BonkDAO Treasury Drained for $20M Using Its Own Voting System

Published by James Harris on

BonkDAO Treasury Drained for $20M Using Its Own Voting System — DeFi

What You Need to Know

  • Attacker stole $20 million in BONK tokens by spending $4 million to acquire voting power through BonkDAO’s governance system.
  • Token-weighted governance allows attackers to accumulate enough tokens, pass malicious proposals, and extract treasury funds through concentrated voting power.
  • BONK token dropped over 9% as stolen supply moved toward exchanges; Upbit froze deposits while BonkDAO coordinated with exchanges to freeze funds.
  • Similar governance exploits have targeted other Solana and cross-chain protocols using flash loans to borrow majority voting power in single transactions.

Someone drained BonkDAO’s treasury using the protocol’s own governance system, walking away with an estimated $20 million in BONK tokens after spending roughly $4 million to buy enough voting power to make it happen. The token dropped more than 9% as the stolen supply began moving toward exchanges.

The mechanics here are straightforward and not new. Token-weighted governance, where voting power is proportional to holdings, has always had a known attack surface: accumulate enough tokens, pass a malicious proposal, extract the treasury. The Solana-based Realms platform that BonkDAO uses for voting did exactly what it was designed to do. The attacker acquired BONK through exchange wallets, submitted a proposal, and used concentrated voting power to approve a treasury transfer. Blockchain investigators estimate the attacker spent roughly $4 million to net $20 million, a 5x return before any selling. Similar governance exploits have hit other Solana and cross-chain protocols between 2025 and 2026, sometimes using flash loans to borrow majority votes within a single transaction, though whether this attacker borrowed or accumulated patiently has not been confirmed.

A $4 million entry cost to steal $20 million is not a vulnerability, it is a business model.

The downstream response shows how fragmented the damage control still is. South Korea’s Upbit froze BONK deposits and withdrawals after the stolen tokens began heading toward exchanges. BonkDAO says it has identified the exchange wallets used in the accumulation phase and is coordinating with exchanges, bridges, and the Solana Foundation to freeze the funds before they move beyond reach. That kind of post-incident coalition takes time, and the attacker has a head start. For anyone packaging governance tokens into institutional products, this is a direct argument regulators will use: treasury controls in DAOs are structurally exploitable, and there is no recourse mechanism that operates faster than an attacker’s exit.

BonkDAO has not offered any timeline for recovering the funds, which is the honest answer given that on-chain freezing depends entirely on exchange cooperation and how quickly the attacker converts. The Solana ecosystem has a particular exposure here because several of its governance-heavy protocols use similar token-weighted systems on Realms. Whether this triggers any coordinated push to redesign voting thresholds or add time-locks to treasury proposals is the practical question. The project losing $20 million is the headline. The governance architecture that made it trivially possible is the actual problem.

Categories: News

James Harris

Hi, I’m James Harris, dad of three, professional coffee maker (not drinker, as I make it for my wife), and the unlucky guy who once lost $48 in a crypto scam. Yep, forty-eight bucks. Not life-changing money, but just enough to sting my pride. That little scam lit a fire in me: if I could get fooled, so could anyone. And that’s how DodgeTheScam.com was born. Now I spend my time turning my mistake into your advantage. I dig into scams, fake sites, and shady schemes so you don’t have to learn the hard way. I keep things simple, honest, and sometimes funny, because staying safe online doesn’t have to feel like homework. My mission? To help you dodge scams, save your hard-earned money, and maybe give you a laugh or two along the way.

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Exit mobile version