Original author: @Web3 Mario (https://x.com/web3_mario)

With the end of last weekend's Bitcoin Conference, the details of the relevant meetings continued to be exposed, which were basically not much different from my previous judgment, such as Trump's strategy of using energy policy to please Bitcoin enthusiasts, and by exaggerating some changes in official attitudes, especially the so-called strategic reserve rhetoric, highlighting its value as a commodity. What I didn't expect was that his speech turned into a typical "Trump-style" campaign rally again. He likes to use some opinions and information that have not been logically argued to attack his opponents, which inevitably makes people wait and see the authenticity of some of his promises. However, basically this matter has been settled, so the author paid attention to some other events and saw a very interesting information that Compound encountered a governance attack. Because the author had been working in DeFi for a long time before, he was very interested in this information. He studied the whole story behind this matter in depth, and disassembled the implementation details behind it to share with you. In general, the governance attack encountered by Compound was a DeFi whale that tried to forcibly seize the governance rights of idle Comp tokens in the Compound Treasury through voting on governance, so that it could fully control the Compound protocol.

The legendary whale Humpy, who successfully seized the body of Balancer, strikes again

In fact, this is not the first masterpiece of this legendary whale. Before this, the whale launched a governance attack on Balancer in the DeFi Summer era of 2022. By controlling a large number of BAL governance tokens and relying on Balancer's veBAL mechanism, it controlled most of BAL's incentive release to the liquidity pool, thereby forming control over Balancer. So far, humpy has become the second largest holder of BAL tokens, second only to the official team.

Messari has a very interesting research report on this classic event. Interested friends can read it in detail. I don’t know how many friends are familiar with Balancer’s veBAL mechanism. Let me briefly review it here. It was DeFi Summer at that time. The innovation direction of various products was centered on how to achieve growth by designing a good tokenomics. Curve, as a core DEX of a stablecoin at the time, took the lead in launching the veCRV mechanism as its own tokenomics, and then achieved considerable results. Therefore, veToken became a popular design paradigm for tokenomics of DEX products at that time.

Balancer, one of the star projects of the same type, happened to encounter an innovation bottleneck at the time, so it also chose to follow up and launched its own veBAL mechanism. The essence of this mechanism is to adjust the allocation of a competitive resource within the product through voting governance, thereby creating a wide range of vote-buying scenarios, bringing benefits to those who participate in governance, and then stimulating the enthusiasm of the community to actively participate in product co-construction, and also finding a suitable value support for governance tokens. At that time, the market generally used "governance to extract value" to describe it.

In the DEX track, this competitive resource specifically refers to the liquidity incentive rewards of governance tokens allocated by the official to the liquidity pools running on it. The proportion of rewards allocated to different liquidity pools is determined by the voting governance method. If you want to obtain voting rights, you must lock your governance tokens for a long period of time, which reduces the circulation in the market and is conducive to the growth of market value. Whichever liquidity pool receives more votes will be allocated more BAL incentives, so that third-party projects can be guided to use their tokens to bribe users with veBAL voting rights in order to stimulate the liquidity growth of their own tokens. Of course, this process is generally implemented by relying on a dedicated DAPP. However, there is a hidden danger in the design of Balancer's veBAL that was discovered and exploited by Humpy.

We know that for DEX, its core business model is transaction fees. In order to attract more traders to use their products, DEX tries every means to increase its liquidity and attract users through low slippage trading experience. Therefore, the design of veBAL cannot be separated from this core goal, that is, to increase the fee. However, in its original design, it did not restrict the type of liquidity pool, but only depended on the total number of votes obtained by the pool. This brought a problem. As long as a pool can obtain enough veBAL votes through some means, it can obtain a larger proportion of BAL liquidity incentives, even if the pool has no trading volume. This creates space for whales, so Humpy came.

Humpy's core attack idea is divided into two parts. First, it needs to obtain absolute control over the liquidity of a certain pool, so that it can obtain most of the rewards in the process of liquidity mining. Second, it needs to obtain a huge number of votes for the pool it controls and control most of the BAL incentive allocation. In this way, it can achieve control over the protocol. Therefore, its first choice is to build positions in the tokens of projects with inactive trading but inflated market value to reduce potential competitors. Second, it establishes a liquidity pool with extremely high handling fees (1%) to reduce users' willingness to trade, so as to reduce the willingness of potential LPs attracted by handling fees to participate. Through such means, it has completed absolute control over a certain liquidity pool. Next, it purchases a large number of BAL tokens through the secondary market, pledges them to obtain veBAL, and votes for its own liquidity pool to obtain most of the BAL allocation. However, such incentive release does not make Balancer better, because no more handling fees are stimulated, but it only makes Humpy cheaper. This is the so-called divergence between the interests of the whales and the long-term development direction of the project, which can only bring contradictions.

In actual implementation, the official team of Balancer did not sit idly by, but countered Humpy's vampire attack through a new Proposal. For example, the scope of the pool that receives liquidity incentives is specified, and the operation of expanding the scope needs to be approved by the official application before it can be passed, and an upper limit is set for the proportion of rewards that can be allocated to a single pool. However, after a series of confrontations, Balancer and Humpy finally reached a settlement, but from the results, it did not prevent Humpy from gradually achieving control over Balancer through this means, and the fact that he is the second largest holder is the most direct result. This also laid the groundwork for its recent attack on Compound.

By forcibly seizing the governance rights of a large amount of idle COMP in the Compound Treasury,

The above incident happened in 2022. After two years of silence, Humpy started to seize another old DeFi. This is what happened recently. This time it has nothing to do with veBAL, but is aimed at the governance rights corresponding to the large amount of idle COMP in the Compound Treasury.

This time, it did not directly participate in the entire game, but operated by packaging a project called Golden Boys (of course, it can also be called an organization). The project is actually a meme with financial attributes. What does it mean? Its core product is an ERC-20 token called $GOLD. However, the official has given its holders some expectations in addition to cultural attributes. The introduction of the entire official website and blog emphasizes one point, that is, the value of $GOLD is maintained by Humpy, the giant whale, with many years of experience and a lot of capital and resource advantages. Holding $GOLD is equivalent to standing on the back of a giant whale. But in fact, he does not have some structured financial management, or product designs such as income aggregation. He only allocates some liquidity incentives for $GOLD and some mainstream tokens. Some of these incentives are directly issued $GOLD, and of course some are BAL rewards. This is naturally because of Humpy's influence on Balancer, which allocates relatively high liquidity mining to it through its huge amount of veBAL (after studying this, I really feel a little sad about how difficult it is to be possessed).

After preparing all this, it created a new Vault product called goldCOMP Vault. Simply put, users can pledge their COMP into this Vault to transfer their governance rights to Golden Boys and obtain a pledge certificate called goldCOMP, which is a tradable certificate. Users can provide this certificate as liquidity to the 99 goldCOMP-1 WETH liquidity pool in Balancer, where 99 and 1 are corresponding weights, which basically means that the transaction slippage of goldCOMP is extremely low and there is basically no impermanent loss.

After staking liquidity, you can get $GOLD liquidity incentives. Note that the reward here is not BAL, but GOLD. This is naturally because choosing GOLD as an incentive is more conducive to the Golden Boys controlling the interest rate of the pool, anyway, it is all controlled by themselves. The current interest rate level is 180%, of course, the TVL is not high. But what I don’t know is when Balancer will support third-party tokens to be directly displayed as staking incentives on the official website. Because I haven’t followed up on the progress of the project for a while. If it is not an official operation that can be publicly set, I can only sigh again at the helplessness of being possessed!

After preparing these, GoldenBoys began to attack Compound's governance. They first launched the first proposal in May this year. The content of the proposal was to apply to transfer 5% of the COMP controlled in the Compound Treasury, that is, 92,000 COMP, to the multi-signature wallet of Golden boys, and pledge it to the goldCOMP Vault through the multi-signature wallet, and earn liquidity mining income, locked for one year. Of course, in this process, Golden Boys went for the governance rights transferred behind these tokens. There is no doubt that the proposal was not passed, because this interoperable object is really a bit simple and has no actual business support, and the entire operation after the token is allocated is based on the multi-signature wallet, which makes it more likely that human evil will be committed. Therefore, it has also caused widespread denial in the community.

But Humpy was not discouraged, but chose to confront community members. He believed that these problems could be alleviated as long as the entire process was approved by the Compound timelock contract to approve the use of the token by any multi-signature wallet. Therefore, a second proposal was launched on July 20. The amount applied for this time remained unchanged, but an additional operation was added to achieve the above effect by setting up a Trust Setup contract, thereby realizing the supervision of multi-signature wallets. However, the author actually read the code of the contract and simply set three states. When Compound timelock modifies the state of the contract to allow investment, multi-signature wallets can use these tokens at will. Of course, this proposal was also rejected, but it can be seen that the number of votes in favor has increased significantly. This seems to give people an illusion that the Golden Boys are really constantly optimizing the proposal and have gained more and more consent. Until today, the passage of the third proposal has stunned everyone.

Everyone should note that there is a core difference in the proposal that was passed today. The amount of COMP funds applied for this proposal is no longer 92,000, but an exaggerated 499,000. However, this time, the community was very confident that it would easily defeat Humpy's "conspiracy", but the result was shocking. The proposal was passed with a slight advantage, and the support votes increased by 6 times in just ten days, which was obviously unexpected by the community. And this is obviously a carefully planned operation by Humpy. If nothing unexpected happens, with the passage of this proposal, Humpy will actually become the owner of Compound and dominate any proposal. Considering that its current chip amount is enough to surpass its opponent, plus the voting rights corresponding to the newly acquired 499,000 COMP, Compound will undoubtedly be seized.

The impact of this incident is unprecedented. Any DeFi product needs to re-monitor its governance model to prevent similar problems. I will continue to pay attention to the next developments. I believe that the Compound community will also rise up to fight. How the conflict will eventually develop is hard to say with the previous experience of Balancer.

To add a little progress, as of the time of writing, it is learned that the Compound community has reached a preliminary settlement with Humpy and gave up the COMP tokens. Compound will share 30% of the protocol's annual new total revenue with COMP token holders. Prior to this, these revenues will be controlled by the team as market reserves. At this point, COMP tokens have officially become an asset that can generate income, the so-called yield bearing asset. Humpy has once again won the governance war!