Login
Sign Up
Woofun AI reports that a sophisticated governance attack on BonkDAO, a prominent project within the SOL ecosystem, resulted in the unauthorized transfer of approximately $20 million in treasury assets. Unlike traditional cyberattacks involving code exploits or brute-force hacking, this incident, detailed by KarenZ of Foresight News, represents a paradoxical form of "legal theft" where the attacker strictly adhered to the protocol's voting rules to drain the funds. The event underscores a critical vulnerability in decentralized autonomous organizations (DAOs) where financial power can override collective security without triggering any technical alarms.
The incident came to light in the early hours of July 7, 2026, Beijing time, when BONK’s official account on X disclosed that a malicious governance proposal had successfully executed, resulting in the loss of nearly $20 million worth of BONK tokens from the treasury. The official statement confirmed that the team had identified the specific exchange wallets responsible for accumulating the voting power prior to the proposal's submission. In response, the project team initiated immediate cooperation with major exchanges, cross-chain bridges, and the Solana Foundation to mitigate the fallout and address the systemic failure that allowed such a maneuver to succeed.
At the center of this controversy was a proposal titled BIP 76 – Sowellian BonkDAO, which was submitted to the Realms governance platform on June 30. The proposal advocated for the implementation of a "Sowellian" governance model, a framework that ostensibly aimed to restructure the DAO by replacing existing members and committees.
However, the underlying intent was far more predatory: the proposal called for the liquidation of holdings to stop losses and the subsequent distribution of all treasury assets—specifically over 4.4 trillion tokens valued at $20 million—exclusively to the addresses that voted in favor of the measure.
The irony of the situation lies in the naming convention of the proposal itself. The term 'Sowellian' refers to the prediction market system integrated into Solana’s governance platform, Realms, which serves as the voting infrastructure for BonkDAO. Originally designed with noble intentions, this mechanism utilizes game theory rules to incentivize participants to vote with real economic stakes, thereby "rewarding good decisions and punishing bad decisions." By naming the proposal "Sowellian BonkDAO," the attacker deliberately co-opted the platform’s most celebrated feature, using its own "game theory rules" to justify the outright robbery of the DAO’s treasury under the guise of legitimate governance participation.
The attacker’s strategy began with a phase of secret accumulation, leveraging capital from major centralized exchanges. Over several days leading up to the vote, the attacker transferred BONK tokens from Binance and Bybit onto the on-chain network. The goal was to meet the minimum voting requirement, which stood at just 1% of the total token supply. This accumulation totaled 882.285 billion tokens, representing an investment of approximately $4.4 million. This initial outlay was calculated precisely to ensure eligibility for voting while minimizing the upfront cost relative to the potential payout.
Woofun AI data shows that once the threshold was met, the attacker moved to the second phase: voting dominance. Due to the historically low participation rates in BonkDAO’s regular governance cycles, only seven addresses cast votes during this period. The attacker’s address, holding 882.285 billion BONK tokens, secured a staggering 99.878% of the total voting weight. This overwhelming majority granted absolute control over the decision-making process. On June 6, the voting results were finalized, and the proposal passed. Consequently, the smart contract automatically executed the transfer of 4.4 trillion BONK tokens, valued at roughly $20 million, from the treasury directly to the attacker’s account.
The ease with which this transfer occurred highlights a critical missing defense: the absence of robust voting thresholds. In mature DAO governance systems, proposals involving the transfer of core treasury assets typically require significantly higher thresholds for both the number of unique voters and the approval rate. These safeguards are designed to prevent small groups or single entities from hijacking the treasury. BonkDAO’s reliance on a simple majority rule, without considering the concentration of voting power, left it exposed to attacks by a small group with sufficient capital to sway the outcome.
Furthermore, the lack of a timelock mechanism exacerbated the vulnerability. Standard security protocols usually mandate a timelock period of 3 to 7 days after a proposal passes, before execution can occur. This delay allows multisig administrators and the core team to review the proposal and exercise veto power if malicious intent is detected. It also provides an opportunity for urgent contract modification to halt the transfer. In this case, the absence of such a buffer meant that once the vote concluded, there was no window for intervention, allowing the malicious proposal to proceed unchecked.
Another critical failure was the lack of a delayed voting mechanism. Such mechanisms are designed to prevent manipulation via flash loans or last-minute capital injections, which can distort voting outcomes if executed immediately before the deadline. Without this protection, the attacker was able to execute the vote and trigger the immediate transfer of funds. Once the proposal passed, the attacker quickly moved the stolen assets, leaving the community with no recourse to recover the $20 million loss through on-chain means.
This incident serves as a stark warning to the Web3 industry regarding the distinction between code vulnerability and governance manipulation. The attacker did not exploit a bug in the smart contract but rather leveraged a lack of proper governance logic and rules. By investing $4.4 million to legally acquire $20 million, the attacker demonstrated that economic strategy can be as potent as technical hacking in decentralized systems. This marks a pivotal moment in understanding that security in Web3 extends beyond code audits to include rigorous economic and governance design.