BonkDAO's treasury was drained of about $20 million in BONK tokens on Monday after an attacker spent roughly $4.4 million assembling the exact stake needed to force a governance proposal through a vote nobody else showed up for. Every step was a valid onchain transaction.
BonkDAO's treasury was drained of about $20 million in BONK tokens on Monday after an attacker spent roughly $4.4 million buying enough of the memecoin's supply to force a governance proposal through a vote nobody else showed up for. The proposal moved 4.43 trillion BONK, the entire treasury balance, to a wallet the attacker controlled. Every step was a valid onchain transaction.
The setup began on June 30, when an anonymous wallet submitted proposal "BIP #76 — Sowellian BonkDAO" through Solana's Realms governance platform. To clear quorum, it needed yes votes equal to one per cent of BONK's supply. Over July 4 and 5, a separate wallet spent about $4.4 million on Binance and Bybit, and according to Lookonchain borrowed more through DeFi lending, assembling exactly that stake. On July 6 it cast every token in favour. The proposal passed with 882.38 billion BONK for and 879.95 billion required, a margin measured in fractions of a per cent.
Seven wallets voted yes. More than 18,000 BONK holders did not vote at all, a turnout of 2.9 per cent. The 99.9 per cent yes result was, in effect, a single actor agreeing with itself. Chainalysis said 4.43 trillion BONK, worth around $20 million, moved out of the treasury within minutes of execution. Roughly $188,000 hit a centralised exchange nine hours later, presumably to convert to something more liquid than a memecoin the market was already selling. The remaining $19 million sits in a multisig wallet requiring multiple approvals to move.
BonkDAO confirmed the drain in a statement on Monday.
BONK's price fell about 7 per cent within 24 hours; the token was already trading soft against a broader Solana meme-coin cooldown that has been running since the meme-coin speculation faded in Q1. The attacker began offloading its own pre-attack BONK position an hour after the drain, selling about $5.3 million worth. It kept the treasury tokens.
The proposal's written pitch reads less like a governance motion and more like a taunt. It promised to "rebuild from the ashes, monetize holdings, stop the bleeding," and included a line that "all YES voters are eligible to receive tokens" — the classic incentive to keep quorum-hunters compliant. Beneath the rhetoric sat the only line that mattered: transfer 4.43 trillion BONK to the attacker's wallet.
This is not a smart-contract exploit. There was no bug to patch. What the attacker did was buy the vote — publicly, cheaply, and within the rules the DAO had written for itself. The mechanism that took the money is exactly the mechanism BonkDAO was designed around: token-weighted voting with a one per cent quorum and no timelock long enough to matter. In a system where turnout hovers below three per cent, the only person who has to show up is the one who wants the money.
The design failure runs deeper than any specific parameter. BonkDAO's treasury sat behind a rule that said whoever assembles a temporary majority controls the money. The one per cent quorum was cheap because BONK's supply is enormous and its holders are dispersed. A five per cent quorum would have raised the attack price to something closer to $22 million — probably above the payoff, though a rally in BONK could change the maths quickly. A time-delayed execution window, of the sort Compound and MakerDAO have used for years, would have given legitimate holders a chance to notice the transfer and vote it down. BonkDAO had neither.
The debate over whether this is a hack or a legitimate use of published rules is already doing predictable work on Crypto Twitter. Some observers argue that if the code executed as written, it is not theft. BonkDAO, working with the Solana Foundation and Chainalysis to trace the exchange wallets involved, calls it a malicious attack, and law enforcement is being told the same. Both framings can be true at once. The rules were followed. Money moved to someone who did not earn it. The system was doing what it was told, and what it was told to do turned out to be a bad idea.
There is nothing new in the pattern. The Compound governance attack played out the same way in miniature; Beanstalk was drained through a flash-loan-funded vote in 2022; half a dozen forgotten protocols have provided the template since. What separates BonkDAO is scale — a community large enough to see the vote and small enough to not turn up. Eighteen thousand token holders had a week to notice. Seven bothered.