It’s all but impossible to carry out a governance attack against Meta.

Shareholder activism is a non-starter in Mark Zuckerberg’s empire, as the company’s dual-class share structure – where insider-held Class-B shares have more voting weight than Class-A shares available to the public – means that Zuckerberg maintains approximately 58% voting control of the company.

But in the world of decentralized autonomous organizations (DAOs), which are in many ways analogous to corporations, it’s one token for one vote.

That is how a whale – a large token holder – who goes by the handle Humpy and his “GoldenBoys”, an affiliate group directed by Humpy or perhaps Humpy themselves, ran what some called a “governance attack” against the lending protocol Compound.

They used their collective voting might to allocate $24 million worth of COMP tokens into a yield-bearing protocol called goldCOMP, controlled by them, to generate passive income for token holders.

Recently, a court filing by the FTX estate appeared to ‘dox’ — or name — Humpy and accused him of having ties to criminal networks. Nawaaz Mohammad Meerun, the person behind the alias, said in a statement to CoinDesk that the allegations of criminal connections are false.

Although some have described the “attack” as a consequence of voter apathy, OpenZeppelin, a security audit firm that Compoud’s DAO has an engagement with, and an active participant on its governance forum sees it differently.

In an interview with CoinDesk during Devcon, Michael Lewellen describes what Humpy did as an exploit on the model itself.

“Governance models that are token holder dominant, where there are no checks on token holders in any meaningful sense, are ultimately all susceptible to this. It’s just a question of when,” he said during a recent interview with CoinDesk.

In Lewellen’s mind, while decentralization is a critical principle for blockchain technology, one that ensures trustlessness and security, it’s going to be a challenge to implement for governance.

“Decentralization is like an objective good, but it’s not a good in governance the same way it’s a good in blockchain,” he said. “More voices in that discussion aren’t necessarily better if a lot of those voices are not aligned with the DAO and are not informed.”

Know-your-customer (KYC) initiatives are part of the future of DAO governance, Lewellen says, and the industry needs to figure out how to do this to introduce accountability without compromising anonymity.

“There should be a way to verify this is a real person, and they’re not pretending to be others. For instance, zero-knowledge cryptography can help verify identities without exposing personal information,” he said.

Such measures would also prevent actors like Humpy from creating multiple delegate profiles to manipulate governance.

“If someone has significant governing power, they should be upfront about it,” Lewellin argued. “People should have the chance to recognize exactly what sort of influence they have and have the ability to counter it if necessary.”

And to prepare for another “Humpy,” DAOs need to engage in wargaming exercises.

“Threat modeling for worst-case scenarios should be a standard practice,” Lewellin said. “Teams need real answers to questions like: What if a malicious actor acquires significant voting power? How do we respond on-chain?”

Apathy remains a significant challenge in DAO governance, with voter participation often low, meaning a solution lies in incentivizing good participatory behavior. Somehow, DAOs need to adopt governance models that prioritize decision-making quality over quantity, ensuring that critical decisions – especially those involving user funds and protocol security – are handled with care and expertise, rather than left solely to those holding the most tokens.

“We need to give token holders reasons to be responsible stewards of the protocol,” Lewellin said. “By rewarding participation, we can ensure that governance decisions are made by informed and engaged stakeholders.”

In an ideal world, DAOs that handle billions of dollars would structure their governance more like Meta and less like their current iteration.

“We need governance systems that reflect this reality, systems that balance decentralization with safeguards to ensure long-term sustainability,” Lewellin said.