BonkDAO hacked for $20M in BONK tokens via malicious governance proposal

1 hour ago 8

Someone just bought their way into BonkDAO’s treasury. The attacker spent approximately $4 million in BONK tokens to accumulate enough voting power on Solana’s Realms governance platform to pass a malicious proposal, then walked away with roughly $20 million in BONK from the DAO’s coffers.

How a $4M vote became a $20M heist

The attack on July 6 exploited the most basic feature of token-weighted governance: whoever holds the most tokens wins the vote. The assailant acquired enough BONK to secure a majority, then pushed through a proposal that effectively authorized the treasury to be drained.

Once the proposal passed, the stolen tokens were quickly moved toward exchanges. South Korean exchange Upbit responded by temporarily suspending BONK deposits and withdrawals, cutting off at least one exit route.

BonkDAO historically controlled around 15-16% of the total BONK supply, making its treasury a sizable target. BONK’s price dropped by over 9-10% in the immediate aftermath.

The response and recovery effort

BonkDAO has moved quickly on the investigative front. The team says it has identified the wallets used in the attack and is working with law enforcement, exchanges, and the Solana Foundation to trace and potentially recover the stolen funds.

A familiar vulnerability, still unpatched

Similar exploits have hit other platforms throughout 2025 and 2026, and the playbook is almost always the same: accumulate tokens, pass a malicious proposal, drain the treasury.

Solutions exist. Timelocks, which create a delay between when a proposal passes and when it executes, give the community time to spot and block malicious actions. Multisig requirements add human oversight to treasury transactions. Quorum thresholds can be raised to make hostile takeovers more expensive. BonkDAO apparently had none of these safeguards in place, or at least none robust enough to stop an attacker willing to spend $4 million.

What this means for investors

The immediate market impact, a 9-10% price drop, is relatively contained for a memecoin. But the treasury losing $20 million doesn’t just mean fewer resources for development and marketing — it signals to the market that the project’s governance infrastructure wasn’t battle-tested.

The math on this attack is almost embarrassingly simple: spend $4 million, steal $20 million. Until DAOs make that equation unprofitable, it’s going to keep happening.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.

Read Entire Article