Many experts agree that DAOs are vulnerable to misaligned incentives and the whim of large tokenholders.
The spotlight is on DAOs and the attack vectors associated with decentralization as the Compound community reels from a “governance attack” that took advantage of low voting participation and misaligned incentives.
After two botched attempts, on July 28, a group known as the Golden Boys successfully pushed through Proposal 289, which approved sending $24 million in COMP tokens from Compound’s treasury to a yield-bearing protocol called goldCOMP operated by the Golden Boys themselves.
The proposals were authored by a governance delegate associated with Humpy — a notorious whale and key Golden Boys figure previously accused of engineering governance attacks — after five wallets delegated them more than 228,000 COMP (nearly $12 million at current prices) obtained from the Bybit exchange. Combined with the delegate’s own tokens, the wallet controlled more than 81% of the 400,000 COMP required for a governance proposal to meet quorum.
With their second proposal getting shot down less than two weeks prior due to concerns over the Golden Boys’ multisig controlling vault withdrawals and receiving the governance rights from deposited assets, major stakeholders characterized 289 as an attack and unsuccessfully called for a unified front against the proposal from DAO members.
“It’s scary that this happened, especially considering the multi-billion dollar protocols that could come under attack at any time from the wide array of whales that might put their interests above those of the community,” said Dennison Bertram, CEO of Tally Protocol.
Governance capture
Most DAOs suffer from low levels of participation, opening the door for large tokenholders to abuse governance to advance self-serving proposals.
According to a recent study by two academics from the University Complutense of Madrid, 50% of DAOs have fewer than ten voters. Further, members of DAOs with between 1,000 and 10,000 members participate in the governance process for less than 30% of proposals put forward — while more than 50% of the voting power is controlled by less than 1% of members.
As such, the attack on Compound’s DAO may have been an inevitable consequence of low voting participation coupled with the architecture of decentralized autonomous organizations. Combined, these forces create opportunities for entities with deep pockets and misaligned incentives to capture an inherently fraught governance process.
“It’s a delicate topic because, at the end of the day, dApps behave like companies, and not communities,” said Francisco Díaz, a DAO researcher at TalentDAO. “Even though there are memes and people are ‘vibing’, at the end of the day, many DeFi projects and some DAOs are making decisions so the protocol is profitable.”
For Díaz, that means you can’t expect a “community” of people who bought tokens to give the best verdict on what commercial direction a protocol should take — particularly within the context of DAOs overseeing highly technical protocols.
Doo Wann, the co-founder and COO of Stable Labs, lamented that most DAOs maintain few mechanisms protecting them against governance attacks, and are thus left reliant on the “goodwill of delegates and investors.”
“In the long term, this does not work as they don’t have the incentive,” Wann added.
Humpy strikes
A governance attack occurs when an entity acquires enough voting power to ram through proposals that serve its own interests rather than those of the DAO, gaming the permissionless and tradable nature of governance tokens.
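A monitoring check a DAO could run against the pattern reported above (one delegate suddenly holding most of quorum through fresh delegations), as an added example that is not code from Compound or from the article. The thresholds, the `Delegation` record, and the sample events are assumptions; only the 400,000 COMP quorum and the 228,000 COMP from five wallets come from the article.

```python
from collections import defaultdict
from dataclasses import dataclass

QUORUM = 400_000      # COMP quorum figure reported in the article
ALERT_SHARE = 0.5     # assumption: alert at >= 50% of quorum held by one delegate
RECENT_SHARE = 0.5    # assumption: ...and >= 50% of that power arrived recently
WINDOW_DAYS = 14      # assumption: look-back window for "recent" delegations

@dataclass
class Delegation:     # hypothetical record, e.g. built from indexed delegation events
    day: int
    delegator: str
    delegate: str
    amount: float

def delegation_surge_alerts(events, today, quorum=QUORUM, window=WINDOW_DAYS):
    """Flag delegates holding a large share of quorum that was mostly delegated recently."""
    total, recent, sources = defaultdict(float), defaultdict(float), defaultdict(set)
    for e in events:
        if e.day > today:
            continue  # ignore events after the evaluation day
        total[e.delegate] += e.amount
        if today - e.day <= window:
            recent[e.delegate] += e.amount
            sources[e.delegate].add(e.delegator)
    alerts = []
    for delegate, power in total.items():
        quorum_share = power / quorum
        recent_share = recent[delegate] / power if power else 0.0
        if quorum_share >= ALERT_SHARE and recent_share >= RECENT_SHARE:
            alerts.append({"delegate": delegate,
                           "quorum_share": round(quorum_share, 4),
                           "recent_share": round(recent_share, 4),
                           "recent_sources": len(sources[delegate])})
    return sorted(alerts, key=lambda a: a["quorum_share"], reverse=True)

# Constructed sample sized to the article's totals: five wallets delegate 228,000 COMP
# in the last days before a vote; the delegate's own 97,000 is an assumed figure.
SAMPLE_EVENTS = (
    [Delegation(10, "delegate_A", "delegate_A", 97_000)]
    + [Delegation(96 + i, f"wallet_{i}", "delegate_A", 45_600) for i in range(5)]
    + [Delegation(1, "holder_X", "delegate_B", 250_000),   # large but long-standing
       Delegation(99, "holder_Y", "delegate_C", 30_000)]   # recent but small
)

if __name__ == "__main__":
    for alert in delegation_surge_alerts(SAMPLE_EVENTS, today=100):
        print(alert)
```

The check separates a sudden accumulation from a long-standing large holder: `delegate_B` exceeds the quorum-share threshold but is not flagged because none of its power is recent.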
Compound’s community said it was attacked on three separate occasions by the whale that goes by Humpy.
The proposals sought to allocate $24 million worth of COMP to a protocol they controlled, goldCOMP, which is operated by a group known as Golden Boys.
Golden Boys’ first try, Proposal 247, sought to transfer 92,000 COMP from Compound’s treasury to goldCOMP, but was canceled after prominent community members flagged it as suspicious. The group then tried a second time with Proposal 279, but was shot down with 88% of votes cast against it.
Finally, Proposal 289 passed on July 28 after the Golden Boys increased the governance power at their disposal. The final vote was 682,191 votes in favor to 633,636 against, resulting in an increased allocation of 499,000 COMP being earmarked for the goldCOMP vault.
The Compound team has since negotiated with Humpy to introduce a revamped staking mechanism distributing 30% of the protocol’s current and future reserves to COMP stakers in exchange for the Golden Boys canceling Proposal 289.
Compound threatened to use its centralized multisig to update the project’s governance, either to remove voting power from the wallet that authored Proposal 289 or to distribute a new token excluding wallets that voted in favor of 289, should Humpy choose not to comply. In other words, a combination of centralized safeguards and old-fashioned diplomacy was used to overcome the vulnerabilities created by decentralized governance.
The price of COMP is up 4.6% over the past seven days, according to CoinGecko.
Traditional systems are also susceptible to governance capture
However, misaligned incentives are commonplace both inside and outside of crypto.
A recent panel hosted by The Defiant and IC3 noted that both DAOs and mainstream companies are subject to controversial decision-making — with equity shares similarly making tradfi firms vulnerable to the whim of large shareholders.
“You do have capture in DeFi much like in traditional finance,” said Eswar Prasad, a Cornell University professor. Will Cong and Gordon Liao, fellow academics from Cornell University and Harvard University, agreed.
The three pointed out that the incentives are very difficult to align – both within and outside of crypto – a challenge that is further complicated by the outsized footprint of large tokenholders like Humpy.
Prasad described DAOs as a hopeful vehicle for overcoming governance challenges, but concluded that leaving decision-making in the hands of diverse tokenholder communities may produce directionless results.
Read More: thedefiant.io