A "legal" robbery? Attackers emptied BonkDAO's treasury by purchasing tickets.

CN
链捕手
3 hours ago

Author: Chloe, ChainCatcher

In the early morning of July 6, 2026, the community governance organization of the Solana ecosystem meme coin BONK, BonkDAO, experienced a governance attack. The attacker emptied approximately 4.4 trillion BONK tokens from the treasury through a “legitimate” governance proposal. The most striking aspect of the entire incident was not any vulnerability in the smart contract, but that the attacker exchanged assets worth around $20 million for about $4.4 million spent on “buying votes,” and throughout the process, every step from buying tokens, voting, to funding was a technically valid transaction.

BonkDAO suffers governance attack, treasury emptied of approximately $20 million

The official X account of BonkDAO confirmed on July 6 that it had suffered an attack, describing it as a “malicious governance proposal,” estimating that approximately $20 million worth of BONK was transferred from the treasury. As the stolen tokens flowed immediately to exchanges, selling pressure appeared in the market, causing the BONK price to drop by about 7% to 10% within 24 hours, down to about $0.0000043, approximately 93% lower than its historical high of $0.000058.

The transferred tokens amounted to 4.4 trillion BONK. Due to slight variations in valuation over time and from different sources, descriptions of the amount range between approximately $19.3 million and $21.2 million, generally summarized as “approximately $20 million.”

BONK is a well-known dog meme coin launched on Solana in December 2022, famous for its large-scale community airdrop, and has long been regarded as one of the representative meme coins in the market, even included in some ETFs.

A 'legitimate' robbery? The attacker emptied the BonkDAO treasury by buying votes

Attack Mechanism: Proposal #76 “Sowellian BonkDAO” hides malicious instructions

The core tool of the attack was a governance proposal titled “BIP #76 - Sowellian BonkDAO.” On the surface, it advocated for the introduction of “Sowellian governance,” replacement of committee members and directors, reconstruction, monetization of holdings, stop loss, and a series of reform themes. From the text, it seemed more like a passionate declaration than a governance motion, even stating a desire to “rebuild from the ashes, monetize holdings, and stop the bleeding,” while promising all participants who voted “yes” would be eligible to receive BONK token rewards.

The real issue lay in the actual execution instructions hidden beneath the proposal, which included a single transfer of 4.43 trillion BONK directly into the attacker's wallet. This was the only action in the entire proposal that had any substantive effect and was the true purpose set from the very beginning; according to BonkDAO's explanation, this instruction to empty the treasury was embedded in the second execution step rather than being placed prominently, further lowering the chance of being spotted at a glance. In other words, this was a proposal cloaked in the guise of governance reform, but was actually a commandeering funds instruction.

Once the attacker used the purchased votes to pass the proposal, this instruction would be automatically executed on-chain without anyone needing to confirm it again. As a result, the funds directly flowed into the attacker's wallet ending in “JHvQ” around 4 AM Eastern Time on July 6; as for the promised token rewards to the supporters, they were, of course, not distributed.

A 'legitimate' robbery? The attacker emptied the BonkDAO treasury by buying votes

The attacker “bought votes” beforehand, circumventing community monitoring

According to on-chain analysis from Chainalysis, Lookonchain, and others, the entire attack was a premeditated action lasting about a week:

As early as June 30, an anonymous wallet submitted this proposal on the governance platform, which needed to achieve a minimum threshold of 1% of the token supply, approximately 879.95 billion BONK votes in favor.

Thus, from July 4 to July 5, another wallet purchased approximately 882.38 billion BONK through the exchanges Bybit and Binance, spending around $4.4 million, just enough to accumulate the votes to surpass the threshold; according to Lookonchain, the attacker may have also borrowed more tokens through DeFi lending platforms. This series of actions was carried out through exchange wallets in a dispersed manner, allowing the attacker to silently accumulate enough holdings to influence the voting outcome with almost no awareness from the community.

A 'legitimate' robbery? The attacker emptied the BonkDAO treasury by buying votes

The final proposal passed by a very narrow margin: 882.38 billion votes in favor, against the threshold of 879.95 billion, almost exactly what the attacker had accumulated in just a few days. What’s more noteworthy is the voting structure itself: only 7 wallets voted, while over 18,000 members participated not at all, with a voting rate of only about 2.9%, but a “yes” ratio as high as 99.9%. In other words, this so-called “community consensus” was essentially just an agreement reached by the attacker with themselves.

After emptying the treasury, the attacker disposed of the tokens in two completely different ways.

For the approximately $20 million BONK stolen from the treasury, the majority of it was not immediately liquidated. According to Chainalysis, about 9 hours after the heist, only about $188,000 was sent to exchanges (likely for liquidation), while the remaining approximately $19 million was transferred to a “multi-signature wallet” requiring multiple approvals for safekeeping; during this period, the funds were also briefly transferred to another address ending in “eh42.”

As for the batch of BONK initially purchased for buying votes, the attacker was eager to cash out: about an hour after emptying the treasury, they began to sell off these tokens, selling approximately $5.3 million. In other words, they retained the stolen treasury tokens but quickly disposed of the holdings used to seize the treasury.

Exchanges and the authorities promptly reacted. Upbit and Kraken suspended the deposit and withdrawal of BONK as per security event protocols; BonkDAO officials said they had informed law enforcement and had locked down the exchange wallets used to buy tokens before the attacker's voting, and they are collaborating with exchanges, cross-chain bridges, and the Solana Foundation to recover funds and clarify responsibility.

Conclusion

This incident has reignited an old debate. As every step—buying tokens, voting, funding—was technically a legitimate and valid transaction, some on-chain observers argue that the attacker merely exploited weak governance design, rather than “breaking in”; however, BonkDAO and several analytical agencies still clearly characterize it as an attack, and the involvement of law enforcement reflects this stance.

On-chain governance was once hailed as the future of community autonomy, symbolizing an ideal where token holders, rather than corporate executives, decide the allocation of funds. However, the BonkDAO incident once again highlights core issues within the cryptocurrency industry: handing the treasury keys to an open vote where “anyone can spend money to participate,” without adequate oversight mechanisms—such as substantive reviews of proposal content, higher approval thresholds, or time locks and manual review before funding—could turn even the most legitimate governance ideals into the most effective tools for attackers.

Disclaimer: This article represents only the personal views of the author and does not represent the position and views of this platform. This article is for information sharing only and does not constitute any investment advice to anyone. Any disputes between users and authors are unrelated to this platform. If the articles or images on the webpage involve infringement, please provide relevant proof of rights and identity documents and send an email to support@aicoin.com. The relevant staff of this platform will conduct an investigation.