BonkDAO hacked for $20M in BONK tokens via malicious governance proposal
An attacker spent roughly $4 million in BONK to buy enough voting power to drain the DAO's treasury, exposing a fundamental flaw in token-weighted governance systems.
Someone just bought their way into BonkDAO’s treasury. The attacker spent approximately $4 million in BONK tokens to accumulate enough voting power on Solana’s Realms governance platform to pass a malicious proposal, then walked away with roughly $20 million in BONK from the DAO’s coffers.
How a $4M vote became a $20M heist
The attack on July 6 exploited the most basic feature of token-weighted governance: whoever holds the most tokens wins the vote. The assailant acquired enough BONK to secure a majority, then pushed through a proposal that effectively authorized the treasury to be drained.
Once the proposal passed, the stolen tokens were quickly moved toward exchanges. South Korean exchange Upbit responded by temporarily suspending BONK deposits and withdrawals, cutting off at least one exit route.
BonkDAO historically controlled around 15-16% of the total BONK supply, making its treasury a sizable target. BONK’s price dropped by over 9-10% in the immediate aftermath.
The response and recovery effort
BonkDAO has moved quickly on the investigative front. The team says it has identified the wallets used in the attack and is working with law enforcement, exchanges, and the Solana Foundation to trace and potentially recover the stolen funds.
A familiar vulnerability, still unpatched
Similar exploits have hit other platforms throughout 2025 and 2026, and the playbook is almost always the same: accumulate tokens, pass a malicious proposal, drain the treasury.
Solutions exist. Timelocks, which create a delay between when a proposal passes and when it executes, give the community time to spot and block malicious actions. Multisig requirements add human oversight to treasury transactions. Quorum thresholds can be raised to make hostile takeovers more expensive. BonkDAO apparently had none of these safeguards in place, or at least none robust enough to stop an attacker willing to spend $4 million.
What this means for investors
The immediate market impact, a 9-10% price drop, is relatively contained for a memecoin. But the treasury losing $20 million doesn’t just mean fewer resources for development and marketing — it signals to the market that the project’s governance infrastructure wasn’t battle-tested.
The math on this attack is almost embarrassingly simple: spend $4 million, steal $20 million. Until DAOs make that equation unprofitable, it’s going to keep happening.