The decentralized organization behind the BONK meme coin on Solana lost roughly $20 million after a vote that looked, on the surface, like an ordinary community proposal. No smart contract was hacked. An attacker simply bought enough tokens to push through the decision alone and pull the funds out without any outside help.
What actually happened?
The story began on June 30, when an anonymous wallet submitted a proposal titled "BIP #76 - Sowellian BonkDAO". On paper, it promised to "rebuild the project from the ashes" and stop the token's falling market cap. Buried inside was the one line that mattered: a transfer of 4.43 trillion BONK to the proposal author's wallet. BONK DAO manages the project's shared treasury, which funds development, marketing and token buybacks, so that treasury was the actual target.
On July 4 and 5, a separate wallet started buying BONK on the Binance and Bybit exchanges, spending about $4.4 million. Part of that sum, according to the analytics firm Lookonchain, came from loans taken out on DeFi lending platforms. The goal was to gather exactly enough tokens to clear quorum, no more and no less.
How does the voting system the attacker used actually work?
A few years ago, onchain governance was pitched as the future of decentralized communities. Token holders vote on proposals instead of a board making decisions behind closed doors. BONK DAO works exactly that way. Any holder with enough tokens can submit a proposal, and once a vote clears quorum, the decision executes automatically, with no human in the loop.
Quorum required just 1 percent of BONK's total supply. The vote closed on July 6. Only seven wallets took part, out of more than 18,000 DAO members. Quorum was cleared by the narrowest of margins, just a few billion tokens above the minimum required.
A low quorum is common for large DAOs. When thousands of token holders are scattered across exchanges and wallets, gathering an active majority is nearly impossible, so projects deliberately keep the bar low just to get decisions passed at all. That is the exact tradeoff the attacker exploited. The threshold was low not out of carelessness by the developers, but because it reflects standard industry practice.
The proposal text read more like a promotional post than a legal governance document. Its author promised extra tokens to anyone who voted yes. The bait worked. A handful of small BONK holders added their votes to the attacker's main stake, without realizing they were backing a transfer of the treasury to someone else's wallet.
- Vote bait: the promise of bonus tokens pulled in small BONK holders to support the proposal
- The vote passed with 99.9 percent support, since one player was essentially agreeing with itself
- Each individual step (buying, voting, payout) was a routine onchain transaction
- That legality at every step is exactly what makes the incident hard to classify legally
Where did the stolen tokens go?
Right after the vote, roughly $20 million in BONK moved from the treasury to the attacker's wallet. According to the analytics firm Chainalysis, about nine hours later $188,000 of that sum was sent to an exchange, likely to cash out. The bulk of it, close to $19 million, went to a multisig wallet that requires approval from several keys before any funds can move. That step typically slows down any attempt to freeze the funds, since a multisig transfer needs several separate keys to agree at once rather than a single person acting alone.
Even before that, less than an hour after the drain, the attacker began selling the very BONK bought to carry out the attack, offloading about $5.3 million worth. The stake assembled to win the vote was sold off, while the treasury tokens themselves were kept, with the whole operation costing the attacker almost nothing net.
Theft, or just flawed rules?
BONK DAO confirmed the incident and called it a malicious governance proposal. The team said it had already identified the exchange wallets the attacker used to buy tokens and was working with exchanges, bridges and the Solana Foundation on next steps.
A debate broke out immediately in the community. Can something built entirely out of legal transactions be called theft? Some onchain observers argue the attacker simply exploited a weak voting design rather than breaking anything by force. BONK DAO and the analytics firms treat it as an attack, which is why law enforcement is now involved.
BONK's price fell about 7 percent within 24 hours of the attack. The Solana network the token runs on showed no major swings of its own. Investors are clearly treating this as a single project's problem rather than a sign of trouble across the whole platform. According to the security firm CertiK, crypto hacks fell 47 percent in the first half of the year, yet governance attacks on DAOs remain a rare risk that a standard code audit simply does not catch.
The lesson for other DAOs
The takeaway here is simple. A treasury governed by token voting is only as secure as the cost of temporarily buying a voting majority. In BONK's case, that cost turned out to be five times cheaper than the payout.
For other DAOs, this is a reason to revisit quorum settings and how fast approved decisions execute. The attack worked because of a combination of low turnout and instant, automatic execution of the transfer. Without a delay or an extra check, decisions like this are hard to stop even hours before they go through, and dozens of other projects with similar governance models face the same exposure.
Some DAOs have already added safeguards against this kind of scenario: a delay between a vote passing and its execution, caps on how much a single treasury transfer can move, and a separate body with veto power over suspicious proposals. None of those protections were in place at BONK DAO when the attack happened. The open question is how many other projects with multimillion-dollar treasuries are still relying on a bare vote with no extra checks at all.




Comments
Your email address will not be published. Required fields are marked *