A $20 million treasury drain with no hack
On July 6, an attacker drained roughly $20 million worth of BONK tokens from BonkDAO’s treasury through a perfectly valid governance proposal. No smart contract was exploited, no private key was stolen, and no phishing attack occurred. Instead, the attacker spent about $4.4 million to acquire enough BONK voting power, passed a proposal that transferred the bulk of the treasury to a wallet they controlled, and the DAO’s own rules executed the transfer automatically.
The incident has become a stark case study in governance capture. With only seven wallets participating out of over 18,000 eligible members, turnout was a mere 2.9%. The attacker’s winning margin was razor-thin: 882.38 billion BONK voted in favor against a quorum threshold of 879.95 billion. The proposal, titled BIP #76, had been live for six days in plain sight, dressed as a governance renewal plan, while the attacker methodically accumulated tokens through exchange wallets.
Three missing safeguards
The attack succeeded because BonkDAO lacked three standard controls. First, there was no timelock — a mandatory delay between proposal passage and execution that would have given the community time to react. Second, there was no multisig or council veto to freeze anomalous transactions. Third, the quorum system allowed roughly 1% of supply to constitute a passing majority against extremely low turnout.
On-chain researchers, including SlowMist’s Yu Xian and analyst Yu Jin, reconstructed the attack. The attacker’s arithmetic was public: quorum multiplied by market price cost about $4 million to satisfy, against a treasury worth five times that. The deeper failure is that the treasury’s size bore no relationship to the cost of controlling it. BonkDAO held roughly 15% of all circulating BONK, governed by a mechanism whose capture price floated with token price and holder apathy.
The vote-buying economy
The attack did not break the governance system — it bought it. Vote buying in DAOs is not a fringe exploit but an industry with infrastructure. Bribe markets and delegation systems let holders rent out governance power without selling tokens. The line between that accepted economy and what happened to BonkDAO is intent, not mechanism.
Security researchers have long urged DAOs to compute their "cost of corruption": the expense of acquiring decisive voting power versus the value extractable by wielding it. For a healthy system, the first number should exceed the second by a wide margin. BonkDAO’s ratio of roughly $4.4 million to $20 million was an arbitrage opportunity with a six-day settlement period. Any DAO that has not computed its own ratio should assume an attacker already has.
Tooling and aftermath
BonkDAO ran on Realms, Solana’s standard DAO tooling, which executes passed proposals automatically. No human signed off, no council reviewed the transfer. The treasury moved to an address traced to a Bybit-funded wallet, and portions began flowing to exchanges within hours. Exchanges have since frozen deposits, and law enforcement has been notified.
The incident renews calls for stronger safeguards across the industry. Even a 48-hour timelock would have given the community time to respond. The attack also highlights a broader trend: governance participation has decayed to low single digits as token holders rationally conclude that voting is unpaid labor with diluted influence. Every percentage point of apathy directly lowers the capture price. For hundreds of DAOs, that price is computable right now.