Compound Governance Attack: Proposal 289 Controversy
Compound governance faces attack through Proposal 289 on July 29, 2024, highlighting vulnerabilities in vault-based lending protocol governance mechanisms.

Compound Finance's governance system faced an attack on July 28, 2024, when Proposal 289 passed with a 52 percent majority, allocating 499,000 COMP tokens worth $24 million from the DAO treasury to a yield strategy controlled by a group of traders calling themselves the Golden Boys. The proposal's passage exposed fundamental vulnerabilities in token-weighted governance where concentrated capital could override community interests.

Proposal 289 would have created a "goldCOMP" wrapper enabling a small group to manage treasury distributions and generate yield for themselves while claiming to provide passive income to COMP holders. Five wallets, apparently acquiring COMP from the Bybit exchange, delegated more than 228,000 tokens to governance delegates associated with a participant known as Humpy. Combined with existing delegate holdings, this created voting control exceeding 81 percent of the 400,000 COMP required to reach quorum. The strategy required only 52 percent of voting participants—achievable through concentrated capital—rather than majority support from the broader COMP holder base.
Compound security advisor Michael Lewellen documented that multiple accounts had been observed purchasing COMP tokens specifically to influence the vote, suggesting coordinated exploitation of governance mechanisms. The attack demonstrated that token-weighted voting could be weaponized by wealthy actors willing to spend millions purchasing voting power to extract value from community treasuries.
The Golden Boys agreed to rescind Proposal 289 after AlphaGrowth, a competing proposal creator, offered a staking product distributing 30 percent of Compound's existing and future market reserves to COMP stakers proportionally. This settlement converted a governance attack into a negotiated outcome: the attackers received a commitment to ongoing treasury distributions rather than a single massive allocation, while the community avoided having control of significant reserves handed to a small group.
The incident highlighted that governance tokens created asymmetric incentives where wealthy participants could accumulate voting power specifically to extract value. Compound lacked mechanisms preventing rapid token accumulation through exchange purchases or requiring voting delays that would allow community mobilization. The vulnerability applied broadly to protocols using simple token-weighted voting without additional safeguards.
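The monitoring gap described above can be narrowed with a delegation watcher. The following is an added example, not code from Compound or from the article: it groups recent delegation events by delegate cluster and flags fresh voting power that is a large share of quorum. The wallet and delegate names, the window, the threshold, the funding-source labels and the per-wallet amounts are all assumptions; only the 228,000 total and the 400,000 quorum come from the text.

```python
from collections import defaultdict
from dataclasses import dataclass

QUORUM = 400_000        # COMP needed to reach quorum, as stated in the article
WINDOW_BLOCKS = 50_000  # assumed look-back window (tuning value, not from the article)
ALERT_SHARE = 0.25      # assumed threshold: fresh delegations as a share of quorum

@dataclass(frozen=True)
class Delegation:
    block: int
    delegator: str
    delegatee: str
    amount: int        # COMP voting weight delegated
    funded_from: str   # analyst-supplied label for where the delegator got its COMP

def flag_rapid_concentration(events, current_block, clusters):
    """Group recent delegations by delegate cluster and flag large fresh inflows."""
    fresh = defaultdict(list)
    for ev in events:
        if current_block - ev.block <= WINDOW_BLOCKS:
            # Delegates missing from the analyst's mapping form their own cluster.
            fresh[clusters.get(ev.delegatee, ev.delegatee)].append(ev)
    alerts = []
    for cluster, evs in fresh.items():
        total = sum(e.amount for e in evs)
        share = total / QUORUM
        if share >= ALERT_SHARE:
            alerts.append({
                "cluster": cluster,
                "fresh_votes": total,
                "share_of_quorum": round(share, 2),
                "delegators": len({e.delegator for e in evs}),
                "sources": sorted({e.funded_from for e in evs}),
            })
    return sorted(alerts, key=lambda a: -a["fresh_votes"])

# Constructed sample data: names, blocks and per-wallet amounts are invented;
# only the 228,000 total and the 400,000 quorum come from the article.
CLUSTERS = {"delegate-1": "cluster-A", "delegate-2": "cluster-A"}
EVENTS = [
    Delegation(1_000_100, "wallet-1", "delegate-1", 50_000, "exchange"),
    Delegation(1_000_400, "wallet-2", "delegate-1", 48_000, "exchange"),
    Delegation(1_001_200, "wallet-3", "delegate-2", 45_000, "exchange"),
    Delegation(1_002_000, "wallet-4", "delegate-2", 45_000, "exchange"),
    Delegation(1_002_500, "wallet-5", "delegate-1", 40_000, "exchange"),
    Delegation(1_003_000, "wallet-6", "delegate-9", 12_000, "long-term holder"),
    Delegation(900_000, "wallet-7", "delegate-9", 150_000, "long-term holder"),  # outside window
]
```

Calling `flag_rapid_concentration(EVENTS, 1_010_000, CLUSTERS)` returns a single alert for `cluster-A`; an alert of this kind is most useful when it fires before a proposal's voting period opens, while the community still has time to mobilize.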
