Governance Security Notice: goldCOMP Proposal 247

Simple Summary: Notice for all Voting Delegates.

An unexpected proposal was recently created on May 6th, 2024. The proposal would transfer 5% of the COMP treasury to a Multi-sig that it claims is controlled by the “Golden Boys” for the purposes of investing the funds in a goldCOMP DeFi vault for generating treasury yield. The account making this proposal was delegated 95K COMP a week ago. The proposal was not discussed prior in the forums and the delegate did not identify itself to the community prior to the proposal being created. There are additional new delegations that have been made that raise concerns that this is possibly a coordinated governance attack.

Background

OpenZeppelin’s monitoring in the security-alerts Discord feed has identified a number of new COMP delegations between April 29th and May 2nd. To summarize the impact of these alerts so far, there are 5 addresses that are all withdrawing COMP from the ByBit exchange hot wallet. All 5 delegated voting accounts follow the same withdrawal pattern, so we can assume they belong to the same entity.

  1. 0x4f3a - 42,695 COMP delegated
  2. 0x9d03 - 40,012 COMP delegated
  3. 0x93cb - 39,188 COMP delegated
  4. 0x4ac0 - 48,724 COMP delegated
  5. 0xc64c - 59,714 COMP delegated

These 5 accounts represent a combined total of 230,333 COMP. This represents over half of the 400K quorum threshold to pass a proposal. On May 1st, 2024, we alerted the community of the risk that these delegates could be in support of a potential governance attack.

It’s unclear whether the proposer of Proposal 247, 0x36cc, is related to these other accounts that sourced their COMP from ByBit. However, the timing of the new proposal and these recent delegations is suspicious.

Assuming that these accounts are all connected and coordinated, they represent a combined total of 325,333 COMP, which is only 74,667 COMP short of the quorum threshold. There may be other smaller delegations or accounts supporting this potential attack that could get them beyond the quorum threshold.

It’s important to note that none of these delegations may be malicious in nature; they could simply be coincidental. However, OpenZeppelin believes that the high amount of COMP recently delegated and the timing of this unexpected proposal prompt a high level of community scrutiny.

Call to Action

We recommend that all governance delegates review Proposal 247 and share their thoughts on the proposal in the thread below. We urge ALL governance delegates to be prepared to vote on Proposal 247 in case a large number of new delegate votes come into play.

We further recommend that the proposers behind Proposal 247 engage in community discussion about their proposal so due diligence can be performed. An account called “Humpy - Golden Boys” recently identified itself on the community Discord.

Disclaimer: OpenZeppelin has no opinion on Compound’s governance decisions beyond its security mandate. We have posted this notice and raised this concern due to the potential patterns we see matching a coordinated governance attack. We are entirely neutral on the content of Proposal 247, although we generally recommend that proposals allocating funds from Treasury should be discussed with the community prior to submission on-chain.

10 Likes
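As an added illustration (not OpenZeppelin's monitoring code), the following Python groups the delegations listed in the notice by the funding source they were withdrawn from and reports how close each cluster, alone or combined, comes to the 400K quorum; the truncated addresses and the source labels are constructed from the figures above.

```python
"""Delegation-cluster monitor: added illustration, not OpenZeppelin's tooling.
Groups newly observed COMP delegations by the funding source of the
delegating account and flags clusters approaching the proposal quorum."""
from collections import defaultdict
from dataclasses import dataclass

QUORUM_COMP = 400_000  # quorum threshold cited in the notice


@dataclass(frozen=True)
class Delegation:
    delegate: str        # account that received the voting power (truncated)
    amount: int          # COMP delegated
    funding_source: str  # where the delegating account withdrew its COMP from


# Constructed sample events mirroring the five alerts plus the proposer.
SAMPLE_DELEGATIONS = [
    Delegation("0x4f3a", 42_695, "bybit_hot_wallet"),
    Delegation("0x9d03", 40_012, "bybit_hot_wallet"),
    Delegation("0x93cb", 39_188, "bybit_hot_wallet"),
    Delegation("0x4ac0", 48_724, "bybit_hot_wallet"),
    Delegation("0xc64c", 59_714, "bybit_hot_wallet"),
    Delegation("0x36cc", 95_000, "unknown"),  # proposer; link to ByBit unconfirmed
]


def cluster_totals(delegations):
    """Sum delegated COMP per funding source (one source ~ one likely entity)."""
    totals = defaultdict(int)
    for d in delegations:
        totals[d.funding_source] += d.amount
    return dict(totals)


def quorum_alerts(delegations, quorum=QUORUM_COMP, alert_share=0.5):
    """Return clusters holding at least alert_share of quorum, with shortfall."""
    alerts = []
    for source, total in cluster_totals(delegations).items():
        if total / quorum >= alert_share:
            alerts.append({"source": source, "total": total,
                           "share_of_quorum": round(total / quorum, 4),
                           "shortfall": max(quorum - total, 0)})
    return alerts


def worst_case_shortfall(delegations, sources, quorum=QUORUM_COMP):
    """Assume the named clusters coordinate: combined power and COMP still needed."""
    combined = sum(d.amount for d in delegations if d.funding_source in sources)
    return combined, max(quorum - combined, 0)
```

With the sample events, the ByBit cluster alone trips the 50% alert (230,333 COMP), and treating the proposer as coordinated leaves the 74,667 COMP shortfall the notice computes.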

The proposer of Proposal 247 has made a post here: Treasury to Invest 5% of COMP holdings into goldCOMP Vault

1 Like

Thank you for your diligence @cylon and the rest of the team at OpenZeppelin.

On behalf of Blockchain at Columbia, we are strongly against the proposal. On top of the high potential of it being a malicious governance attack, the negligible track record of the proposer and the lack of any community discussion prior to submission is cause for concern in its own right. Passing such a proposal would set a dangerous precedent for Compound, regardless of whether malicious or not.

In an effort to curb serious concerns about the integrity of our governance process, we echo OpenZeppelin’s call to action and recommend that all delegates review Proposal 247.

Thanks @cylon for flagging.

Irrespective of the abnormal behaviour, going straight to an on-chain proposal without forum/community discussion is not conducive to a healthy governance environment and is something we are strongly against. There has been zero attempt to gauge community sentiment or incorporate feedback. Lastly, there is no strong reason why the COMP needs to be transferred into a multi-sig and out of the control of the DAO.

We will be voting against this proposal and urge other delegates to do the same.

2 Likes

Thanks @cylon and OpenZeppelin team.

Wow. They’ve already added COMP on their homepage. :sweat:

I will be voting against Proposal 247.

I was wondering about the total amount of COMP they collected from the lending service on the ByBit exchange.

2 Likes

As with the many points prior, we are voting against this proposal and wish for more discussion if this was a proposal in good faith.

2 Likes

Proposals like this are unlikely to be beneficial to the prosperity of Compound. We will be voting against.

2 Likes

It’s important for proposals to allow adequate time for discussion before being submitted, and the goldCOMP proposal hasn’t fulfilled this.

Other issues with the specific prop:

  • Unsafe admin authority for granted COMP (sent to multisig with unknown security/accountability characteristics)
  • Investment strategy itself is somewhat abusive to Balancer’s liquidity incentives program
  • 99/1 Balancer pools have some non-negligible potential for divergence loss, which proposal does not address
  • goldCOMP token has unclear security characteristics

I’m not completely opposed to the idea of protocol owned liquidity or investment strategies but this proposal is coming up short. Humpy is welcome to engage with the community to see if there’s scope for a viable proposal.

3 Likes

Hello,
Thank you all for the feedback. The Golden Boys team have acknowledged the various criticisms, most importantly the lack of prior discussion before the on-chain vote. Thus Proposal 247 has now been cancelled.

Unsafe admin authority for granted COMP (sent to multisig with unknown security/accountability characteristics)

GOLD Multisig is a 3 of 5, consisting of the following members:

  • Gosuto (Warpcast)
  • Ogle (@cryptogle)
  • Alonso - Gold Growth Lead (@baselordeth)
  • Andrea - ex Balancer lead & DeFi adviser
  • Humpy - early DeFi adopter and whale

Investment strategy itself is somewhat abusive to Balancer’s liquidity incentives program

The goldCOMP pool does not receive any incentives from Balancer, as rewards are paid in GOLD tokens.

99/1 Balancer pools have some non-negligible potential for divergence loss, which proposal does not address

We will address this by clearly stating that any Divergence loss, though very minimal in a 99-1 ratio pool, will be fully covered by Gold’s treasury.

goldCOMP token has unclear security characteristics

goldCOMP is open source: GitHub - HumpysGold/goldCOMP. An audit was performed here. Further review of the audited codebase is welcomed.

1 Like