On July 7, 2026, BonkDAO — the DAO governing the BONK memecoin ecosystem on Solana — confirmed a governance attack that drained approximately $20 million in BONK from its treasury. The attacker never touched a line of smart-contract code; they simply bought enough voting power to pass a malicious proposal that transferred the funds to themselves.
What happened
The exploit subverted BonkDAO's on-chain voting on the Realms governance platform. Over several days, the attacker quietly accumulated BONK through exchange wallets — an estimated $4 million in open-market purchases — building enough voting weight to force a proposal through without tipping off the community.
The malicious proposal, which authorised the transfer of roughly 4.426 trillion BONK from the DAO treasury, sat live for about six days. Turnout was almost nonexistent: only seven wallet addresses ended up voting, and wallets linked to the attacker controlled roughly 99.878% of that vote. With the quorum effectively captured, the proposal passed cleanly and the treasury tokens were sent to an attacker-controlled wallet.
Aftermath
- BONK's market price slid roughly 8-9% as news of the drain spread.
- BonkDAO said it is coordinating with the Solana Foundation and centralised exchanges to track and freeze the stolen assets, and that it has notified law enforcement.
- No funds had been recovered at the time of writing; the status remains stolen.
Why it matters
The BonkDAO incident is a textbook governance capture — the same class of attack as Beanstalk, where an attacker used borrowed voting power to pass a self-serving proposal, and the malicious-proposal takeover of the Tornado Cash governance contracts. Unlike a flash-loan governance attack, though, the BonkDAO takeover required no exploit at all: the attacker paid real money for real votes on the open market, exploiting nothing but apathetic turnout and a low quorum.
That makes it a structural warning rather than a bug report. When only seven wallets vote on a proposal that can move a treasury, the security model is not the code — it is voter participation, and here it failed completely. The lessons echo Mango Markets: treasuries governed by thin, liquid, market-purchasable voting tokens are one cheap accumulation away from being voted out of existence. Meaningful defences — timelocks on treasury transfers, quorum floors, and delayed execution windows that give the community time to react — are the difference between a suspicious proposal being noticed and a treasury being emptied.
Sources & on-chain evidence
- [01]coindesk.comhttps://www.coindesk.com/markets/2026/07/07/bonk-faces-usd20-million-treasury-drain-after-attacker-spends-usd4-million-to-pass-malicious-proposal
- [02]therecord.mediahttps://therecord.media/attackers-vote-themselves-20-million-bonk-crypto
- [03]news.bitcoin.comhttps://news.bitcoin.com/bonkdao-treasury-loses-20m-in-malicious-governance-attack-bonk-slides-8/
- [04]cryptobriefing.comhttps://cryptobriefing.com/bonkdao-hacked-20m-malicious-proposal/