AI

BONK faces $20 million treasury drain after attacker spends $4 million to pass malicious proposal

· CoinDesk

The attacker bought enough of the memecoin's tokens to pass a governance proposal that sent the group's holdings to a wallet they controlled, then began selling.

  • An attacker used BONK DAO’s onchain governance system to pass a proposal that automatically drained about $20 million in BONK tokens from the project’s treasury.
  • By spending roughly $4.4 million to buy just over 1 percent of BONK’s supply, the attacker met the quorum threshold, effectively becoming a single decisive voter in a low-turnout ballot that passed with 99.9 percent “yes” votes.
  • The incident underscores how token-based governance can leave treasuries vulnerable when a temporary voting majority can be cheaply bought, reigniting debate over whether such actions are theft or merely exploitation of flawed rules.

Onchain governance was heralded a few years ago as the future of how communities run themselves. But a multimillion attack on the memecoin BONK shows the cost of putting a treasury at the mercy of a public vote anyone can buy their way into.

BONK DAO was drained of $20 million late Monday, the culmination of a week-long scheme in which an opportunistic attacker spent about $4.4 million buying up the project's bonk tokens to force through a vote. Every step was a legitimate transaction — such as the buying, the vote, the payout — and together they carried out a theft.

BONK is a Solana-based memecoin, and BONK DAO is the decentralized autonomous organization that governs it, a structure where token holders vote on proposals rather than a company making decisions. Anyone holding enough tokens can propose a change and, if a vote passes, have it execute automatically onchain.

That design was the specific weapon used in this attack.

The sequence began on June 30, when an anonymous wallet submitted a proposal to transfer the treasury's holdings to a wallet it controlled, per Chainalysis. To pass, the proposal needed yes votes equal to 1% of BONK's supply, the quorum, or minimum participation, required for it to take effect.

Over July 4 and 5, a separate wallet acquired exactly that much, spending about $4.4 million to buy BONK on the exchanges Bybit and Binance and, by one account, borrowing more through DeFi lending platforms, according to Lookonchain.

Titled "BIP #76 - Sowellian BonkDAO," the proposal passed with just seven wallets voting, against more than 18,000 members who did not, a turnout of 2.9%.

It cleared quorum by the narrowest margin, 882.38 billion BONK in favor against a 879.95 billion threshold, almost exactly the stake the attacker had spent days assembling.

The 99.9% "yes" result was effectively a single voter agreeing with itself. Its written pitch read less like a governance motion than a boast, promising to "rebuild from the ashes, monetize holdings, stop the bleeding," with a line noting that "all YES voters are eligible to receive tokens."

Beneath it sat the only instruction that should have turned heads - a transfer of 4.43 trillion BONK to the attacker's wallet.

By July 6 the voter held just enough. It cast its entire stake in favor, the proposal passed, and about $20 million in BONK automatically moved out of the treasury into the attacker's wallet.

Nine hours later, roughly $188,000 was sent to an exchange, likely to cash out, while the remaining $19 million went to a multisig wallet, one requiring multiple approvals to move funds, Chainalysis said.

Just over an hour after the drain, the attacker began selling the BONK it had bought for the attack, offloading about $5.3 million worth. It kept the treasury tokens but not the stake it had assembled to seize them.

BONK DAO has since confirmed the attack, describing it as a malicious governance proposal that drained an estimated $20 million from its treasury. It said it had identified the exchange wallets used to buy tokens ahead of the vote and was working with exchanges, bridges and the Solana Foundation to manage the fallout.

The attack has revived an old argument about whether this kind of thing is theft or a fair use of the rules.

Because every step was a valid transaction, some onchain observers argued the attacker simply exploited a weak governance design rather than breaking in. BONK DAO and the analytics firms treat it as an attack, and the involvement of law enforcement reflects that.

Either way, the mechanism is the lesson. A treasury that can be drained by whoever assembles a temporary voting majority is only as secure as the cost of buying that majority, and here that cost was far less than the prize.
BONK prices are down 7% in the past 24 hours, data shows, in the aftermath of the attack.

Zcash’s Tachyon upgrade aims to scale shielded payments, improve quantum readiness, and test whether its funding, security, and governance can hold.