Compound Governance Attack: Proposal 289 Controversy
Compound governance faces attack through Proposal 289 on July 29, 2024, highlighting vulnerabilities in vault-based lending protocol governance mechanisms.

Compound Finance's governance system faced an attack on July 28, 2024, when Proposal 289 passed with a 52 percent majority, allocating 499,000 COMP tokens worth $24 million from the DAO treasury to a yield strategy controlled by a group of traders calling themselves the Golden Boys. The proposal's passage exposed fundamental vulnerabilities in token-weighted governance where concentrated capital could override community interests.

Proposal 289 would have created a "goldCOMP" wrapper enabling a small group to manage treasury distributions and generate yield for themselves while claiming to provide passive income to COMP holders. Five wallets, apparently acquiring COMP from the Bybit exchange, delegated more than 228,000 tokens to governance delegates associated with a participant known as Humpy. Combined with existing delegate holdings, this created voting control exceeding 81 percent of the 400,000 COMP required to reach quorum. The strategy required only 52 percent of voting participants—achievable through concentrated capital—rather than majority support from the broader COMP holder base.
Compound security advisor Michael Lewellen documented that multiple accounts had been observed purchasing COMP tokens specifically to influence the vote, suggesting coordinated exploitation of governance mechanisms. The attack demonstrated that token-weighted voting could be weaponized by wealthy actors willing to spend millions purchasing voting power to extract value from community treasuries.
The Golden Boys agreed to rescind Proposal 289 after AlphaGrowth, a competing proposal creator, offered a staking product distributing 30 percent of Compound's existing and future market reserves to COMP stakers proportionally. This settlement converted a governance attack into a negotiated outcome: the attackers received commitment to ongoing treasury distributions rather than a single massive allocation, while the community avoided having control of significant reserves handed to a small group.
The incident highlighted that governance tokens created asymmetric incentives where wealthy participants could accumulate voting power specifically to extract value. Compound lacked mechanisms preventing rapid token accumulation through exchange purchases or requiring voting delays that would allow community mobilization. The vulnerability applied broadly to protocols using simple token-weighted voting without additional safeguards.
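A monitoring check for the pattern described above, written as an added example (it is not code from the article or from Compound): it groups delegates by controlling entity and flags any entity whose recently delegated voting power is a large share of quorum. The look-back window, alert threshold, entity labels and all sample records are assumptions constructed for illustration; only the 400,000 quorum and the 228,000 COMP total come from the text.

```python
from collections import defaultdict
from dataclasses import dataclass
QUORUM = 400_000        # COMP quorum figure quoted in the article
WINDOW_DAYS = 14        # assumption: look-back window before the vote
ALERT_FRACTION = 0.25   # assumption: alert when fresh power >= 25% of quorum

@dataclass(frozen=True)
class Delegation:
    day: int            # day index of the delegation
    delegator: str      # wallet delegating its balance
    delegatee: str      # governance delegate receiving the votes
    amount: int         # COMP delegated
    funded_from: str    # label for where the delegator's COMP came from

def fresh_power_alerts(events, clusters, vote_day):
    """Flag entities (delegatees grouped via `clusters`) with large fresh voting power."""
    fresh, total = defaultdict(int), defaultdict(int)
    wallets, sources = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.day > vote_day:
            continue                              # not counted at vote time
        entity = clusters.get(e.delegatee, e.delegatee)
        total[entity] += e.amount
        if vote_day - e.day <= WINDOW_DAYS:       # delegated shortly before the vote
            fresh[entity] += e.amount
            wallets[entity].add(e.delegator)
            sources[entity][e.funded_from] += e.amount
    alerts = []
    for entity, amount in fresh.items():
        if amount < ALERT_FRACTION * QUORUM:
            continue
        top_source = max(sources[entity], key=sources[entity].get)
        alerts.append({"entity": entity, "fresh_comp": amount,
                       "fresh_share_of_quorum": round(amount / QUORUM, 3),
                       "total_share_of_quorum": round(total[entity] / QUORUM, 3),
                       "new_delegators": len(wallets[entity]),
                       "top_funding_source": top_source})
    return sorted(alerts, key=lambda a: -a["fresh_comp"])

# Constructed sample: five new wallets delegating 228,000 COMP in total to two
# linked delegates. Names, days, the split and the older delegations are invented.
CLUSTERS = {"delegate-a": "entity-1", "delegate-b": "entity-1"}  # hypothetical labels
SAMPLE = [Delegation(10, "old-1", "delegate-a", 100_000, "unknown"),
          Delegation(12, "old-2", "delegate-c", 60_000, "unknown")] + [
    Delegation(90 + i, f"new-{i}", "delegate-a" if i % 2 else "delegate-b", amt, "exchange")
    for i, amt in enumerate([50_000, 48_000, 45_000, 45_000, 40_000])]

if __name__ == "__main__":
    print(fresh_power_alerts(SAMPLE, CLUSTERS, vote_day=100))
```

On the constructed sample the single alert shows five new delegators supplying 57 percent of quorum from one funding source, the kind of signal that gives other holders time to mobilize before voting closes.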
