Deep Dive into the Details and Motives Behind the Compound Governance Attack: Whales Reclaim an Old-School DeFi
TechFlow Selected TechFlow Selected
Deep Dive into the Details and Motives Behind the Compound Governance Attack: Whales Reclaim an Old-School DeFi
Legendary whale Humpy, who successfully took over Balancer, strikes again.
Navigating Web3 tides with focused insightsAuthor: @Web3Mario
Summary: Following the conclusion of last weekend’s Bitcoin conference, further details have continued to emerge, largely aligning with my previous expectations—such as Trump's strategy of leveraging energy policy to appeal to Bitcoin enthusiasts and emphasizing shifts in official sentiment, particularly around the idea of a strategic reserve, to highlight Bitcoin’s value as a commodity. What I didn’t anticipate was that his speech would once again turn into a classic "Trump-style" campaign rally, filled with unsubstantiated claims and attacks on opponents, raising justified skepticism about the sincerity of his promises. Nevertheless, with this matter now largely settled, I shifted focus to other developments and came across an intriguing piece of news: Compound has suffered a governance attack. Given my extensive background in DeFi, I found this particularly compelling and decided to investigate the full story behind the incident, dissect its technical execution, and share insights with you. In short, the governance attack on Compound involved a DeFi whale attempting to seize control of idle COMP tokens in the Compound Treasury through manipulated governance voting, thereby gaining complete control over the Compound protocol.
The Legendary Whale Humpy, Who Successfully Took Over Balancer, Strikes Again
This is not the first masterpiece by this legendary whale. Back during the 2022 DeFi Summer, the same actor executed a governance attack on Balancer by accumulating a large amount of BAL governance tokens and leveraging Balancer’s veBAL mechanism to gain control over the allocation of liquidity mining incentives to various pools, effectively taking control of the platform. To date, Humpy has become the second-largest holder of BAL tokens, surpassed only by the official team.
On this classic case, Messari published an excellent research report—those interested can read it in detail. How many of you are familiar with Balancer’s veBAL mechanism? Let me briefly recap: at the time of DeFi Summer, innovation across protocols centered on designing effective tokenomics for growth. Curve, as a core DEX for stablecoins, pioneered the veCRV model, which proved highly successful. As a result, the veToken model became a popular design pattern among DEXs.
Balancer, one of the leading projects in this space, was facing innovation bottlenecks and followed suit by launching its own veBAL mechanism. The essence of such mechanisms lies in allocating a competitive internal resource—like liquidity mining rewards—through governance voting. This creates widespread vote-buying opportunities, incentivizes participation in governance, encourages community involvement in protocol development, and provides tangible value to governance tokens—a concept then widely referred to as “value extraction via governance.”
In the DEX space, this competitive resource specifically refers to the governance token (BAL) rewards allocated to liquidity pools. The distribution ratio is determined by governance votes. To obtain voting power, users must lock their governance tokens for extended periods, reducing circulating supply and supporting market cap growth. Pools receiving more votes get more BAL incentives, prompting external projects to bribe veBAL holders to boost liquidity for their own tokens—typically facilitated through specialized dApps. However, Humpy identified and exploited a critical flaw in Balancer’s veBAL design.
For a DEX, the core business model revolves around trading fees. To attract traders, DEXs strive to increase liquidity, offering low slippage and better user experience. Thus, veBAL’s design should ultimately serve the goal of maximizing fee revenue. But in its initial form, veBAL imposed no restrictions on pool types, basing reward allocations solely on total votes received. This meant any pool could receive substantial BAL incentives simply by securing enough veBAL votes—even if it had zero trading volume. This opened the door for whales, and thus Humpy entered the scene.
Humpy’s attack strategy had two parts: First, gain absolute control over a liquidity pool to capture most of its mining rewards; second, secure massive voting power to dominate BAL incentive distribution. To achieve this, he first targeted tokens from inactive but high-market-cap projects, minimizing competition. Then, he created a liquidity pool with an extremely high swap fee (1%), discouraging regular traders and deterring liquidity providers seeking fee income. This allowed him to establish uncontested control over the pool. Next, he purchased large amounts of BAL tokens on the open market, locked them to obtain veBAL, and voted for his own pool, capturing the lion’s share of BAL emissions. However, this did not improve Balancer—no additional trading fees were generated. Instead, it enriched Humpy, highlighting a fundamental misalignment between whale incentives and long-term protocol health, inevitably leading to conflict.
In practice, Balancer’s core team didn’t remain passive. They introduced counter-proposals to resist Humpy’s vampire attack—for example, restricting eligible pools for incentive allocation, requiring official approval to expand this list, and imposing caps on per-pool reward percentages. After a series of governance battles, Balancer eventually reached a truce with Humpy. Yet, in outcome, they failed to prevent Humpy from gradually seizing control of the protocol. His status as the second-largest BAL holder stands as direct evidence. This set the stage for his recent assault on Compound.
Attempting to Take Over Compound by Seizing Governance Rights of Idle COMP in the Treasury
The above events occurred in 2022. After two years of silence, Humpy has launched his takeover attempt on another established DeFi giant—Compound—marking the latest development. This time, however, it has nothing to do with veBAL. Instead, he has set his sights on the governance rights associated with the large quantity of idle COMP tokens held in the Compound Treasury.
Rather than acting directly, Humpy orchestrated the operation through a project called Golden Boys (which could also be described as an organization). This project is essentially a meme with financial characteristics. Its core product is an ERC-20 token called $GOLD. Official communications emphasize that the value of $GOLD is backed by Humpy—the whale himself—whose extensive experience, capital, and资源优势 ensure its stability. Holding $GOLD is framed as “riding on the back of the whale.” However, there are no structured financial products or yield aggregators behind it. Instead, $GOLD offers liquidity mining incentives paired with major tokens—some rewards are newly minted $GOLD, while others come from BAL emissions, thanks to Humpy’s influence over Balancer via his massive veBAL holdings (researching this makes one truly appreciate how hard it is to avoid being taken over).
After setting this up, they launched a new product called the goldCOMP Vault. In simple terms, users deposit their COMP tokens into this vault, relinquishing governance rights to Golden Boys in exchange for a receipt token called goldCOMP. This receipt is transferable, and users can provide it as liquidity to the 99goldCOMP-1WETH pool on Balancer. The 99:1 weight ratio means the pool is heavily weighted toward goldCOMP, resulting in extremely low slippage and negligible impermanent loss.
By providing liquidity, users earn $GOLD as rewards—not BAL. Naturally, using $GOLD as incentive gives Golden Boys greater control over the pool’s yield, since they fully control the token. Current APY stands at 180%, though TVL remains low. What puzzles me, however, is whether Balancer now officially supports third-party tokens as staking rewards displayed directly on its interface. I haven’t closely followed project updates recently. If this isn’t an officially supported feature, then once again, we’re left lamenting the helplessness of being compromised!
With preparations complete, Golden Boys initiated their governance attack on Compound. Their first proposal, submitted in May, requested transferring 5% of the COMP tokens controlled by the Compound Treasury—approximately 92,000 COMP—to a multi-sig wallet owned by Golden Boys. These tokens would then be deposited into the goldCOMP Vault to earn liquidity mining rewards, locked for one year. Clearly, the real objective was to acquire the governance rights attached to these tokens. Unsurprisingly, the proposal failed. The interacting entity appeared too rudimentary, lacking real business use cases, and all post-transfer operations relied entirely on a multi-sig wallet, raising strong suspicions of malicious intent. The community widely rejected it.
Undeterred, Humpy engaged directly with the community, arguing that routing all actions through Compound’s timelock contract would mitigate risks. On July 20, he submitted a second proposal with the same funding request but added a new element: a Trust Setup contract to supervise the multi-sig wallet. Upon reviewing the code, however, I found it merely defined three basic states. When the Compound timelock sets the contract to “approved,” the multi-sig gains full access to the tokens. This proposal was also rejected—but support noticeably increased. It created the illusion that Golden Boys were iteratively improving their proposal and gaining broader acceptance. Then came the third proposal—and today, it passed, shocking everyone.
Crucially, today’s approved proposal differs significantly in scale. It no longer requests 92,000 COMP but a staggering 499,000 COMP. The community, confident they would easily defeat Humpy’s “scheme,” was stunned when the proposal narrowly passed. Support surged sixfold within ten days—an outcome completely unforeseen. Clearly, this was part of Humpy’s well-calculated plan. Unless something unexpected happens, with this proposal approved, Humpy will effectively become Compound’s de facto owner, able to主导 any future proposal. Given his existing holdings and now nearly half a million additional COMP voting rights, Compound will undoubtedly be taken over.
The implications of this event are unprecedented. Every DeFi protocol must now reevaluate its governance model to guard against similar attacks. I will continue monitoring developments. I believe the Compound community will fight back. But given Balancer’s precedent, the ultimate outcome remains uncertain.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
@web3_mario
