The Compound Finance Governance Attack: A Recap and Its Implications

1. Introduction

The DeFi (Decentralized Finance) ecosystem is facing new challenges alongside its rapid growth. Compound Finance, which emerged in 2018, gained significant attention as a pioneer of the DeFi revolution by innovatively providing cryptocurrency lending and deposit services. However, after the initial explosive growth, Compound and many other DeFi projects faced issues such as token value depreciation and governance vulnerabilities.

Against this backdrop, in 2024, a group of investors known as "Humpy" initiated a series of aggressive proposals targeting Compound Finance's governance, marking the beginning of the 'Compound Finance War'. This incident starkly revealed how vulnerable DeFi project governance structures can be and how large token holders can manipulate the system for their own benefit.

This article will examine in detail this event, which became a crucial turning point in the DeFi ecosystem, from the emergence of Compound Finance to Humpy's governance attack attempts and the community's response and outcomes. Furthermore, we will explore the challenges faced by DeFi projects and the direction they should take moving forward.

2. The Emergence of Compound Finance and the COMP Token

In 2018, Compound Finance entered the DeFi ecosystem. Compound Finance was a platform allowing users to deposit and borrow cryptocurrencies, presenting a new service model that overcame the limitations of the existing financial system.

Key features of Compound Finance included an algorithm-based interest rate adjustment mechanism, support for various cryptocurrency assets, and immediate borrowing and repayment functions. These features caught the attention of DeFi ecosystem participants, and Compound Finance quickly rose to become a major protocol in the DeFi sector.

Compound Finance attracted attention from the early stages by securing investments from famous venture capitals. In May 2018, Compound Finance raised $8 million in seed investment from Bain Capital Ventures, Andreessen Horowitz, Polychain Capital, Coinbase Ventures, and others. Subsequently, in November 2019, they successfully completed a Series A investment of $25 million with participation from Andreessen Horowitz, Paradigm, Bain Capital Ventures, Polychain Capital, and others. These large-scale investments created a buzz in the cryptocurrency community and further amplified interest in Compound Finance.

In June 2020, Compound Finance grew further by launching COMP, its governance token. The launch of the COMP token attracted the attention of many users, who began depositing assets on the Compound Finance platform to acquire COMP tokens. As the so-called "yield farming" trend took off, Compound Finance's Total Value Locked (TVL) increased rapidly. The TVL, which was about $100 million right after the COMP token launch in June 2020, surpassed $1 billion in just a month, showing remarkable growth.

Along with this, the value of the COMP token also increased significantly. The COMP token price, which was around $30 right after launch, exceeded $250 in August 2020, proving the success of the Compound Finance project. This rapid growth played a decisive role in establishing Compound Finance as a core protocol in the DeFi ecosystem.

2.1. COMP Token Price Decline and Compound Finance's Growth Stagnation

The decline in COMP token value clearly revealed the limitations of the early DeFi token economy. Compound Finance provided excessive COMP token incentives without creating substantial demand for the token, which eventually led to a decline in token price. Initially, many users were attracted by high incentives, but a significant number of them showed short-term speculative tendencies, selling immediately when the price rose after acquiring tokens. This behavior acted as a factor accelerating the decline in COMP token price.

The decline in COMP token price led to a decrease in the real value of incentives, which resulted in weakening Compound Finance's competitiveness. As competition in the DeFi market intensified, users began to move to new protocols offering higher incentives, reducing Compound Finance's liquidity and user base. Subsequently, as the growth of the DeFi sector, which had shown explosive growth initially, slowed down, Compound Finance also showed signs of stagnation in this trend.

3. The veBAL War and Humpy

In 2022, the "veBAL (vote-escrowed BAL) war" that occurred in the Balancer protocol vividly demonstrated the complexity and vulnerabilities of DeFi governance. veBAL is Balancer's governance token, which users can obtain by locking up 80BAL/20WETH Balancer Pool Tokens (BPT). veBAL holders have the authority to allocate BAL token emissions to liquidity providers or themselves, and they can gain governance rights and a portion of protocol revenues.

A large veBAL holder called "Humpy" employed a strategy to maximize his benefits by utilizing this system. He controlled about 35% of veBAL and used this to concentrate BAL token rewards on pools with low trading volume. In particular, in the CREAM/WETH pool, Humpy acquired about $1.8 million worth of BAL tokens over 6 weeks, but the revenue this pool provided to Balancer was only $17,846.47.

The Balancer community took several defensive measures to prevent such actions. For example, they introduced emission caps for pools with low revenue and small market capitalization. However, Humpy continued to seek new strategies and eventually utilized a liquidity locking mechanism called tetuBAL.

3.1. Attack Strategy Using Tetu

Tetu is a veBAL liquid locker operating on the Polygon chain, taking a very aggressive approach by permanently locking assets deposited by users in Balancer's veBAL contract. Tetu issues tokens called tetuBAL to users and creates an 80BAL/20ETH/TetuBAL pool on Balancer, providing the only way for tetuBAL users to liquidate their positions.

Humpy discovered a loophole related to the tetuBAL pool in Balancer's Gauge framework. The Gauge framework sets reward caps based on the total value locked (TVL) of each pool, usually limiting additional rewards if a pool's TVL exceeds a certain percentage of the total Balancer protocol TVL. Since tetuBAL is a freely issuable token, Balancer calculated tetuBAL's market cap as equal to Tetu's own market cap, which resulted in the tetuBAL pool being excluded from the gauge emission cap application.

On October 19, 2022, Humpy put his Tetu strategy into action. He began large-scale deposits into the veBAL/tetuBAL stableswap pool, increasing the pool's TVL from about $80,000 to $8.8 million overnight. Soon after, BAL inflation rewards poured into the 80BAL/20WETH/TetuBAL pool. Although a gauge emission cap mechanism was introduced to prevent a single pool from monopolizing excessive rewards, the tetuBAL pool's actual TVL became very high without the gauge emission cap being applied because tetuBAL's market cap was calculated as equal to Tetu's market cap. As a result, Humpy was able to receive high BAL rewards using Tetu.

However, there was an important point that Humpy failed to realize. The Tetu community had created a special device called a "looper contract" for this pool.

The looper contract developed by the Tetu community is a kind of automated compound strategy. This contract automatically executes the following cycle:

1. First, it increases the lock amount of the 80BAL/20WETH/TetuBAL position. This has the effect of increasing the pool's liquidity while securing veBAL voting rights.
2. Next, it converts this position to tetuBAL. In this process, 80BAL/20WETH is converted to tetuBAL, which acts as a proxy token for veBAL within the Tetu protocol.
3. Finally, it re-deposits the converted tetuBAL back into the pool. At this stage, liquidity returns to the pool, but now its composition has changed.

As this cycle repeated, the pool's composition changed dramatically. As a result, the proportion of 80BAL/20WETH BPT in the total liquidity dropped to 8%, while tetuBAL accounted for over 90%. This is a significant deviation from the normal pool composition, indicating a serious imbalance. This situation posed a significant risk to tetuBAL holders and Humpy, potentially preventing them from withdrawing assets due to lack of liquidity by threatening the peg stability between tetuBAL and veBAL.

An even more serious problem is Tetu protocol's automatic re-locking mechanism. Tetu is designed to automatically re-lock veBAL, making the 80BAL/20ETH/tetuBAL pool the only exit for tetuBAL holders to liquidate their positions. The fact that Humpy accounts for about 80% of this pool's total liquidity means that his investment of over $8 million is essentially trapped in the form of illiquid tetuBAL. This is also an example of liquidity risk for large positions.

In this situation, Humpy faced two choices:

1. Use tetuBAL as an illiquid veBAL position and wait for new liquidity
2. Continue to acquire gauge rewards from the Pool using illiquid LP investments

During this process, Humpy opposed several proposals in Balancer governance or supported proposals favorable to him.

In response, Balancer stakeholders and Aura (a major veBAL holder) allied to try to limit Humpy's influence.

Eventually, this conflict was resolved on December 1, 2022, with a "peace treaty" proposal. According to this treaty, Humpy agreed to maintain 17.5% voting rights for the tetuBAL pool but vote in alignment with Balancer's interests for other pools.

This incident was an important case showing how vulnerable the governance structure of DeFi protocols can be, and how large token holders can manipulate the system for their own benefit. It also provided important lessons on how DeFi protocols should maintain a balance between long-term growth and short-term profits.

4. The Compound Finance War and Golden Boys (Humpy)

In 2024, after the veBAL war in the Balancer protocol in December 2022, Humpy targeted Compound Finance, one of the core protocols in the DeFi ecosystem. He mainly tried to exploit vulnerabilities in the protocol through Compound Finance's governance, and the cases are as follows:

4.1. Proposal 247: Treasury to Invest 5% of COMP holdings into goldCOMP Vault

In May 2024, Golden Boys (a private investment group including Humpy) submitted "Proposal 247: Treasury to Invest 5% of COMP holdings into goldCOMP Vault". The key points of this proposal were:

• Invest 5% of COMP tokens held by the Compound treasury into the goldCOMP Vault developed by Golden Boys
• Aim to increase COMP token value and boost protocol revenue through this

This proposal was a subtle attempt to exploit vulnerabilities in DeFi governance. It can be seen as an attempt to partially seize control of the protocol's funds by trying to transfer large-scale funds to a Vault controlled by an external entity.

However, this proposal faced strong opposition from the community.

• Suddenness of the proposal: An important proposal for protocol operation appeared suddenly without prior discussion
• Lack of transparency: Lack of information about the identity of the Golden Boys group and the detailed mechanisms of the goldCOMP Vault
• Governance risk: The possibility that a large amount of COMP tokens could be controlled by an external entity

As a result, this proposal was cancelled as it failed to reach a quorum.

4.2. Proposal 279: Trust Setup for DAO investment into GoldCOMP

After the failure of the first attempt, on July 20, Golden Boys submitted "Proposal 279: Trust Setup for DAO investment into GoldCOMP", adding content about introducing a new framework called TrustSetup.

The introduction of the TrustSetup framework appears to be an attempt to increase safety and transparency compared to the first proposal, which moved to an external Vault and utilized Golden Boys' multisig.

• Presented a more concrete investment structure
• Added risk management measures
• Detailed the profit distribution mechanism

While it seemed more transparent and secure on the surface, the essential purpose of transferring the protocol's funds externally remained unchanged, and as a result, it faced strong criticism from industry key figures and the community.

• A structure where withdrawals are only possible by GoldenBoyzMultisig
• The point that the DAO cannot recover funds on its own
• The point of delegating COMP's governance authority to GoldenBoyz

As a result, this proposal was also rejected due to many opposing votes

1) Wintermute Governance: "This proposal ignores healthy governance procedures. It's dangerous to go straight to on-chain voting without sufficient community discussion," criticizing the unhealthy proposal method that doesn't utilize the forum for discussion.

2) Michael Lewellen (OpenZeppelin): "This could potentially be a governance attack. Recent patterns of large-scale COMP token delegations have been observed, which is suspicious behavior," raising concerns about the possibility of a governance attack.

1. Abnormal COMP token delegation patterns: Lewellen reported that multiple new COMP delegations occurred from the ByBit exchange hot wallet between April 29 and May 2, 2024.
   • Five addresses showed the same withdrawal pattern and delegated COMP.
   • The total delegation amount of these five addresses reaches 230,333 COMP.
   • This is more than half of the 400,000 COMP quorum required for proposal passage.
2. Potential for governance attack:
   • The timing of the proposer of Proposal 247 (0x36cc) receiving 95,000 COMP delegations coincides with this abnormal delegation pattern.
   • If all these accounts are related, they would control a total of 325,333 COMP, which is only 74,667 COMP short of the quorum.
3. Lack of transparency:
   • Proposal 247 was suddenly submitted without prior forum discussion.
   • The proposer did not identify themselves to the community in advance.
4. Suspicious proposal content:
   • The proposal attempted to transfer 5% of the COMP treasury to a multisig wallet controlled by "Golden Boys".
   • It claimed this fund would be invested in the goldCOMP DeFi vault to generate returns.

Lewellen strongly suggested that these patterns indicate the possibility of an organized governance attack and encouraged community participation.

4.3. Proposal 289: Trust Setup for DAO investment into GoldCOMP

On July 29, Golden Boys submitted their third and final proposal, "Proposal 289: Trust Setup for DAO investment into GoldCOMP", which significantly increased the COMP requirement from 92,000 to 499,000.

The substantial increase in COMP requirements signifies a very aggressive strategy change. This can be interpreted as an attempt by Golden Boys to secure greater influence as the amount of COMP delegated to Golden Boys through TrustSetup increases.

Nevertheless, this proposal was finally approved with 682,191 votes in favor and 633,636 votes against.

After the passage of Proposal 289, the community perceived this as a serious governance attack on the Compound DAO and quickly responded. Security experts including OpenZeppelin participated to explore technical alternatives, and the community began discussions on improving the governance structure. In fact, a new proposal was raised to deploy a new governance contract that transfers timelock administrator authority.

4.4. End of the Compound Finance War

On July 30, 2024, Bryan Colligan, a DeFi consultant at AlphaGrowth and Head of Growth at Compound Protocol, posted a proposal titled "[AlphaGrowth] Stake Compound Product" on the Compound forum, effectively ending the Compound Finance war.

Compound reached an agreement to propose a staking product for the benefit of COMP holder Humpy in exchange for cancelling Proposal 289, which posed a governance risk to the protocol as requested by Humpy.

[Proposed Agreement Content]

• Distribute 30% of the current market reserves and 30% of new market reserves generated annually to staked COMP token holders
• Staking rewards are distributed on the same cycle as COMP token rewards currently provided in Compound markets
• The staked COMP token product is implemented as a vault managed by the Compound DAO, with the ability to adjust risk parameters
• This product is developed through the Compound Growth Program and deployed on-chain after passing security audits, market risk assessments, and DAO governance votes

Humpy and OpenZeppelin and Wintermute Governance, who had expressed concerns, supported this agreement content and approved it, and Humpy's Proposal 289 was cancelled, concluding the matter.

5. Conclusion

5.1. DeFi Governance Attacks and Activist Funds

DeFi projects grew by providing excessive token incentives. However, as they failed to solve the token utility problem, they couldn't create demand, and the prices of most DeFi-related tokens have been steadily declining since 2021. The excessive incentives for competition in the early stages led to a steady decline in token prices, which in turn lowered the cost of governance attacks.

Humpy's actions in the Compound war and the past Balancer war show many similarities with the approach of traditional activist funds, demonstrating that traditional financial strategic behaviors can also be applied in DeFi governance. Activist funds are funds that pursue an investment strategy of buying large amounts of a company's stock to influence management rights, demanding changes in corporate policies or strategies to increase corporate value and maximize the fund's investment returns.

• Strategic Stake Acquisition: Both activist funds and Humpy focused on acquiring strategic stakes to exert influence. Just as activist funds intensively buy shares of target companies, Humpy secured large amounts of COMP tokens.
• Demanding Structural Changes: Just as activist funds demand changes in corporate governance, strategy, and capital allocation, Humpy proposed fundamental changes to the operating method of the Compound protocol.
• Short-term Profit Maximization: Humpy also adopted the "event-driven" approach typical of activist funds. Through the GoldCOMP proposal, he aimed for short-term value increase and strengthening of management rights, similar to the "catalyst event" creation pursued by activist funds.
• Multi-faceted Negotiation Strategy: Humpy's approach is similar to the 'salami tactics' of activist funds. He tried to achieve his goals gradually through several proposals, which is similar to the gradual pressure strategy used by activist funds.

As the risk of strategic governance attacks increases with the development of the DeFi market, many projects have been reconsidering their token economy strategies. Projects that used to provide excessive token incentives for growth now need a more cautious approach. In the future DeFi ecosystem, innovative token economy models that consider the project's long-term growth, competitiveness, and governance stability will be required.

5.2. Changing DeFi Token Economy Strategies

In fact, some DeFi projects are evolving from the initial excessive incentive model to more sustainable and value-centered token economy strategies. These changes are focusing not simply on token price increases, but on the long-term stability and real value creation of the protocol.

GMX's token buyback program or AAVE's safety module improvement proposal are good examples of this. These attempts can be seen as strategic moves to increase the stability and sustainability of the protocol, rather than simply aiming for token price increases.

However, changes in the regulatory environment can also have a significant impact on this trend. In particular, changes in SEC regulation intensity due to changes in U.S. policy can directly affect the token economy design of DeFi projects. For example, Uniswap planned to provide fees to UNI token holders participating in governance, but this decision is currently on hold after a lawsuit with the SEC.

These changes show that the DeFi ecosystem is maturing, while also suggesting that projects will need to establish balanced strategies considering legal, economic, and technical aspects in the future.

In conclusion, the Compound Finance war is an important case showing that the DeFi ecosystem is entering a mature stage. The token economy strategies of the DeFi ecosystem are becoming more sophisticated and complex. Beyond simple incentive provision, they face the challenge of simultaneously achieving various goals such as long-term growth of the project, adjustment of participants' interests, regulatory response, and real value creation. These changes show that the DeFi ecosystem is entering a mature stage, while also presenting the possibility that more innovative and sustainable models may emerge in the future.