BonkDAO’s $20M treasury drained after attacker spends $4.4M on BONK tokens to hijack governance vote

BonkDAO’s $20M treasury drained after attacker spends $4.4M on BONK tokens to hijack governance vote

Only seven wallets voted on the proposal that emptied the meme coin DAO's entire treasury, exposing a fundamental flaw in token-weighted governance

Someone just bought their way into controlling an entire DAO treasury. And the worst part? They did it completely within the rules.

A single wallet spent approximately $4.4 million acquiring BONK tokens on exchanges including Binance and Bybit in late June 2026, accumulating enough voting power to pass a governance proposal that automatically transferred roughly 4.426 billion BONK tokens, worth around $20 million, out of BonkDAO’s treasury and into the attacker’s wallet.

How a $4.4M bet turned into a $20M payday

Here’s the thing about BonkDAO’s governance structure on the Realms platform: it only required a 1% quorum to pass proposals. In English, that means if just 1% of eligible voting power showed up and said “yes,” a proposal would execute automatically. No human review. No time delay. No second opinion.

The attacker understood this perfectly. After accumulating enough BONK tokens to command more than 99% of the votes on any given proposal, they submitted BIP #76 around June 30, 2026. The proposal, which effectively authorized the transfer of the entire treasury to the attacker’s wallet, went to a vote.

Advertisement

Seven wallets voted. Out of more than 18,000 BonkDAO members, seven showed up.

On July 6, 2026, the proposal executed automatically, and the treasury was emptied. No smart contract exploit. No flash loan attack. No zero-day vulnerability. Just someone who read the governance docs and did the math.

The governance problem hiding in plain sight

This wasn’t a hack in the traditional sense, and that’s exactly what makes it so alarming. The attacker didn’t break anything. They used the system as designed. Token-weighted voting, the mechanism where your influence scales with how many tokens you hold, has always had this theoretical vulnerability. BonkDAO just became the most expensive proof of concept.

The 1% quorum threshold was supposed to ensure that governance didn’t grind to a halt due to voter apathy. Instead, it created a situation where voter apathy became the attack vector itself. When 99.96% of your membership doesn’t participate in votes, the cost of capturing governance drops dramatically.

BonkDAO’s governance had direct, unrestricted access to the treasury, with no execution delays or additional checks permitting a well-funded participant to pass proposals with ease.

Market fallout and the scramble to respond

BONK’s price dropped approximately 7-8% immediately after news of the treasury drain spread.

BonkDAO has stated it is collaborating with exchanges, bridges, and law enforcement to track and potentially freeze the stolen funds.

For investors evaluating DAO-governed projects, this incident introduces a new risk metric worth considering. How much would it cost to capture governance relative to the treasury size? If that ratio is as lopsided as it was for BonkDAO, where $4.4 million in token purchases unlocked $20 million in treasury assets, the protocol is carrying a vulnerability that no smart contract audit will catch.

Several potential fixes exist. Time-locked execution periods would give communities a window to mobilize against malicious proposals. Higher quorum requirements would raise the cost of attack but also risk paralyzing governance. Multisig controls on treasury disbursements would add a human check on automated execution. Quadratic voting would reduce the influence of whale-sized positions. None of these are perfect, but all of them would have prevented a seven-wallet vote from draining $20 million.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.

BonkDAO’s $20M treasury drained after attacker spends $4.4M on BONK tokens to hijack governance vote

BonkDAO’s $20M treasury drained after attacker spends $4.4M on BONK tokens to hijack governance vote

Only seven wallets voted on the proposal that emptied the meme coin DAO's entire treasury, exposing a fundamental flaw in token-weighted governance

Someone just bought their way into controlling an entire DAO treasury. And the worst part? They did it completely within the rules.

A single wallet spent approximately $4.4 million acquiring BONK tokens on exchanges including Binance and Bybit in late June 2026, accumulating enough voting power to pass a governance proposal that automatically transferred roughly 4.426 billion BONK tokens, worth around $20 million, out of BonkDAO’s treasury and into the attacker’s wallet.

How a $4.4M bet turned into a $20M payday

Here’s the thing about BonkDAO’s governance structure on the Realms platform: it only required a 1% quorum to pass proposals. In English, that means if just 1% of eligible voting power showed up and said “yes,” a proposal would execute automatically. No human review. No time delay. No second opinion.

The attacker understood this perfectly. After accumulating enough BONK tokens to command more than 99% of the votes on any given proposal, they submitted BIP #76 around June 30, 2026. The proposal, which effectively authorized the transfer of the entire treasury to the attacker’s wallet, went to a vote.

Advertisement

Seven wallets voted. Out of more than 18,000 BonkDAO members, seven showed up.

On July 6, 2026, the proposal executed automatically, and the treasury was emptied. No smart contract exploit. No flash loan attack. No zero-day vulnerability. Just someone who read the governance docs and did the math.

The governance problem hiding in plain sight

This wasn’t a hack in the traditional sense, and that’s exactly what makes it so alarming. The attacker didn’t break anything. They used the system as designed. Token-weighted voting, the mechanism where your influence scales with how many tokens you hold, has always had this theoretical vulnerability. BonkDAO just became the most expensive proof of concept.

The 1% quorum threshold was supposed to ensure that governance didn’t grind to a halt due to voter apathy. Instead, it created a situation where voter apathy became the attack vector itself. When 99.96% of your membership doesn’t participate in votes, the cost of capturing governance drops dramatically.

BonkDAO’s governance had direct, unrestricted access to the treasury, with no execution delays or additional checks permitting a well-funded participant to pass proposals with ease.

Market fallout and the scramble to respond

BONK’s price dropped approximately 7-8% immediately after news of the treasury drain spread.

BonkDAO has stated it is collaborating with exchanges, bridges, and law enforcement to track and potentially freeze the stolen funds.

For investors evaluating DAO-governed projects, this incident introduces a new risk metric worth considering. How much would it cost to capture governance relative to the treasury size? If that ratio is as lopsided as it was for BonkDAO, where $4.4 million in token purchases unlocked $20 million in treasury assets, the protocol is carrying a vulnerability that no smart contract audit will catch.

Several potential fixes exist. Time-locked execution periods would give communities a window to mobilize against malicious proposals. Higher quorum requirements would raise the cost of attack but also risk paralyzing governance. Multisig controls on treasury disbursements would add a human check on automated execution. Quadratic voting would reduce the influence of whale-sized positions. None of these are perfect, but all of them would have prevented a seven-wallet vote from draining $20 million.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.