Simple Summary: Notice for all Voting Delegates.
An unexpected proposal was created on May 6th, 2024. The proposal would transfer 5% of the COMP treasury to a multi-sig that it claims is controlled by the “Golden Boys”, for the purpose of investing the funds in a goldCOMP DeFi vault to generate treasury yield. The account that created the proposal was delegated 95K COMP a week ago. The proposal was not discussed in the forums beforehand, and the delegate did not identify itself to the community before creating the proposal. Additional new delegations have also been made that raise concerns that this is possibly a coordinated governance attack.
Background
OpenZeppelin’s monitoring in the security-alerts Discord feed has identified a number of new COMP delegations between April 29th and May 2nd. To summarize the impact of these alerts so far, 5 addresses have all withdrawn COMP from the ByBit exchange hot wallet and then delegated it. All 5 delegated voting accounts follow the same withdrawal pattern, so we assume they belong to the same entity.
- 0x4f3a - 42,695 COMP delegated
- 0x9d03 - 40,012 COMP delegated
- 0x93cb - 39,188 COMP delegated
- 0x4ac0 - 48,724 COMP delegated
- 0xc64c - 59,714 COMP delegated
These 5 accounts represent a combined total of 230,333 COMP, which is over half of the 400K COMP quorum threshold required to pass a proposal. On May 1st, 2024, we alerted the community of the risk that these delegates could be in support of a potential governance attack.
It is unclear whether the proposer of Proposal 247, 0x36cc, is related to the other accounts that sourced their COMP from ByBit. However, the timing of the new proposal relative to these recent delegations is suspicious.
Assuming that the proposer’s 95K COMP and these 5 accounts are all connected and coordinated, they represent a combined total of 325,333 COMP, only 74,667 COMP short of the 400K quorum threshold. Other smaller delegations or accounts supporting this potential attack could get them beyond the quorum threshold.
It is important to note that these delegations may not be malicious at all and could simply be coincidental. However, OpenZeppelin believes that the large amount of COMP recently delegated and the timing of this unexpected proposal warrant a high level of community scrutiny.
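The heuristic behind the alerts above can be expressed as a small script: group newly delegated accounts by the address that funded them, sum the voting power of each funder cluster, and compare it to quorum with and without the proposer. The example below is added here and is not OpenZeppelin’s monitoring code; the event shapes, the `bybit_hot_wallet` and `unrelated_wallet` labels, the noise delegate `0xdead`, and the day offsets are constructed, and the COMP figures are the ones quoted in this notice.

```python
"""Cluster new delegates by funding source and score the bloc against quorum.

Added example for illustration, not OpenZeppelin's monitor. Transfer and
delegation records are simplified stand-ins for COMP Transfer and
DelegateVotesChanged events; amounts are whole COMP.
"""
from collections import defaultdict
from dataclasses import dataclass

QUORUM_COMP = 400_000  # Compound quorum threshold quoted in the notice


@dataclass(frozen=True)
class Transfer:
    """Constructed token transfer: funding source -> soon-to-be delegate."""
    sender: str
    receiver: str
    amount: int
    day: int  # days since the start of the monitoring window


@dataclass(frozen=True)
class Delegation:
    """Constructed DelegateVotesChanged-style record: delegate's new vote balance."""
    delegate: str
    votes: int
    day: int


def cluster_by_funder(transfers, delegations, window_days):
    """Group delegates funded by the same sender inside the window.

    Returns {funder: {delegate: latest_votes}}.
    """
    latest_votes = {}
    for d in sorted(delegations, key=lambda d: d.day):
        latest_votes[d.delegate] = d.votes  # later records overwrite earlier ones
    clusters = defaultdict(dict)
    for t in transfers:
        if t.day <= window_days and t.receiver in latest_votes:
            clusters[t.sender][t.receiver] = latest_votes[t.receiver]
    return dict(clusters)


def quorum_gap(votes, quorum=QUORUM_COMP):
    """COMP a bloc still needs to reach quorum (0 if already met)."""
    return max(quorum - votes, 0)


def assess(transfers, delegations, proposer, proposer_votes,
           window_days=7, alert_fraction=0.5):
    """Find the largest funder cluster and size it against quorum.

    The proposer's delegated votes are added unless the proposer is already
    part of the cluster, so they are never counted twice.
    """
    clusters = cluster_by_funder(transfers, delegations, window_days)
    if not clusters:
        return None
    funder, cluster = max(clusters.items(), key=lambda kv: sum(kv[1].values()))
    bloc = sum(cluster.values())
    combined = bloc + (0 if proposer in cluster else proposer_votes)
    return {
        "funder": funder,
        "delegates": sorted(cluster),
        "bloc_votes": bloc,
        "alert": bloc >= alert_fraction * QUORUM_COMP,
        "gap_without_proposer": quorum_gap(bloc),
        "combined_votes": combined,
        "gap_with_proposer": quorum_gap(combined),
    }


# Constructed sample data built from the figures in the notice. Labels are
# placeholders, not addresses; days are relative to April 29th.
SAMPLE_TRANSFERS = [
    Transfer("bybit_hot_wallet", "0x4f3a", 42_695, 0),
    Transfer("bybit_hot_wallet", "0x9d03", 40_012, 1),
    Transfer("bybit_hot_wallet", "0x93cb", 39_188, 1),
    Transfer("bybit_hot_wallet", "0x4ac0", 48_724, 2),
    Transfer("bybit_hot_wallet", "0xc64c", 59_714, 3),
    Transfer("unrelated_wallet", "0xdead", 1_000, 2),  # constructed noise
]
SAMPLE_DELEGATIONS = [Delegation(t.receiver, t.amount, t.day) for t in SAMPLE_TRANSFERS]

if __name__ == "__main__":
    report = assess(SAMPLE_TRANSFERS, SAMPLE_DELEGATIONS, "0x36cc", 95_000)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The alert threshold of half of quorum is an assumed tuning knob; the useful property is that the same funding source ties otherwise unrelated delegate addresses together, which a per-address threshold would miss.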
Call to Action
We recommend that all governance delegates review Proposal 247 and share their thoughts on the proposal in the thread below. We urge ALL governance delegates to be prepared to vote on Proposal 247 in case a large number of new delegate votes come into play.
We further recommend that the proposers behind Proposal 247 engage in community discussion about their proposal so that due diligence can be performed. An account called “Humpy - Golden Boys” recently identified itself on the community Discord.
Disclaimer: OpenZeppelin has no opinion on Compound’s governance decisions beyond its security mandate. We have posted this notice and raised this concern because the patterns we see match those of a potential coordinated governance attack. We are entirely neutral on the content of Proposal 247, although we generally recommend that proposals allocating Treasury funds be discussed with the community prior to on-chain submission.