In late July 2024, an attack on Compound Governance took place, carried out by a DeFi whale known as "Humpy Is Gold". Essentially, a proposal was passed to move $500,000 COMP (about $25 million) to a vault managed by Humpy and the Goldenboys. This whale had previously had "discussions" with other whales on the Balancer and Sushiswap protocols.
HOW GOVERNANCE WORKS
Simply any user who owns the protocol's tokens ($Comp in this case) can propose proposals on the official forum and then deposit guarantees to start the voting process. Who votes? The protocol's stakers. If a prop reaches a quorum and the "yes" prevails over the "no", it is executed. The vote is not the same for everyone but depends on how many tokens you own. Voting power increases as your tokens increase. For these reasons, when choosing a delegator/validator, it is better to distribute the tokens on smaller accounts (or nodes). This favors decentralization.
START OF THE ATTACK BUT THE PROPOSAL IN THE DAO DOES NOT PASS
Between the end of April and the beginning of May there were suspicious $Comp delegations to Humpy coming from a Bybit hot wallet.
The Goldenboys may not be related to these accounts but the timing is that so it cannot be ruled out.
This vault controls about 325K $Comp, only 74,667 less than the quorum. Goldenboys in a Governance prop proposes to invest 5% of the Compound treasury in the goldCOMP vault, the idea is to use them for yield farming.

Humpy, the leader of the Goldenboys, proposes:
-1 year deposit of 92K $Comp in their goldCOMP vault.
-Transfer of these tokens to the Golden Boys multi-sig wallet
$Comp stakers (including Wintermute and FranklinDAO) reject this proposal, citing:
-Lack of insurance or guarantees on future multi-sig actions (they could have dumped the tokens causing the price to collapse)
-Concerns about transferring large amounts of treasury funds without adequate guarantees
Result: proposal fails.
SECOND PROPOSAL FAILS
A few days later, Humpy creates a new proposal called "Trust Setup" addressing the problems of DAO by trying to implement a contract with the aim of reducing the multi-sig problems but this time it fails again and the "no" wins.
THE ATTACK SUCCESSES
At the end of July he tries the previous proposal again, asking for 5 times more! About 25 million dollars. This time the proposal passes!
Once Humpy's proposal has passed, he will control over 10% of the total $Comp supply, with the risk of being able to pass any governance proposal he wants, damaging Compound.
DAO RESPONSE AND ACTION PLAN
There are two defensive proposals thought up by the community:
-Transfer the TimelockAdmin function to Compound Community multisig
-Risk parameter updates

The idea is to transfer the TimelockAdmin (administration rights) to a new multisig as a precaution. The Timelock is used to manage protocol changes. Any change goes through this function and there is a 2-3 day delay between approval and execution. The TimelockAdmin is the entity that has the power to control the Timelock. This role allows you to propose, cancel or execute changes that affect the protocol. Compound Community Multisig is a multisig address controlled by multiple members of the Compound community used in extreme situations. In essence, this is a wallet that requires multiple signatures to approve operations.
Transferring the TimelockAdmin role to the Compound Community Multisig would have meant distributing power to more community members. The multisig admin can set a timelock for governance proposals. However, even if this TimelockAdmin proposal passed, it would have passed after Humpy's proposal. Beyond the $Comp transfer, the big risk would have been that GoldenBoys would then have full decision-making power over the protocol (51% attack) and could theoretically drain the rest into the treasury.

Humpy would not have had 51% of the total supply, but his share is so significant that it would be difficult to reverse it in a DAO prop. Once executed, Humpy would have had 500K $COMP in the transferred vault. This entity as you can see is a whale and its dosed wallets hold from 5 to 50 million dollars:
0xae0baf66e8f5bb87a6fd54066e469cdfe93212ec
0x36cc7b13029b5dee4034745fb4f24034f3f2ffc6
0x1e7267fa2628d66538822fc44f0edb62b07272a4
0xc0a893145ad461af44241a7db5bb99b8998e7d2c

Every DAO should pay attention to situations like this because similar attacks cannot be countered on chain. Governance risk is just like real market risk and smart contract risk because then tokens could be dumped.
PEACE TREATY
Humpy and Compound governance then reached an agreement that Compound DAO would commit to funding and building a new staking product, responding to the “interests” of Humpy delegates and $Comp stakers in response to Proposition 289. That is, additional yield produced by the protocol would be distributed to $Comp stakers. The agreement allows for future changes to the governance of the staking vault parameters. This agreement is quite opaque and leaves room for strategic maneuvering on both sides. The DAO can adjust the parameters of vault distribution for “sustainable growth,” but it is unclear whether these can be changed before the vaults are implemented. This is a delayed and indirect payment to the “exploiter,” as opposed to the immediate bounties typical of white hat attacks (i.e. I find a bug in a protocol and steal the funds, return the funds, and get a bounty in return). Humpy accepted the counterproposal, so Prop289 will be rescinded.
Are you interested in ways to earn crypto bonus? Check it out here: Some Sites To Earn Crypto Bonus (Old & New)