Authors: alextnetto.eth, guiriba.eth, 0xneves.eth, zeugh.eth, danimim.eth
Timeline
May 6 - Unexpected proposal
Humpy and the Golden Boys presented a proposal to invest 5% of Compound's tokens in a strategy called goldCOMP, submitting it directly on-chain and then posting it in the forum.
It works like a wrapped COMP: the tokens are deposited in a contract and return goldCOMP.
The proposal aimed to get 92K COMP from Compound to provide the initial liquidity for goldCOMP. The COMP provided by the DAO would be placed in the Golden Boys' vault and deposited in a 99/1 goldCOMP/WETH pool at Balancer. This capital would then generate 10% p.a. for all goldCOMP holders, including Compound.
The idea was not well received, because the capital would be managed by a multisig of the Golden Boys. At the time, those responsible for arguing against the proposal were Open Zeppelin's cylon and Wintermute Governance.
According to the study from cylon, they had already found 325K delegate tokens with a similar pattern: withdrawal from Bybit and delegation to a new address. Only 75K tokens short of a quorum.
These 325K tokens represent 47% of the tokens voted on in proposal 289, which culminated in the release of capital to Humpy.
Jul 9 - Another try
Humpy commented that the accusations that he was stealing or attacking governance were unfounded. For him, it's just a proposal requiring investment
Jul 15 - coordination bait
We think the goal here was getting the sense of how much votes the DAO could coordinate to defend from this proposal.
Humpy submitted an onchain proposal for the second time, it ended up not passing.
Jul 24 - Production-ready
Humpy and the Golden Boys upped the ante by asking for 499K COMP, ~5.5x more than what was expected on the forum. In addition, they added the grantPhase function, allowing the contract set up by Humpy to invest the money as soon as it was received.
The proposal passed, having 50k more votes "against" than the bait proposal, but it wasn't enough to block it.
Humpy background and history
Humpy is a well-known figure in DeFi. He has already exploited the governance vulnerabilities of other DAOs, most notably Balancer.
At Balancer, Humpy acquired millions of dollars of veBAL, aiming to capture the organization. At first, his focus was only on BAL emissions for the project's pools. By acquiring power in the governance of the protocol, he was able to direct token issues to pools that provided liquidity.
The strategy was simple:
-
Create a pool in Balancer;
-
Uploaded a proposal for voting on issuance to the pool;
-
Vote with your tokens and feed bribes to other wallets;
-
Extracted the possible issuance and replayed the playbook.
When the siege tightened, Humpy even wanted to ban Aura (Balancer's sub-DAO) from participating in the votes, in order to maintain his dominance over Balancer.
Andrea, one of the members of the Golden Boys, was part of this capture of Balancer. At the time, he helped Humpy in discussions on the forums, approving proposals that were beneficial to both of their bags.
As Humpy had captured the governance of Balancer and Aura, the solution was to make a peace agreement with him. The agreement made in 2022, agreed that Humpy would only direct emissions to pools where the cost of the bribe per veBAL is greater than the dollar value of the veBAL emissions. In short, “aligning himself for the long term with Balancer”.
He also divested several of his positions in veBAL, reducing his dominance over the project. Still, it is one of the largest and most influential portfolios at Balancer and Aura.
Diving deeper in the proposal
The important insights here are
-
The Golden Boys multisig can change the delegatee of the tokens deposited in goldCOMP.
-
COMP tokens will only be returned from the Trust setup to the DAO if the multisig allows.
Possible solutions
Some argue is an attack, others not. The fact is that the Golden Boys now have 6% and will have 11% after executing the proposal (1.1M COMP) of token supply in delegation, and the last time where quorum hit 1M was proposal 139 (Dec 2022 to approve Open Zeppelin security partnership), so the DAO is captured.
We cannot count on the other top token holders, they are exchanges, VCs and other entities that are not engaging in delegation. The reasons are diverse: compliance, security in tokens custody or just voter apathy.
The last chance is bulding around the proposal that Arr00 submitted 1 hour after the Golden Boys proposal passed, the snapshot for this voting will be taken before the 500k COMP can be delegated.
Note how close the first proposal's execution is to the voting start of the second proposal. If the voting start were after the execution of Humpy's proposal, the snapshot would include the 5% of COMP received by him.
The governor starts voting and takes a snapshot 13140 blocks after the proposal is submitted. A timelock delays execution by 172800 seconds (~14400 blocks) after the proposal is queued.
If the community considers it an attack and wants to get rid of the control and capture, the only way is to accept this proposal, transfer the timelock admin to the Compound's community, and then decide the future.
Scenario 1: New governor blocking goldCOMP delegatee
Deploying a new governor that will not consider the vote of the address that the goldCOMP contract is delegating to neutralize the social power involved in the proposal. It will maintain the tokens that Humpy bought, and it's an easier solution, also giving time for delegates to engage and take some security measures.
Scenario 2: Fork token
Creating a new COMP token, which is airdropped to all previous wallets, excluding the ones that voted "for" in the Golden Boys proposal and the tokens obtained with the proposal.
That's may be hard proposal to pass because it will make the COMP token useless by decoupling it from governing the treasury and protocol. But it can be interesting if there are any incentives to vote ”for”, as we saw in other token migrations.
Scenario 3: Accept the capture
As Humpy and the Golden Boys are heavily invested in COMP, is also in their interest to not lose money and make the protocol survive. There is no turning back if this happens and the proposal for transferring the timelock admin doesn't pass.
Preventing it
Security provider that takes action
Open Zeppelin (getting $4m/year), which is in charge of security, and Gaunlet, which makes most of the proposal and does risk analysis, didn't take any action or proposal toward increasing DAO security.
OZ got early insights about related wallets on the first on-chain proposal and made the possible risk clear in the forum. But security is not just monitoring and warning. Is taking action and proactively stewarding the governance towards a more secure place.
Security Council for vetoing
Back in March, blockful conducted a governance audit that exposed a concerning situation for ENS DAO, ending up in the immediate delegation of 4M ENS to a contract that can only vote "Against" and now the creation of the Security Council, live since 2 days ago.
Recently, an address was noticed accumulating 1.5m ENS, buying it almost every day for the last 382 days, but it no longer represents a risk for the capture of the organization.
In an adversarial and permissionless environment, security must be preventive and crucial. It takes motivation, passion, and attention to detail.
Similar movements are not new in history.
The 1988 RJR Nabisco Takeover: A Case of Legal Manipulation and Strategic Voting: in 1988, the leveraged buyout of RJR Nabisco by Kohlberg Kravis Roberts & Co. (KKR) showcased how legal manipulation and strategic voting allowed KKR to gain control, despite fragmented and apathetic large shareholders. This event highlighted vulnerabilities in corporate governance and led to significant financial market reforms.
Open question
- Most of COMP came from exchanges, so they know who is behind it, or... they are behind it. Are Humpy and the Golden Boys somehow backed by exchange? If not, why would these individuals expose their identity to exchanges like that?