Login
Sign Up
Woofun AI reports that the BonkDAO governance structure on Solana was compromised in a sophisticated attack orchestrated by an anonymous entity. Rather than exploiting a smart contract vulnerability, the attacker leveraged a legitimate voting mechanism to drain approximately $20 million from the treasury, having spent $4.4 million to purchase the necessary voting power. This incident highlights a severe disconnect between technical validity and economic security in decentralized governance models.
The attack unfolded in the early hours of July 6, 2026, when the BonkDAO treasury was emptied of roughly 4.4 trillion BONK tokens. The financial impact was immediate and severe, with the stolen assets valued between $19.3 million and $21.2 million depending on the timing of valuation. The market reaction was swift; within 24 hours, the price of BONK plummeted by 7% to 10%, settling around $0.0000043. This represented a staggering 93% decline from its historical high of $0.000058, underscoring the volatility induced by such large-scale treasury drains.
BonkDAO's official X account confirmed the incident on July 6, labeling it a "malicious governance proposal." The organization estimated that approximately $20 million worth of BONK had been transferred out of the treasury. BONK, launched on Solana in December 2022, is a prominent meme coin known for its large-scale community airdrop and inclusion in some ETFs. The sheer scale of the theft, ranging from $19.3 million to $21.2 million, shocked the community, as the tokens were quickly moved to exchanges, exacerbating selling pressure.
The core instrument of the attack was proposal BIP 76, titled "Sowellian BonkDAO." On the surface, the proposal advocated for "Sowellian governance," including the replacement of committee members and directors, restructuring, and the monetization of holdings. It used emotive language, promising to "rebuild from the ashes" and "stop the bleeding," while offering token rewards to those who voted "yes." This narrative was designed to mimic a passionate reform movement, masking the true intent behind the governance motion.
However, the malicious intent was hidden in the execution instructions. Buried in the second execution step was a command to transfer 4.43 trillion BONK directly to the attacker's wallet. This was the only substantive action in the proposal, effectively emptying the treasury. According to BonkDAO, this instruction was deliberately placed in a less conspicuous position to avoid detection. Once passed, the instruction executed automatically on-chain, transferring the funds to a wallet ending in "JHvQ" at 4 AM Eastern Time on July 6, without any further confirmation.
Pre-attack preparation began on June 30, when an anonymous wallet submitted the proposal, which required a minimum of 1% of the token supply, or approximately 879.95 billion BONK votes, to pass. To secure this threshold, the attacker purchased approximately 882.38 billion BONK on July 4 and July 5 through Bybit and Binance, spending about $4.4 million. Lookonchain noted that the attacker may have also borrowed additional tokens from DeFi lending platforms to ensure they had enough voting power to surpass the threshold quietly.
Woofun AI data shows that the voting mechanics revealed a stark lack of community participation. Only 7 wallets voted, while over 18,000 members did not participate, resulting in a voting rate of just 2.9%. Despite this low turnout, the "yes" proportion was 99.9%, with 882.38 billion votes in favor against the 879.95 billion threshold. This narrow margin, almost exactly equal to the holdings accumulated by the attacker, demonstrated that the "community consensus" was essentially a self-vote by the attacker, bypassing any genuine community oversight.
Post-attack token movements were strategic. For the stolen $20 million worth of BONK, the attacker did not immediately liquidate the majority. About 9 hours after the heist, only $188,000 was sent to exchanges, possibly for initial liquidation, while the remaining $19 million was transferred to a multi-signature wallet for safekeeping. During this period, funds were also temporarily moved to an address ending in "eh42," indicating an effort to obscure the trail and secure the bulk of the stolen assets.
In contrast, the attacker was eager to offload the BONK purchased to buy votes. About one hour after emptying the treasury, they began selling this batch, liquidating approximately $5.3 million. This quick disposal of the voting tokens minimized their exposure to market volatility while retaining the stolen treasury assets. The divergent handling of the two batches of tokens highlighted the attacker's focus on maximizing profit from the heist while minimizing risk from the purchased voting power.
Exchange responses were immediate. Upbit and Kraken suspended BONK deposits and withdrawals following security incident protocols. BonkDAO officials stated they had reported the incident to law enforcement and locked the exchange wallets used by the attacker to buy tokens. They are cooperating with exchanges, cross-chain bridges, and the Solana Foundation to recover funds and clarify responsibility, emphasizing the severity of the breach and the need for coordinated action.
This incident reignites the debate over on-chain governance. While every step—buying tokens, voting, allocating funds—was technically a legitimate transaction, the outcome was a clear exploitation of weak governance design. BonkDAO and several analytical institutions classify it as an attack, reflecting the stance that technical validity does not equate to security. The involvement of law enforcement underscores the seriousness of the breach and the potential legal ramifications for such actions.
On-chain governance was once hailed as the future of community autonomy, symbolizing the ideal of having token holders, rather than corporate executives, decide the direction of funds.
However, the BonkDAO incident highlights a core issue: handing the keys to the treasury over to an open vote where "anyone can spend money to participate," without sufficient oversight mechanisms—such as substantive review of proposal content, higher passing thresholds, or time locks and manual reviews before allocations—can turn even the most legitimate governance ideals into tools that attackers can exploit. This marks a critical failure in the current model of decentralized governance.