Breaking

Attacker spends $4.4m to drain $20m from BonkDAO treasury

Attacker spends $4.4m to drain $20m from BonkDAO treasury

The cheapest way to drain a decentralised treasury is not to break the code — it is to buy the votes. On July 6, 2026, an attacker spent roughly $4.4 million accumulating Bonk (BONK) tokens, used that stake to pass a governance proposal, and walked away with about $20 million from the BonkDAO treasury. Nothing was exploited in the smart-contract sense: the vote was valid, the quorum was met, and the rules worked exactly as written. That is precisely why this governance attack should worry every Decentralised Autonomous Organisation (DAO) that holds a treasury — the economics were positive-EV, roughly 4.5 dollars extracted for every dollar spent.

The mechanics expose how thin on-chain governance can be. By acquiring just over one percent of BONK’s supply, the attacker cleared the quorum threshold and became the decisive voter in a low-turnout ballot. When the vote closed, wallets linked to the attacker controlled about 99.878 percent of the votes cast — 882.38 billion BONK against a 879.95 billion threshold — and the proposal to move treasury assets passed with 99.9 percent “yes.” Only seven wallets voted, against more than 18,000 members who did not, a turnout of 2.9 percent, according to CoinDesk. Some 4.4 trillion BONK left the treasury for attacker-controlled wallets.

The response has centred on containment. BonkDAO said it is coordinating with the Solana Foundation and exchanges to trace and freeze the stolen assets, and it moved quickly to identify the trail. “During the investigation, BonkDAO identified the exchange wallets used to purchase BONK ahead of the proposal,” the DAO said in its post-incident statement. That matters because portions of the stolen BONK have already begun moving to exchanges — early tracing showed roughly $188,000 cashed out and several million more in tokens sold — raising the risk the attacker liquidates before venues can act. BONK fell about seven percent in the 24 hours after the drain.

Security researchers were blunt about the classification. Yu Xian, co-founder of blockchain security firm SlowMist, characterised the episode as not a hack at all, noting that the attacker simply spent around $4 million to accumulate enough BONK to swing the vote and then transferred more than 4.4 trillion tokens once it passed. That framing is the uncomfortable part for the sector: if governance is doing what it was designed to do, the vulnerability is the design, not a bug. As analysts have noted in breaking down how the vote was captured, governance can become a protocol’s weakest security layer when quorum thresholds are low and voter turnout is thin.

The pattern is not new, which makes the recurrence telling. In 2022, the Beanstalk protocol lost about $180 million when an attacker used a flash-loaned governance majority to approve a malicious proposal in a single transaction. BonkDAO is the slower, cheaper variant — accumulate the tokens over days on the open market rather than borrow them for one block — but the failure mode is identical: concentrated voting power meeting a permissive quorum. For a market that has spent heavily on smart-contract audits, the through-line is that audited code does not protect a treasury whose governance can be bought. Exchanges and infrastructure providers have leaned into user-protection funds — MEXC, for instance, launched a $100 million fund to cover users from hacks — but those backstops do not reach DAO treasuries governed by token votes.

The institutional read matters because Solana’s on-chain economy is increasingly where regulated activity is heading. The chain has led tokenised-equity settlement — The Industry Spread has tracked its tokenised-stock ecosystem leading all chains — and capital keeps forming around it, from billion-dollar Solana treasuries to institutional DeFi tooling of the kind Talos built through its Skolem acquisition. Governance risk in that environment is not a meme-coin sideshow; it is a question of whether tokenholder-controlled treasuries can be trusted to custody real value.

Expect the near-term fix to be procedural rather than technical: higher quorum floors, timelocks that delay treasury execution long enough for a community to react, vote-escrow models that weight long-term holders, and multisig guardrails on treasury movements. Whether BonkDAO recovers any of the $20 million depends on how fast exchanges freeze the inbound BONK. The wider signal is that as tokenised assets and institutional capital migrate on-chain, the security budget has to move from the contract layer to the governance layer — because the next attacker will also read the quorum math before spending a dollar.

This article is informational analysis only and is not financial, investment, or trading advice. Cryptocurrencies are highly volatile and can lose substantial value rapidly. Past performance and historical patterns do not guarantee future results. Do your own research and consult a regulated financial adviser before making any investment decision.

Karthik Subramanian is a founder, writer, and technology consultant with nine years in the crypto ecosystem. He covers token economics, L1/L2 infrastructure, DeFi protocols, wallets/custody, and the bridge between crypto and forex—broker technology, liquidity, and macro drivers. Karthik’s writing focuses on clear, practical frameworks that help professionals evaluate new products and on-chain innovation alongside FX market realities.

Most Read

Related Posts

Imdustry insights

Stay Ahead

Get the latest news, insights, and market updates delivered to your inbox every day.

Enter your email address