Introduction

As blockchain technology rapidly evolves, decentralized governance models have become the backbone of distributed networks. They offer community members equal opportunities to participate in decision-making, giving them a say in the future direction of protocols. However, this also leads to the increasing threat of governance attacks.

The recent attack on Compound exemplifies this risk. This article provides an in-depth look at how such attacks occur, their various forms, and the risks they present, as well as how we can address these challenges through both technical and community-level improvements.

What is Governance?

In the cryptocurrency space, governance refers to managing changes to blockchain protocols through voting. Typically, developers or community members propose changes, which token holders then vote on. If a proposal garners enough support and meets the quorum requirement, it gets implemented; otherwise, it is rejected.

Unlike traditional organizations that rely on centralized management, governance mechanisms are tied closely to the concept of Decentralized Autonomous Organizations (DAOs), which use smart contracts and governance tokens to promote broad community participation and autonomy.

How DAOs Differ from Traditional Organizations

What is a Governance Attack?

While governance mechanisms offer potential benefits for decentralization, they also have exploitable weaknesses.

For instance, voting power is directly linked to token holdings, enabling large holders, or “whales,” to propose changes that benefit them and manipulate voting outcomes. Additionally, any token holder can submit proposals, leading to an influx of low-quality or malicious suggestions. Furthermore, the complexity of governance proposals often discourages ordinary users from participating, allowing a small group to control decision-making.

Governance attacks take advantage of these vulnerabilities by manipulating decentralized protocols—attackers can acquire enough voting power or sway token holders to push through favourable proposals or even take control of the protocol. Such attacks have become increasingly common in the crypto space, posing serious threats to the security and stability of protocols.

Main Forms of Governance Attacks

Voting Manipulation
This is one of the most prevalent types of governance attacks, where attackers manipulate decisions by amassing a large number of governance tokens.

To carry out this attack, operators often buy up enough tokens in advance or may use flash loans to quickly gain significant voting power for specific decisions, only to repay the loans immediately afterwards.

When attackers secure over 50% of the voting power, they gain significant control, enabling them to bypass decentralized governance and implement changes unilaterally—like altering economic parameters at will or crippling the entire protocol.

This highly destructive form of attack allows for manipulation of governance without the need for long-term token holdings, often occurring when token prices are low and making it easier to acquire large amounts quickly.

Proposal Hijacking
Proposal hijacking is a deceptive method where attackers submit proposals that appear legitimate but contain hidden flaws harmful to the system. These proposals often aim to adjust economic parameters to favour the attackers, who then use their voting power to influence outcomes. Successful execution of this strategy requires attackers to have a thorough understanding of the protocol and sufficient community backing for their proposals to pass.

Although some proposals may seem designed to optimize the protocol, their implementation can lead to serious governance risks. By exploiting the trust within the governance system, attackers can circumvent standard safeguards, exposing the protocol to vulnerabilities and financial losses, and potentially leading to a complete breakdown of control. The $25 million governance attack on Compound serves as a notable example, where attackers submitted a seemingly benign proposal with the real goal of diverting protocol funds to accounts under their control.

Introduction to Compound Protocol

Project Overview
Compound is a groundbreaking DeFi protocol built on Ethereum, co-founded by Robert Leshner and Geoffrey Hayes in 2018. This protocol allows users to deposit cryptocurrencies to earn interest or to use assets as collateral to borrow other assets.

As a leading lending platform, Compound uses supply and demand algorithms to set interest rates, enabling users to seamlessly trade the time value of Ethereum assets. This has attracted significant investment and has greatly advanced the decentralized lending market, leading to its nickname as “the bank of the blockchain world.”

Compound Protocol Logo

Operational Principle of Compound Protocol
The role of the Compound protocol is to fill the funding gap between lenders with idle funds and borrowers with borrowing needs. First, depositors deposit their digital assets into the protocol’s asset pool, and borrowers can then borrow funds from this asset pool with a certain proportion of collateral.

For example, after a user collateralizes digital assets, they receive equivalent tokens as a deposit certificate, which can also be used for future redemption. Once depositors deposit their digital assets into Compound’s asset pool, they begin to earn interest, which accumulates based on the amount invested and is calculated and updated with each Ethereum block generated, so users’ overall returns increase with the generation of blocks.

Simplified Overview of How the Compound Protocol Works

Introduction to COMP Token

Token Functionality
COMP is the ERC-20 governance token created by Compound, serving as the protocol’s native cryptocurrency. It allows users to participate in the decentralized governance of Compound, giving token holders the ability to discuss, propose, and vote on protocol changes.

COMP tokens are distributed for free to users who interact with the Compound protocol through a “lend-to-mine” mechanism, meaning users earn COMP whenever they deposit or borrow. The more they borrow, the more COMP they receive.

During its issuance phase, 4,229,949 COMP tokens were locked in a smart contract designated as a “reserve,” distributing 0.5 COMP from each Ethereum block (about 2,880 COMP daily), with a complete distribution expected over four years. These tokens are allocated based on the interest generated by different lending markets (like ETH, and DAI), with half going to asset providers and half to borrowers, boosting market liquidity.

In terms of governance, holders of COMP tokens can participate by proposing ideas, voting, and adjusting protocol parameters, with voting power directly tied to the number of tokens held—more tokens mean greater influence.

Latest COMP Token Price

Token Decision-Making Process
The proposal and decision-making process for the Compound protocol involves several steps:

First, anyone holding less than 1% of the total COMP supply can submit a proposal. If it gains enough support and reaches a threshold of 100,000 delegated votes, it can become an official governance proposal (all proposals must be executable code).

Next, the voting period lasts about 3 days, during which COMP holders can vote.

If a proposal receives over 50% support and surpasses the minimum vote requirement, it passes.

Once approved, it goes into a 2-day Timelock contract delay to give the community time to respond.

Proposal Decision-Making Process of the Compound Protocol

Pros and Cons of the Compound Mechanism

Pros

1. Decentralized Governance

Compound has a fully decentralized governance model, putting decision-making power in the hands of many COMP holders. This includes important decisions related to lending, liquidation, and voting, ensuring that the protocol’s direction relies on community involvement rather than just the development team.

1. Strong User Engagement

The COMP token links user interests with the growth of Compound, encouraging most holders to also be active users. When COMP’s price increases, users benefit, leading to more active participation, which in turn drives up capital and COMP value, creating a positive feedback loop.

Cons

1. No Clear Accountability

Decentralized governance means there is no single responsible party. This can make it difficult to assign blame for poor decisions or misconduct, leading to uncertainty in governance.

1. Centralization of Governance Tokens

Large holders and teams own nearly 50% of COMP tokens, concentrating voting and decision-making power, which can undermine the fairness of decentralized governance and favor the interests of larger stakeholders.

1. Inefficient Decision-Making

In a fully decentralized system, every proposal requires community discussion and voting, which can be time-consuming and inefficient, leading to voter fatigue and reduced participation in governance.

The Rise and Fall of Compound Controversy

Key Controversy Event
On July 29, 2024, Compound passed Proposal 289, transferring 499,000 COMP tokens (worth around $25 million, or 5% of its treasury) to an unmonitored multisig address, raising significant community concerns.

The proposal intended to allocate these tokens over a year to the goldCOMP yield protocol controlled by the “Golden Boys” team, with accusations that its approval was manipulated by stakeholders behind “Golden Boys.”

Proposal Decision-Making Process of the Compound Protocol

Humpy, a prominent “whale” in the DeFi community, attempted to seize governance control of idle COMP tokens in the Compound treasury. Fortunately, despite initial approval of the proposal, after 48 hours of intense negotiation and community discussion, it was ultimately withdrawn, leading to a new yield redistribution plan that improved the protocol’s effectiveness and yielded returns for the community.

Timeline Overview: The Build-Up to the Controversy

• May 6
  Proposal 247 initially suggested “investing 5% of the treasury’s COMP (499,000 tokens) into goldCOMP,” designed by the Golden Boys team. It was canceled due to insufficient voter participation.

Screenshot of Proposal 247

• Mid-May
  OpenZeppelin, a security firm, warned in community forums that this proposal might be a governance attack, citing the proposer’s identity was unknown and it hadn’t been discussed with the community beforehand; the governance account Wintermute also expressed concerns about the proposal’s transparency.

• July 15
  Proposal 279 suggested “creating a trust for DAO investment in goldCOMP,” proposing to transfer 92,000 COMP tokens to the goldCOMP protocol for one year, but was canceled for failing to meet voting requirements.

Screenshot of Proposal 279

• July 24
  Proposal 289 reintroduced the idea of “investing 499,000 COMP tokens into goldCOMP for a year,” prompting ongoing concerns about potential governance attacks.

Public Discussion and Questions by Compound Community Members

• July 29
  Proposal 289 was approved with 682,000 votes for and 633,000 against. Due to the lack of public discussion and concerns over asset security, it triggered widespread controversy. Compound security advisor Michael Lewellen highlighted that multiple accounts had been observed buying COMP tokens to sway voting, suggesting some were exploiting the DAO governance for personal gain.

Screenshot of Proposal 289

• July 30
  Humpy was accused of using voting power to transfer $25 million worth of COMP tokens from Compound’s treasury to the goldCOMP-controlled treasury. Subsequently, the governance token issued by the Golden Boys community, GOLD, doubled in price, increasing by over 46%.

Final Resolution: Achieving Settlement
The controversy has settled, with Compound settling with Humpy. Specifically, Humpy will forgo claims to the COMP tokens involved in the proposal; in exchange, Compound will allocate 30% of its new annual revenue to COMP token holders, while these earnings were previously controlled by the team.

The success of the attack operation caused related tokens from “Golden Boys” to surge in price, and COMP tokens officially became a “yield bearing asset.” However, the proposal did not provide any real benefits to the Compound protocol and weakened its control over certain reserves, leading it to be classified as a governance attack. Humpy, through this governance struggle, ultimately prompted reforms within the Compound protocol.

Humpy’s Statement on Social Media After the Incident

Multidimensional Risks of Governance Attacks

Governance attacks present a range of risks that can be categorized into short-term and long-term concerns, outlined as follows:

Short-Term Threats

a. Risk to Protocol Security

The immediate effect of governance attacks poses a significant threat to the security of the protocol’s funds, especially in proposals related to fund allocation. Attackers may submit harmful proposals or manipulate voting processes, introducing vulnerabilities to the protocol, altering smart contract code, or even causing system outages or asset freezes. This undermines market confidence and places enormous pressure on both users and developers.

b. Depreciation of User Assets

Another quick consequence is the sharp decline in token prices, resulting in rapid depreciation of user assets. When the market realizes that the protocol’s governance structure is under attack, panic selling often ensues, causing significant market fluctuations and impacting the value of user assets. For instance, during the recent Compound token transfer incident, the price of COMP fell nearly 30% in a week, from $53.6 to $37.9. Additionally, some attackers may directly manipulate smart contracts, leading to the loss or misappropriation of user funds, resulting in considerable economic damage.

COMP Token Price Drops 30% in Just One Week

Long-Term Damage

a. Erosion of Platform Reputation

Governance attacks can cause not just immediate asset losses but, more critically, can damage user and community trust in the protocol, threatening its long-term viability and growth. The success of decentralized protocols depends on user trust and broad participation; if manipulation occurs, users and investors may question the protocol’s fairness and transparency, leading to decreased engagement or withdrawal of investments, ultimately harming the protocol’s standing in the market and creating lasting negative effects on its future.

b. Threat to DeFi Ecosystem Stability

On a deeper level, a successful governance attack reveals weaknesses in the protocol’s governance structure and design, raising concerns about its long-term security and reliability. If not effectively addressed, it may lead to more similar attacks, challenging the credibility of related protocols within the broader DeFi ecosystem. Moreover, frequent governance attacks could prompt regulators to tighten scrutiny and intervention, heightening compliance and operational risks. If this creates community distrust in the governance model’s effectiveness, it could further undermine the overall stability of the ecosystem and pose ongoing threats to project development.

Strategies to Combat Governance Attacks

Although Humpy’s actions complied with community rules, this incident highlighted significant issues within decentralized DAO governance: individual users can manipulate votes for personal gain, emphasizing the need for stronger governance strategies to prevent such abuses.

To that end, the following strategies are proposed as potential measures to mitigate the risks of governance attacks.

Technical Safeguards

Enhance Governance Mechanisms: Implement multi-signature and delayed execution mechanisms to prevent harmful proposals from being enacted without thorough vetting. Additionally, perform regular audits and security checks on smart contracts to identify and resolve vulnerabilities in governance processes.

Voting Decay Mechanism: Introduce a mechanism that reduces the weight of votes cast at the last moment, preventing sudden shifts in outcomes and ensuring a fair governance process; or implement a time-lock feature that prevents newly acquired tokens from being used for voting for a specified period.

Veto Power for Community Members: Give certain community members the authority to veto proposals, allowing sufficient time for community responses to malicious proposals.

Community-Level Improvements

Enhance Governance Transparency: The community should increase the transparency of information sharing to limit opportunities for manipulation and help members understand proposal details and implications, encouraging greater participation and enhancing community oversight.

Streamline Decision-Making Processes: Adopt a time-weighting approach to prevent last-minute voting manipulation. Additionally, establish a governance committee or arbitration body to review major proposals before their approval, ensuring their fairness and reasonableness.

Conclusion

The prevalence of governance attack incidents illustrates the challenges faced by decentralized organizations in their pursuit of democratization. While the ideal of self-governance grants community members equal rights, this openness also makes decentralized governance mechanisms vulnerable to malicious attacks.

To address these governance attacks, developing comprehensive preventive measures—such as implementing multi-signature and voting decay mechanisms—is essential. However, improving governance structures is not a quick fix; it requires ongoing exploration and innovation by protocol developers, community members, and the entire blockchain ecosystem to foster the long-term healthy development of the blockchain world.