of the relevant sessions continued to emerge, and they were basically not much different from my previous judgment: for example, Trump's strategy of using energy policy to please Bitcoin enthusiasts, and of exaggerating some changes in official attitudes, especially the so-called strategic reserve rhetoric, to highlight its value as a commodity. What I didn't expect was that his speech turned into a typical Trump-style campaign rally again. He likes to use opinions and information that have not been logically argued to attack his opponents, which inevitably leaves people waiting to see whether some of his promises are genuine. However, this matter is basically settled, so I turned my attention to other events and came across a very interesting piece of news: Compound suffered a governance attack. Because I worked in DeFi for a long time, I am very interested in this news. I studied the whole story behind it in depth and broke down the implementation details to share with you. In general, the governance attack that Compound encountered was an attempt by a DeFi whale to forcibly seize, through governance voting, the governance rights of the idle COMP tokens in the Compound Treasury, so that it could fully control the Compound protocol.

Humpy, the legendary whale that successfully seized Balancer, strikes again

In fact, this is not the first masterpiece of this legendary whale. Before this, the whale launched a governance attack on Balancer in the DeFi Summer era of 2022. By controlling a large number of BAL governance tokens and relying on Balancer's veBAL mechanism, it controlled most of the BAL incentive release to liquidity pools, thereby gaining control over Balancer. So far, Humpy has become the second largest holder of BAL tokens, second only to the official team.


Messari has a very interesting research report about this classic event. Interested readers can read it in detail. I don't know how many readers are familiar with Balancer's veBAL mechanism, so let me briefly review it here. It was DeFi Summer at that time, and product innovation centered on how to achieve growth by designing good tokenomics. Curve, a core stablecoin DEX at that time, took the lead in launching the veCRV mechanism as its own tokenomics and achieved considerable results. As a result, veToken became a popular design paradigm for the tokenomics of DEX products at that time.

Balancer, one of the star projects of the same type, happened to encounter an innovation bottleneck at the time, so it chose to follow suit and launched its own veBAL mechanism. The essence of this mechanism is to adjust the allocation of a competitive resource within the product through governance voting. This creates a wide range of vote-buying scenarios, brings benefits to those who participate in governance, stimulates the community's enthusiasm for taking part in building the product, and gives the governance token a suitable source of value. At that time, the market generally described this as "using governance to extract value".

In the DEX track, this competitive resource specifically refers to the liquidity incentive rewards, paid in governance tokens, that the project team allocates to the liquidity pools running on it. The proportion of rewards allocated to different liquidity pools is determined by governance voting. To obtain voting rights, you must lock your governance tokens for a long period of time, which reduces the circulating supply in the market and is conducive to the growth of market value. Whichever liquidity pool receives more votes is allocated more BAL incentives, so third-party projects can choose to use their tokens to bribe users with veBAL voting rights in order to stimulate liquidity growth for their own tokens. Of course, this process is generally implemented by special DApps. However, there is a hidden danger in the design of Balancer's veBAL that was discovered and exploited by Humpy.

We know that for a DEX, the core business model is transaction fees. To attract more traders to use its product, a DEX tries every means to increase its liquidity and attract users through a low-slippage trading experience. Therefore, the design of veBAL cannot be separated from this core goal, that is, to increase fees. However, the original design did not restrict the type of liquidity pool; the allocation depended only on the total number of votes obtained by the pool. This brought a problem: as long as a pool can obtain enough veBAL votes through some means, it can obtain a larger proportion of BAL liquidity incentives, even if the pool has no trading volume. This creates space for whales, so Humpy came.

Humpy's core attack idea is divided into two parts. First, it needs absolute control over the liquidity of a certain pool, so that it receives most of the rewards from liquidity mining. Second, it needs to obtain a huge number of votes for the pool it controls and thereby control most of the BAL incentive allocation. In this way, it can achieve control over the protocol. Therefore, its first step was to build positions in the tokens of projects with inactive trading but inflated market value, to reduce potential competitors. Next, it established a liquidity pool with a very high fee (1%) to reduce users' willingness to trade, which in turn reduces the willingness of potential LPs, who are attracted by fees, to participate. Through such means, it achieved absolute control over a certain liquidity pool. It then purchased a large number of BAL tokens on the secondary market, staked them to obtain veBAL, and voted for its own liquidity pool to obtain most of the BAL allocation. However, such incentive release does not make Balancer better, because it generates no additional fees; it only benefits Humpy. This is the so-called divergence between the interests of the whale and the long-term development direction of the project, which can only bring conflict.

In practice, the official Balancer team did not sit idly by, but countered Humpy's vampire attack through new proposals. For example, the scope of pools that can receive liquidity incentives was specified, expanding that scope requires an application approved by the official team, and an upper limit was set on the proportion of rewards that can be allocated to a single pool. After a series of confrontations, Balancer and Humpy finally reached a settlement, but judging from the results, it did not prevent Humpy from gradually achieving control over Balancer through these means, and the fact that he is the second largest holder is the most direct result. This also laid the groundwork for its recent attack on Compound.
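The allocation rule and the two countermeasures described above can be modelled in a few lines. This is an added example, not Balancer's code: the pool names, vote weights, fee figures and emission are constructed, and handing a capped pool's excess to the uncapped pools pro rata is an assumption, since the article does not say how the cap treats the excess.

```python
from fractions import Fraction

def allocate(votes, emission, allowlist=None, cap=None):
    """Split one epoch's emission across pools in proportion to gauge votes.

    allowlist: pools approved to receive incentives (None means any pool).
    cap: largest share of the emission one pool may receive (None means no cap).
    """
    eligible = {p: v for p, v in votes.items()
                if v > 0 and (allowlist is None or p in allowlist)}
    shares = {p: Fraction(0) for p in votes}
    remaining, capped = Fraction(1), set()
    while True:
        open_pools = {p: v for p, v in eligible.items() if p not in capped}
        if not open_pools:
            break  # every eligible pool is capped; the rest is not paid out
        total = sum(open_pools.values())
        over = [p for p, v in open_pools.items()
                if cap is not None and remaining * v / total > cap]
        if not over:
            for p, v in open_pools.items():
                shares[p] = remaining * v / total
            break
        for p in over:  # pin at the cap; the excess goes to the uncapped pools
            shares[p] = cap
            capped.add(p)
            remaining -= cap
    return {p: s * emission for p, s in shares.items()}

def fee_starved(alloc, fees, ratio=3):
    """Pools whose share of emissions exceeds `ratio` times their share of fees."""
    total_a, total_f = sum(alloc.values()), sum(fees.values())
    return sorted(p for p, a in alloc.items()
                  if a > 0 and a / total_a > ratio * Fraction(fees.get(p, 0), total_f))

# Constructed sample epoch: vote weights, fee revenue and emission are illustrative.
VOTES = {"whale_pool": 60, "stable_pool": 25, "eth_pool": 15}
FEES = {"whale_pool": 0, "stable_pool": 70, "eth_pool": 30}
EMISSION = 100_000
```

With votes alone deciding the split, the pool that earns no fees takes 60% of the emission; the cap limits it to 40% but it is still flagged, and only the allowlist removes it from the allocation.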

By forcibly seizing the governance rights of a large amount of idle COMP in Compound Treasury,

The above incident happened in 2022. After two years of silence, Humpy has set out to seize another old DeFi protocol, which is what happened recently. This time it has nothing to do with veBAL, but is aimed at the governance rights attached to the large amount of idle COMP in the Compound Treasury.

This time, it did not take part in the whole game directly, but operated by packaging a project called Golden Boys (of course, it can also be called an organization). The project is actually a meme with financial attributes. What does that mean? Its core product is an ERC-20 token called $GOLD. However, the project team has given its holders some expectations beyond cultural attributes. The official website and blog emphasize one point throughout: the value of $GOLD is maintained by Humpy, the giant whale, with many years of experience and a large advantage in capital and resources. Holding $GOLD is equivalent to standing on the back of a giant whale. But in fact, it does not offer any structured financial management or product designs such as yield aggregation. It only allocates some liquidity incentives for pools of $GOLD and some mainstream tokens. Some of these incentives are directly issued $GOLD, and of course some are BAL rewards. This is naturally because of Humpy's influence on Balancer: through the huge amount of veBAL he owns, he allocates relatively high liquidity mining rewards to these pools (it is really a bit difficult to be possessed after studying this).


After preparing all this, it created a new Vault product called goldCOMP Vault. Simply put, users can pledge their COMP into this Vault to transfer their governance rights to the Golden Boys and obtain a pledge certificate called goldCOMP, which is a tradable certificate. Users can provide this certificate as liquidity to the 99 goldCOMP-1 WETH liquidity pool in Balancer, where 99 and 1 are the corresponding weights, which basically means that the transaction slippage of goldCOMP is extremely low and there is basically no impermanent loss.


After staking liquidity, you can get $GOLD liquidity incentives. Note that the reward here is not BAL, but GOLD. This is naturally because choosing GOLD as an incentive is more conducive to the Golden Boys controlling the interest rate of the pool, anyway, it is all controlled by themselves. The current interest rate level is 180%, of course, the TVL is not high. But what I don’t know is when Balancer will support third-party tokens to be directly displayed as staking incentives on the official website. Because I haven’t followed up on the progress of the project for a while. If it is not an official operation that can be publicly set, I can only sigh again about the helplessness of being possessed!


After preparing all this, Golden Boys began to attack Compound's governance. It launched the first proposal in May this year. The proposal asked to transfer 5% of the COMP held in the Compound Treasury, that is, 92,000 COMP, to the Golden Boys multi-signature wallet, which would stake it in the goldCOMP Vault and earn liquidity mining income, locked for one year. Of course, what Golden Boys was really after in this process was the governance rights transferred along with these tokens. Unsurprisingly, the proposal was not passed, because the counterparty is really a bit rudimentary and has no actual business behind it, and everything that happens after the tokens are allocated is handled by the multi-signature wallet, which makes abuse by the people behind it more likely. Therefore, it met with widespread opposition in the community.


But Humpy was not discouraged, and chose to confront the community members. He believed that these problems could be alleviated as long as the Compound timelock contract had to approve the use of the tokens by any multi-signature wallet. Therefore, a second proposal was launched on July 20. The amount requested remained unchanged, but an additional operation was added to achieve the above effect by setting up a Trust Setup contract, thereby supervising the multi-signature wallet. However, I actually read the code of the contract, and it simply defines three states. Once the Compound timelock changes the state of the contract to allow investment, the multi-signature wallet can use these tokens at will. Of course, this proposal was also rejected, but the number of votes in favor had increased significantly. This seems to give people the illusion that the Golden Boys are really constantly optimizing the proposal and have gained more and more consent. Until today, when the passage of the third proposal stunned everyone.


Everyone should note that there is a core difference in the proposal that was passed today. The amount of COMP requested in this proposal is no longer 92,000, but an exaggerated 499,000. This time, the community was confident that it would easily defeat Humpy's conspiracy, but the result was shocking. The proposal passed by a slight margin, and the votes in support increased 6 times in just ten days, which the community obviously did not expect. This is obviously an operation carefully planned by Humpy. If nothing unexpected happens, with the passage of this proposal, Humpy will actually become the owner of Compound and dominate any proposal. Considering that its current token holdings are already enough to surpass its opponents, plus the voting rights corresponding to the newly acquired 499,000 COMP, Compound will undoubtedly be seized.


The impact of this incident is unprecedented. Any DeFi product needs to re-examine its governance model to prevent similar problems. I will continue to pay attention to the next developments. I believe that the Compound community will also rise up to fight. How the conflict will eventually develop is hard to say, given the previous experience of Balancer.
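One way a governance monitor could flag the pattern seen across the three proposals, as an added example that is not code from Compound or from the original article. The token requests, the ten-day gap and the sixfold rise in support follow the article and the treasury size is derived from its "5% is 92,000 COMP" figure; the day indexes, vote counts, thresholds and flag names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Proposal:
    day: int            # day index on which voting closed
    token_request: int  # governance tokens requested from the treasury
    votes_for: int
    votes_against: int

    @property
    def passed(self):
        return self.votes_for > self.votes_against

def review(history, treasury, max_bps=1000, surge=3, window_days=30):
    """Flag each proposal in one proposer's chronological series of treasury requests."""
    report = []
    for i, p in enumerate(history):
        flags = []
        if p.token_request * 10_000 > max_bps * treasury:
            flags.append("large_treasury_share")
        # Granted tokens carry votes: supporters plus the grant, compared with
        # the largest opposition turnout observed so far.
        if p.votes_for + p.token_request > max(q.votes_against for q in history[:i + 1]):
            flags.append("grant_outvotes_peak_opposition")
        if i > 0:
            prev = history[i - 1]
            if p.day - prev.day <= window_days and p.votes_for >= surge * prev.votes_for:
                flags.append("support_surge")
            if not prev.passed and p.token_request > prev.token_request:
                flags.append("escalated_after_rejection")
        report.append(flags)
    return report

TREASURY = 1_840_000  # derived from the article: 92,000 COMP is 5% of the treasury
# Requests, the 10-day gap and the sixfold rise in support follow the article;
# day indexes and vote counts are constructed for illustration.
HISTORY = [
    Proposal(day=0, token_request=92_000, votes_for=50_000, votes_against=400_000),
    Proposal(day=70, token_request=92_000, votes_for=110_000, votes_against=600_000),
    Proposal(day=80, token_request=499_000, votes_for=660_000, votes_against=650_000),
]
```

On this data the first two proposals raise no flags and the third raises all four, which is the point at which a review before the vote closes would be most useful.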

Original article, author: 马里奥看Web3. Reprint/Content Collaboration/For Reporting, please contact report@odaily.email; illegal reprinting must be punished by law.
