BTC $63,954.58 +0.89%
ETH $1,800.97 +0.82%
BNB $584.79 +0.20%
XRP $1.12 -1.41%
SOL $82.24 +0.59%
TRX $0.3318 +1.30%
DOGE $0.0753 -1.48%
ADA $0.1778 -3.50%
BCH $242.86 +1.24%
LINK $8.01 -0.12%
HYPE $72.16 +1.81%
AAVE $92.45 -4.41%
SUI $0.7445 +0.11%
XLM $0.1930 -3.64%
ZEC $508.89 +12.45%
BTC $63,954.58 +0.89%
ETH $1,800.97 +0.82%
BNB $584.79 +0.20%
XRP $1.12 -1.41%
SOL $82.24 +0.59%
TRX $0.3318 +1.30%
DOGE $0.0753 -1.48%
ADA $0.1778 -3.50%
BCH $242.86 +1.24%
LINK $8.01 -0.12%
HYPE $72.16 +1.81%
AAVE $92.45 -4.41%
SUI $0.7445 +0.11%
XLM $0.1930 -3.64%
ZEC $508.89 +12.45%

A "legal" robbery? Attackers emptied the BonkDAO treasury by buying tickets

Core Viewpoint
Summary: Handing over the keys to the vault to a public vote where "anyone can spend money to participate," without sufficient oversight mechanisms, even the most legitimate governance ideals may turn into the most convenient tools for attackers.
Chloe
2026-07-07 21:06:15
Collection
Handing over the keys to the vault to a public vote where "anyone can spend money to participate," without sufficient oversight mechanisms, even the most legitimate governance ideals may turn into the most convenient tools for attackers.

Author: Chloe, ChainCatcher

In the early hours of July 6, 2026, the community governance organization BonkDAO of the Solana ecosystem meme coin BONK suffered a governance attack. The attacker emptied approximately 4.4 trillion BONK tokens from the treasury through a "legitimately" passed governance proposal. The most striking aspect of the entire incident was not any smart contract vulnerability, but rather that the attacker spent about $4.4 million to "buy votes" and exchanged it for assets worth approximately $20 million. Throughout the process, every step of buying tokens, voting, and allocating funds was technically a completely valid transaction.

BonkDAO Suffers Governance Attack, Treasury Emptied of Approximately $20 Million

BonkDAO's official X account confirmed the attack on July 6, stating that it was a "malicious governance proposal," estimating that about $20 million worth of BONK was transferred from the treasury. As the stolen tokens quickly flowed to exchanges, market selling pressure emerged, causing the price of BONK to drop by about 7% to 10% within 24 hours, falling to around $0.0000043, approximately 93% lower than its historical high of $0.000058.

The tokens that were transferred amounted to 4.4 trillion BONK. Due to varying valuations over time and from different sources, descriptions of the amount range from about $19.3 million to $21.2 million, generally summarized as "approximately $20 million."

BONK is a well-known dog meme coin launched on Solana in December 2022, famous for its large-scale community airdrop, and has long been regarded as one of the representative meme coins in the market, even included in some ETFs.

A

Attack Mechanism: Proposal #76 "Sowellian BonkDAO" Hides Malicious Instructions

The core tool of the attack was a governance proposal titled "BIP #76 - Sowellian BonkDAO." On the surface, it advocated for the introduction of "Sowellian governance," replacement of committee members and directors, restructuring, monetization of holdings, stop-loss measures, and other reform themes. In terms of wording, it resembled a passionate declaration more than a governance motion, even stating the intention to "rebuild from the ashes, monetize holdings, and stop the bleeding," and promised that all participants who voted "yes" would be eligible to receive BONK token rewards.

The real issue lay in the actual execution instructions hidden beneath the proposal, which included a transfer that directly moved 4.43 trillion BONK into the attacker's wallet. This was the only action in the entire proposal that had substantive effect and was the true purpose set from the beginning; according to BonkDAO's explanation, this instruction to empty the treasury was buried in the second execution step, rather than placed in the most conspicuous position, further reducing the likelihood of being easily spotted. In other words, this was a proposal for misappropriating funds, merely cloaked in the guise of governance reform.

Once the attacker used the purchased votes to pass the proposal, this instruction would be automatically executed on-chain without any further confirmation from anyone. Thus, the funds flowed directly into the attacker's wallet ending in "JHvQ" around 4 AM Eastern Time on July 6; as for the promised token rewards to the supporters, they would, of course, not be distributed.

A

Attacker "Buys Votes" in Advance, Bypasses Community Monitoring

According to on-chain analyses from Chainalysis, Lookonchain, and others, the entire attack was a premeditated operation lasting about a week:

As early as June 30, an anonymous wallet submitted this proposal on the governance platform, which required a minimum of 1% of the token supply to pass, approximately 879.95 billion BONK votes in favor.

Thus, on July 4 and 5, another wallet purchased approximately 882.38 billion BONK through the exchanges Bybit and Binance, spending about $4.4 million, just enough to accumulate the votes needed to surpass the threshold; according to Lookonchain, the attacker may have also borrowed more tokens through DeFi lending platforms. This series of actions was carried out through exchange wallets in a dispersed manner, allowing the attacker to quietly accumulate enough holdings to sway the voting outcome without the community noticing.

A

The final proposal passed by a very narrow margin: 882.38 billion votes in favor against the threshold of 879.95 billion, almost exactly equal to the holdings accumulated by the attacker over several days. What is even more noteworthy is the voting structure itself: only 7 wallets voted, while over 18,000 members did not participate at all, resulting in a voting rate of only about 2.9%, yet the "yes" proportion was as high as 99.9%. In other words, this so-called "community consensus" was essentially just an agreement reached by the attacker with themselves.

After emptying the treasury, the attacker took two completely different approaches to the tokens in their possession.

For the approximately $20 million worth of BONK stolen from the treasury, the attacker did not immediately liquidate the majority. According to Chainalysis, about 9 hours after the heist, only about $188,000 was sent to exchanges (possibly for liquidation), while the remaining approximately $19 million was transferred to a "multi-signature wallet" requiring multiple approvals for safekeeping; during this time, the funds were also temporarily moved to another address ending in "eh42."

For the batch of BONK they had purchased to buy votes, the attacker was eager to offload: about an hour after emptying the treasury, they began selling this batch of tokens, liquidating approximately $5.3 million. In other words, they kept the stolen treasury tokens but quickly disposed of the holdings used to seize the treasury.

Exchanges and officials responded immediately. Upbit and Kraken suspended the deposit and withdrawal of BONK following security incident protocols; BonkDAO officials stated that they had reported the incident to law enforcement and locked the exchange wallets used by the attacker to buy tokens before voting, and were cooperating with exchanges, cross-chain bridges, and the Solana Foundation to recover funds and clarify responsibility.

Conclusion

This incident has reignited an old debate. Since every step—buying tokens, voting, allocating funds—was technically a legitimate and valid transaction, some on-chain observers believe that the attacker merely exploited weak governance design rather than "breaking in"; however, BonkDAO and several analytical institutions still clearly classify it as an attack, and the involvement of law enforcement reflects this stance.

On-chain governance was once hailed as the future of community autonomy, symbolizing the ideal of having token holders, rather than corporate executives, decide the direction of funds. However, the BonkDAO incident once again highlights a core issue in the crypto industry: handing the keys to the treasury over to an open vote where "anyone can spend money to participate," without sufficient oversight mechanisms—such as substantive review of proposal content, higher passing thresholds, or time locks and manual reviews before allocations—can turn even the most legitimate governance ideals into tools that attackers can exploit.

Join ChainCatcher Official
Telegram Feed: @chaincatcher
X (Twitter): @ChainCatcher_
warnning Risk warning
app_icon
ChainCatcher Building the Web3 world with innovations.