What is Governance Attack: An Analysis Based on Compound

Preface

In the current rapid development of Blockchain technology, the Decentralization governance model, as the core mechanism of the distributed network, provides community members with equal opportunities for participation and decision-making, empowering them with influence over the future of the protocol, but also making governance attacks an increasingly common security threat.

The recent Compound governance attack is a typical case of such attacks. This article provides an in-depth analysis of its occurrence mechanism, attack forms, the multiple risks it brings, and discusses how to address similar challenges through technical and community-level improvement measures.

What is governance?

In the encryption industry, governance refers to the behavior of implementing modifications to the blockchain protocol through voting management. During the governance process, proposals are usually put forward by developers or community members, and then voted on and decided upon by Tokenholders based on the proposal content. Finally, if the proposal receives sufficient support and meets the quorum requirement, the relevant changes will take effect; otherwise, the proposal will be rejected.

Unlike traditional organizations that rely on centralized management structures, governance mechanisms are closely related to the concept of Decentralized Autonomous Organizations (DAO), which achieve decentralized management through smart contracts and governance tokens to facilitate broad participation and self-governance of community members.

Figure 1: DAO is different from traditional organizations

What is a governance attack?

Although the above governance mechanisms have the potential benefits for the future of Decentralization, there are also some easily abused flaws,

First, because the voting weight is directly related to the amount of Token held, a 'Whale' holding a large amount of Token can propose and manipulate the voting results in their favor; in addition, any member holding a sufficient amount of Token has the right to submit a proposal, which may lead to a large number of low-quality or even malicious proposals; furthermore, governance proposals usually involve complex technology, resulting in low participation of ordinary users, making it easier for a few people to control the direction of decision-making.

And governance attacks, which exploit these vulnerabilities to manipulate the Decentralizationprotocol's attack behavior - attackers gain enough voting power or manipulate the voting behavior of holders to forcefully promote proposals that benefit themselves, or even seize control of the protocol. In recent years, this type of attack has been frequently seen in multiple Cryptocurrency projects, posing a serious threat to the security and stability of the protocol.

The main way to govern attacks

a. Vote Manipulation

One of the most common forms of governance attack is when an attacker manipulates the governance decisions of a protocol by holding a large amount of governance tokens.

The operator who carries out this attack usually buys a sufficient number of Tokens in advance, and may even borrow a large number of Tokens within a Block through flash loans to quickly obtain voting rights or make specific decisions, and then immediately repay the loan after the transaction is completed.

Once an attacker controls an absolute decision-making advantage by controlling more than 50% of the voting power, the attacker can bypass the design framework of decentralized governance and directly exercise centralized control over the protocol through any proposal without the support of other participants, such as arbitrarily changing the economic parameters of the protocol, or even causing the entire protocol to become paralyzed. This is a highly destructive form of governance attack.

This strategy does not require attackers to hold a large number of tokens for a long time, but uses high voting power in a short period of time to manipulate governance. It is important to be aware that this type of attack often occurs when token prices are low, when acquiring a large number of tokens is cost-effective and easier to implement.

b. Hijacking proposal

Proposal hijacking is a deceptive attack method, in which the attacker submits a seemingly reasonable proposal, but actually conceals harmful vulnerabilities to the system, or proposes adjusting economic parameters to maximize their own interests, and then uses their voting power to influence decision-making. The core of such operation lies in that the attacker not only needs a deep understanding of the protocol, but also needs to gain sufficient community support to ensure the smooth passage of the proposal.

Although some proposals may seem to optimize the protocol, once implemented, they can pose a significant threat to the organization's governance. Attackers cleverly exploit the trust mechanism of the governance system, bypassing conventional defense measures, which may expose the protocol to security vulnerabilities and economic losses, and even face the risk of complete loss of control. The 25 million dollar governance attack suffered by Compound mentioned in this article is a typical example of this type of attack, where the attacker submits a seemingly normal proposal, but the actual purpose is to transfer protocol funds to an account under their actual control.

Introduction to Compound Protocol

Project Basic Information

Compound is a groundbreaking Decentralized Finance protocol based on Ethereum, co-founded by Robert Leshner and Geoffrey Hayes in 2018. The protocol allows users to earn interest by depositing encryption assets or borrow other assets by collateralizing their assets.[1]

As a leading world-class lending platform, Compound sets Intrerest Rate based on supply and demand Algorithm, allowing users to exchange the time value of Ethereum assets without friction, attracting a large amount of user funds and greatly promoting the development of the Decentralization lending market, known as the "bank of the blockchain world".

Figure 2: CompoundprotocolLOGO

How Compound protocol works

The role of Compound protocol is to fill the funding gap between lenders with idle funds and borrowers with borrowing needs. Depositors first deposit their digital assets into the protocol's asset pool, and borrowers then borrow funds from the pool by collateralizing a certain proportion.

For example, users will receive equivalent tokens as deposit certificates after pledging digital assets, and these certificates can be used for future redemption. Once the depositor deposits their digital assets into Compound's asset pool, they will start earning interest. The interest is accumulated based on the amount invested and is calculated and updated every ETH block generation, so the overall earnings of users will continue to increase with the generation of blocks.

Figure 3: Operation demonstration of Compoundprotocol

Introduction to COMP Token

Token function

COMP is the ERC-20 governance Token launched by Compound, and also the native Cryptocurrency of the protocol, enabling users to govern the Compound protocol in a decentralized manner, while holders have the right to discuss, propose, and vote on changes to the protocol.【2】

In the distribution of Tokens, COMP Tokens are distributed for free to users of the Compound protocol through the mechanism of "Borrowing is Mining". Every time users interact with the protocol (depositing or borrowing), they will receive COMP Tokens, and the larger the borrowing amount, the more COMP they will receive.

During the protocolissuance phase, 4,229,949 COMP Tokens are locked in a 'reservoir' Smart Contract, and 0.5 COMP (approximately 2880 COMP per day) are released per ETH block, expected to be distributed over 4 years. These Tokens are allocated based on the Interest generated by each lending market (such as ETH, DAI, etc.), with 50% allocated to asset providers and 50% allocated to borrowers, in order to enhance market Liquidity.

In terms of governance, COMP Token holders have the right to participate in the governance of the protocol, including proposing proposals, voting, and adjusting protocol parameters, and the voting weight is directly linked to the amount of tokens held—the more COMP held, the greater the user's influence in voting.

Figure 4: Latest COMP Token Price

Token decision mechanism

The proposal and decision implementation of the Compound protocol usually follow the following processes:

First of all, autonomous proposals allow anyone with less than 1% of the total COMP to deploy a proposal; if the proposal receives sufficient support and reaches the threshold of 100,000 delegated votes, it can be transformed into a formal governance proposal (all proposals must be submitted as executable code);

Next, the voting period usually lasts for 3 days, during which users holding COMP tokens can vote on proposals;

If the proposal receives more than 50% support and exceeds the minimum threshold, the proposal is considered passed;

After the proposal is passed, it will enter a 2-day Timelock contract latency execution phase to ensure that the community has enough time to react.

Figure 5: Compound protocol proposal decision process

Pros and cons of the Compound mechanism

I. Advantages:

1. Decentralization Governance

Compound has achieved full Decentralization governance, placing governance power in the hands of thousands of COMP holders, including decisions on borrowing, liquidation, and voting, ensuring that the protocol's decisions do not depend on the development team, but are jointly participated in and decided by the community.

2. User binds with protocolDepth

The COMP token closely integrates user benefits with the development of Compound, and the collateral mechanism makes most holders also users. When the COMP price pumps, users benefit and become more actively involved, promoting the expansion of funds and the increase in COMP value, forming a virtuous cycle.

II. Disadvantages

1. No specific person responsible

Decentralized governance means that there is no single person responsible, making it difficult to vesting responsibility for decision-making errors or illegal behavior, leading to potential liability dispersion and governance uncertainty.

2. Centralization of governance tokens

Large Investors and the team hold nearly 50% of COMP tokens, leading to a high concentration of voting and decision-making power, which may weaken the fairness of Decentralization governance and lead to decisions that favor the interests of Large Investors.

3. Low decision-making efficiency

Under the governance model of complete Decentralization, each proposal needs to go through community discussion and voting for decision-making, which takes a long time and is inefficient, and may lead to holder fatigue, no longer actively participating in the governance process.

The ins and outs of the Compound storm

Core Controversial Event

On July 29, 2024, the well-known lending protocol Compound passed Proposal 289, transferring 499,000 COMP tokens (worth about $25 million, accounting for 5% of Compound's treasury funds) to an unknown and unmonitored multi-sig Address, which has caused widespread questioning within the community.

According to the proposal, this batch of COMP tokens will be distributed within a year to the income protocolgoldCOMP controlled by the 'Golden Boys' team. The controversy lies in the accusation by community members that the approval of this proposal was manipulated by vested interests behind the 'Golden Boys'.

Figure 6: GoldCOMP User Interface

The main manipulator of this attack, Humpy, a well-known 'Whale' large Token holder in the Decentralized Finance community, attempted to take control of the idle COMPToken governance rights in the Compound Treasury attack. Fortunately, although this proposal was approved in the initial voting stage, after 48 hours of intense negotiations and community discussions, the proposal was eventually revoked and a new revenue redistribution plan was announced, ultimately helping the community develop a more effective protocol and bringing returns to the community.

Timeline Review: Brewing Behind the Storm

• May 6th: Proposal 247 first proposed to "invest 5% of the Treasury's COMP (499,000 Tokens) in goldCOMPprotocol", designed by the Golden Boys team. Due to the number of voters not reaching the statutory number, the proposal was canceled. [3]

Figure 7: Screenshot of Proposal 247

• Mid-May: Security company OpenZeppelin has warned on the community forum that this proposal may be a governance attack, with the identity of the proposer unknown and not previously discussed in the community; Governance account; Wintermute also expressed opposition, questioning the transparency and legality of the proposal.

• July 15th: Proposal 279 once again proposed the establishment of a trust for DAO investment in goldCOMP, suggesting the transfer of 92,000 COMP tokens to the goldCOMP protocol for one year. The proposal was also canceled due to not reaching the required number of votes.

Figure 8: Screenshot of Proposal 279

• July 24th: Proposal 289 re-proposes the content of 'investing 499,000 COMP tokens in the goldCOMP protocol for a period of one year', which has raised concerns among Compound security advisors and community members about the potential for governance attacks.

Figure 9: Compound community members openly discuss and question

• July 29th: Proposal 289 was approved with 682,000 votes in favor and 633,000 votes against. The proposal sparked extensive controversy due to the lack of public discussion and the potential risk to asset security. Compound security advisor Michael Lewellen pointed out that multiple accounts were heavily buying COMP tokens in the market and manipulating the voting direction, raising suspicions that certain users were exploiting the DAO governance process for personal gain.

Figure 10: Proposal screenshot 289

• July 30: WhaleHumpy was accused of using voting power to transfer COMPTokens worth $25 million from Compound's vault to the vault controlled by the goldCOMP protocol. As a result, the governance token GOLD issued by the Golden Boys community doubled in price, rising more than 46%.

Final processing result: reached a settlement

Currently, the dispute has been settled, and the Compound community has also reached a reconciliation protocol with Humpy. The specific content is: Humpy will give up the COMP token requirement mentioned in the previous proposal; in exchange, Compound protocol will allocate 30% of the annual additional total revenue to COMP token holders, whereas previously these revenues were controlled by the team as market reserves.

Due to the successful attack operation, the price of the "Golden Boys" related Token quickly pumped, and at the same time COMPToken officially transformed into a "yield-type asset". However, considering that this proposal did not bring any substantial benefits to Compoundprotocol, but instead weakened its control over some reserve assets, it was deemed as a governance attack. Humpy, on the other hand, promoted the transformation of Compoundprotocol in this governance game.

Figure 11: After the incident, Humpy spoke out on social media [4]

Multidimensional Risks of Governance Attack

The panorama of risks brought by governance attacks includes two dimensions: short-term and long-term, summarized as follows:

I. Short-term Threats

a. Endangering protocol安全

The direct impact of governance attacks is to threaten the security of the protocol's funds, especially in proposals involving fund allocation. Attackers of this type often introduce harmful vulnerabilities to the protocol by submitting malicious proposals or manipulating the voting process, tampering with Smart Contract code, and even causing system paralysis or asset freezes, damaging market confidence and creating immense pressure on users and developers.

b. User asset depreciation

Another immediate consequence is the big dump of Token prices, which leads to the rapid depreciation of user assets. When the market realizes that the governance structure of the protocol has been attacked, investors often panic and dump the Token, causing a significant fluctuation in market prices and affecting the value of user assets. For example, in the recent Compound Token transfer incident, the price of COMP fell nearly 30% in seven days, from $53.6 to $37.9. In addition, some attackers may even directly manipulate the Smart Contract, causing users' funds to be transferred or lost, resulting in huge economic losses.

Figure 12: COMP token price big dump 30% in a week

II. Long-term damage

a. Depth destroys platform reputation

Governance attacks not only result in short-term asset losses, but more importantly, they undermine users' and communities' trust in the protocol, threatening the protocol's long-term survival and development. The success of Decentralization protocol depends on users' trust and broad participation. Once there is manipulative behavior, users and investors will doubt the fairness and transparency of the protocol, which may reduce their activities on the platform or withdraw their investments, causing the protocol's market position to decline and forming a persistent negative impact on its future development.

B. Threatens the stability of the Decentralized Finance ecosystem

From a deeper perspective, a successful governance attack exposes the inherent flaws in the governance structure and mechanism design of the protocol, revealing potential shortcomings in its long-term security and reliability. Without effective prevention, it may lead to more similar attacks in the future, questioning the position of the related protocol in the entire Decentralized Finance ecosystem. In addition, frequent governance attacks will prompt regulatory agencies to strengthen scrutiny and intervention, further increasing compliance and operational risks. Once this risk triggers a community's distrust in the effectiveness of its governance model, it will weaken the stability of the entire ecosystem and pose a persistent threat to the long-term development of the project.

Strategies to Counter Governance Attacks

Despite WhaleHumpy's behavior complying with community rules, the incident still exposed the underlying issues in DecentralizationDAO governance: individual users can improperly profit by manipulating votes, emphasizing the importance of establishing more robust governance strategies to prevent abuse.

To this end, this article provides the following strategies as a reference for intervening in such governance attack risks.

1. Technical Prevention:

Improve governance mechanisms: adopt multi-signature and latency execution mechanisms to prevent malicious proposals from taking effect rapidly without sufficient review and discussion; in addition, conduct smart contract audits and security reviews to promptly identify and fix potential vulnerabilities in governance mechanisms.

Voting Decay Mechanism: Introducing a voting decay mechanism to limit the weight of votes cast at the last minute, prevent sudden reversals of results, and ensure the fairness of the governance process; or introducing a time lock mechanism to prevent newly purchased tokens from being used for voting for a period of time.

Introduction of Veto Power: Granting specific community members the power to veto proposals, giving the community enough time to react and respond to malicious proposals.

2. Community-level improvement measures:

Improve governance transparency: The community should enhance the openness and transparency of information disclosure, reduce the opportunity for malicious manipulation, help community members fully understand the content and impact of proposals, increase the enthusiasm of members to participate, and enhance the community's supervisory capabilities.

Optimize the decision-making process: adopt a time-weighting mechanism to prevent last-minute vote manipulation. At the same time, a "governance committee" or "arbitration body" can be established to review major proposals before they are approved, ensuring the fairness and reasonableness of the proposal, 01928374656574839201.

Conclusion

The frequent occurrence of governance attacks reveals the challenges faced by Decentralization organizations in the process of pursuing democratization. Although the idealized autonomous mode endows community members with equal management rights, its openness also makes the Decentralization governance mechanism an easy target for malicious attacks.

In response to these governance attacks, developing more comprehensive preventive measures has become an important task for Decentralized Autonomous Organizations, such as the introduction of mechanisms like Multi-signature and voting decay. However, the improvement of governance structures is not an overnight process and requires continuous exploration and innovation from protocol developers, community members, and the entire blockchain ecosystem to promote the long-term healthy development of the future blockchain world.

Reference

1.https://decrypt.co/resources/compound-defi-ethereum-explained-guide-how-to 2. https://coinmarketcap.com/currencies/compound/ 3. https://compound.finance/governance/proposals 4.https://x.com/Titanium_32