A single attacker drained BonkDAO's entire treasury of roughly $20 million by spending $4.4 million on BONK tokens to hijack a governance vote in late June 2026. The proposal, which transferred 4.426 billion BONK tokens to the attacker's wallet, passed with only seven votes out of over 18,000 members, exposing a critical flaw in token-weighted voting systems.
How a $4.4M bet turned into a $20M payday
The attacker accumulated BONK tokens on exchanges like Binance and Bybit, amassing enough voting power to command more than 99% of the vote on any proposal. BonkDAO's governance on the Realms platform required only a 1% quorum to pass proposals, meaning if just 1% of eligible voters approved, the proposal executed automatically with no human review or time delay.
On June 30, 2026, the attacker submitted BIP #76, which authorized the transfer of the entire treasury to their wallet. Seven wallets voted in favor, and on July 6, the proposal executed automatically. No smart contract exploit or flash loan was used—the attacker simply exploited the governance rules as designed.
The governance problem hiding in plain sight
This incident is alarming because it wasn't a hack in the traditional sense. Token-weighted voting has always had a theoretical vulnerability where influence scales with token holdings, and voter apathy made the attack cheap. With 99.96% of members not participating, the cost of capturing governance dropped dramatically.
BonkDAO's governance had direct, unrestricted access to the treasury with no execution delays or additional checks. The 1% quorum threshold, intended to prevent governance gridlock, instead became the attack vector itself.
Market fallout and the scramble to respond
BONK's price dropped approximately 7-8% immediately after news of the drain. BonkDAO stated it is working with exchanges, bridges, and law enforcement to track and potentially freeze the stolen funds.
For investors, this introduces a new risk metric: the cost to capture governance relative to the treasury size. In BonkDAO's case, $4.4 million unlocked $20 million in assets—a vulnerability no smart contract audit would catch. Potential fixes include time-locked execution, higher quorum requirements, multisig controls, or quadratic voting, all of which would have prevented a seven-wallet vote from draining the treasury.