BonkDAO Suffers Governance Attack: How Did the Attacker Use $4.4 Million to Leverage a $20 Million DAO Treasury?

On July 6, 2026, BonkDAO, a leading Meme coin project on the Solana ecosystem, suffered a malicious governance attack. Through a malicious governance proposal, the attacker transferred approximately $20 million worth of BONK tokens from the DAO treasury. Unlike traditional smart contract vulnerability attacks, this attack fully exploited the DAO's on-chain governance mechanism—the attacker spent about $4.4 million to purchase BONK tokens to gain sufficient voting power, then unilaterally passed the proposal and executed the fund transfer. This incident not only caused a sharp decline in BONK's price but also triggered deep industry reflection on the security framework of DAO governance.

How Did the Attacker Steal $20 Million Through Governance Voting?

The origin of this attack can be traced back to June 30. An anonymous wallet submitted a proposal titled "BIP 76 - Sowellian BonkDAO" on the Realms governance platform of the Solana ecosystem. The proposal ostensibly claimed to implement a new governance plan, "rebuild from the ruins," and "liquidate holdings," but its true intent was to transfer approximately 4.426 trillion BONK tokens (worth about $20 million) from the treasury to a wallet controlled by the attacker. According to BonkDAO's governance rules, passing a proposal requires reaching a quorum threshold of 1% of the total BONK supply in favor, i.e., about 879.95 billion BONK. Between July 4 and 5, the attacker spent about $4.4 million across multiple exchanges to purchase BONK tokens exactly reaching this threshold. Voting ended on July 6. Data shows that only 7 wallets participated in the vote, while BonkDAO had over 18,000 members who did not vote, resulting in a voter turnout of only 2.9%. The addresses controlled by the attacker held 99.878% of the voting power, and the proposal was passed with 99.9% "yes" votes. After the proposal passed, approximately $20 million worth of BONK was automatically transferred from the treasury to the attacker's wallet. After completing the fund transfer, the attacker also renamed the DAO to "Sowellian BonkDAO."

Why Has Token-Weighted Governance Become the Achilles' Heel of DAO Security?

The essence of this attack is the malicious exploitation of the inherent flaws in the token-weighted voting mechanism. The attacker did not discover any smart contract vulnerabilities or break any cryptographic mechanisms—he simply bought tokens on the open market, submitted a proposal, and cast a yes vote. Each step was "legal" on-chain, but combined they constituted a theft. The core issue lies in the "buy-and-vote-immediately" governance design. If the governance mechanism allows users to buy tokens on the same day and use them for voting on the same day, attackers gain the opportunity for a "blitz." In more extreme cases, if the protocol does not support flash loan protection, attackers can even obtain a massive amount of tokens through borrowing in an instant to vote. Between 2025 and 2026, multiple protocols on Solana and other chains suffered similar governance manipulation attacks, with flash loan vulnerabilities being particularly common. Another key vulnerability in the BonkDAO attack is low voter turnout. Over 18,000 members did not vote, allowing the attacker to pass a proposal involving $20 million in treasury assets with just 7 wallets and a 2.9% turnout. This reveals a deep contradiction: DAO governance power theoretically belongs to all token holders, but in practice, voter apathy actually concentrates governance power among a few active participants.

Where Did the Funds Flow After the Attack? Why Did Upbit Suspend Deposits and Withdrawals?

After the attack, the stolen BONK tokens quickly began moving to multiple cryptocurrency exchanges. On-chain data shows that about 9 hours after the attack, approximately $188k was sent to an exchange, suspected to be cashed out; the remaining approximately $19 million was transferred to a multi-signature wallet that requires multiple approvals to move funds. The flow of stolen funds to exchanges directly triggered market-level reactions. The Korean exchange Upbit announced a temporary suspension of BONK deposits and withdrawals after the incident to limit the movement of potentially stolen assets through its platform. This measure is common in large-scale token attacks—attackers typically try to convert stolen assets into more liquid cryptocurrencies or transfer through centralized platforms before tracking becomes effective. BonkDAO stated that it has notified law enforcement and is working with exchanges, cross-chain bridges, the Solana Foundation, and relevant law enforcement agencies to track the stolen funds and explore recovery options. However, once tokens are transferred to multiple platforms, exchanged for other assets, or routed through mixers, the difficulty of recovery increases significantly.

Why Did BONK's Price Drop Over 9% After the Attack Disclosure?

The market reacted quickly and directly to the treasury theft. According to Gate market data, as of July 7, 2026, BONK dropped over 9% after the attack disclosure. The Block data showed that after the stolen BONK began flowing to exchanges, it created direct downward pressure on the token price. The price decline reflects market concerns on two levels. The first layer is the direct treasury loss—$20 million accounts for a significant proportion of BonkDAO's treasury assets, and the depletion directly impacts the sustainability of future community initiatives and token burn activities. The second layer is potential selling pressure—the market fears that the attacker may try to sell the stolen tokens on centralized exchanges, and once large-scale selling occurs, it will further impact BONK's liquidity and price. Notably, as one of the most well-known Meme coins on Solana, BONK's prominence has transcended typical Meme coin trading and has been included in some exchange-traded products. This market position further amplifies the destructiveness of the governance attack—the treasury theft triggered not only price volatility but also a crisis of trust in the project's internal governance and risk control capabilities.

From BonkDAO to Industry Norm: The Evolution Trend of DAO Governance Attacks

The BonkDAO attack is not an isolated incident, but the latest in a wave of DAO governance attacks during 2025-2026. These attacks show a clear evolution trend: attackers are shifting from traditional smart contract exploitation to "within-the-rules" manipulation of governance mechanisms. First, the asymmetry between attack cost and gain is increasingly prominent. In this attack, the attacker spent only about $4.4 million to buy tokens and leveraged approximately $20 million in treasury assets, with a leverage ratio of nearly 5 times. This asymmetry makes governance attacks a highly attractive attack vector. Second, the attack method is shifting from technical vulnerabilities to institutional vulnerabilities. Unlike traditional DeFi hacks that rely on technical means like reentrancy attacks and oracle manipulation, governance attacks exploit the rules themselves. This makes the attack harder to categorize and defend against—it is not a "code vulnerability" but an "institutional vulnerability." Third, attacks are accelerating toward "industrialization." On July 7, 2026, around the time of the BonkDAO attack, blockchain security company Blockaid also identified an active attack on the DeFi yield protocol Summer.fi, with about $6 million drained. Governance attacks and security vulnerabilities are impacting the entire decentralized finance ecosystem with higher frequency and larger scale.

What Key Defenses Are Needed for DAO Treasury Security?

The BonkDAO attack exposed multiple deficiencies in DAO governance security design. The industry generally believes that the following security mechanisms should become standard configurations for DAO treasury management. Timelocks are one of the most fundamental defenses. Timelocks enforce a delay window between proposal passage and actual execution, giving the community, developers, and researchers time to discover and prevent any abnormal operations. BonkDAO lacked an effective execution delay mechanism, allowing funds to be transferred almost immediately after the proposal passed. Multi-signature is another key barrier. Controlling treasury funds through multi-signature wallets, requiring multiple trusted signers to jointly approve large transfers, can effectively prevent a single malicious proposal from directly draining the treasury. Emergency brake mechanisms provide the last line of defense. A multi-signature of guardians elected by governance can cancel malicious or erroneous proposals within the timelock window. This mechanism has been practiced in mature projects like ENS DAO. Additionally, voting power snapshot mechanisms can prevent the "buy-and-vote-immediately" attack mode—by determining voting eligibility at the time of proposal submission rather than at voting time, attackers cannot temporarily purchase tokens during the voting window to gain voting power. Increasing the quorum threshold can also effectively prevent governance manipulation under low voter turnout.

Conclusion: A $20 Million Governance Lesson

The $20 million theft from BonkDAO is one of the most representative DAO governance security incidents of 2026 so far. It demonstrates in a near "textbook" manner the fatal vulnerability of token-weighted governance mechanisms when lacking supporting security measures—attackers do not need to break code, only to understand and exploit the rules. The industry implications of this event are multifaceted. For DAO project teams, the design of governance mechanisms cannot stop at the conceptual level of "decentralization." Security mechanisms such as timelocks, multi-signatures, emergency brakes, and voting power snapshots must be mandatory standard configurations for treasury management. For token holders, participation in governance is not an option but a necessity—low voter turnout itself is the biggest security vulnerability. For the industry, DAO governance attacks are evolving from occasional incidents to systemic risks, requiring the establishment of more comprehensive governance security standards and audit frameworks. Whether the stolen funds can be recovered remains uncertain. But what is certain is that this $20 million cost is driving the entire industry to re-examine the underlying logic of DAO governance security.

FAQ

Q: How much did the attacker specifically spend in the BonkDAO attack? The attacker spent about $4.4 million to purchase BONK tokens to reach the 1% quorum threshold for governance voting. With these tokens, the attacker obtained 99.878% of the voting power in the vote. Q: Did this attack exploit a smart contract vulnerability? No. This attack fully exploited the DAO's on-chain governance mechanism, not a smart contract code vulnerability. The attacker completed the fund transfer within the rules framework by legally purchasing tokens, submitting a proposal, and voting. Q: Where did the stolen funds currently flow? The stolen approximately $20 million in BONK tokens began flowing to multiple cryptocurrency exchanges after the attack. Among them, about $188k was sent to an exchange suspected to be cashed out, and the remaining approximately $19 million was transferred to a multi-signature wallet. Q: Why did Upbit suspend BONK deposits and withdrawals? The Korean exchange Upbit, after detecting that stolen BONK began flowing to exchanges, announced a temporary suspension of BONK deposit and withdrawal services to limit the transfer of potentially stolen assets through its platform. Q: How should DAO projects prevent similar governance attacks? The industry generally recommends that DAO projects configure security measures such as timelocks (delaying proposal execution), multi-signatures (approving large transactions by multiple signers), emergency brake mechanisms (canceling malicious proposals), and voting power snapshots (preventing temporary token purchases). Q: What is the current price performance of BONK? According to Gate market data, as of July 7, 2026, BONK dropped over 9% after the attack disclosure, and is currently reported at $0.00000426.

SOL2.71%
BONK-5.99%
ENS1.64%
View Original
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
  • Reward
  • Comment
  • Repost
  • Share
Comment
Add a comment
Add a comment
No comments
  • Pinned