Author: Claude, Deep Tide TechFlow
Deep Tide Introduction: The BonkDAO treasury was "legally" emptied of approximately 20 million dollars worth of BONK tokens via a governance proposal. The attacker spent 4.4 million dollars to acquire just over 1% of the voting rights of BONK, submitted a proposal disguised as governance reform, waited 6 days with no attention, and then voted to approve it themselves, triggering the automatic execution of the smart contract transfer.
The entire process had no code vulnerabilities, no hacker intrusion, just a governance forum that hardly anyone watched and a proposal that was ignored for a full 6 days. The price of BONK subsequently dropped by about 8%.

A person spent 4.4 million dollars to move 20 million dollars worth of BONK tokens. No code was compromised; they used BonkDAO's own voting system.
On July 6, an attacker's malicious proposal submitted via the Solana chain governance platform Realms automatically executed, transferring approximately 4.426 trillion BONK tokens from the BonkDAO treasury to a wallet controlled by the attacker, equivalent to about 20 million dollars at the time.
BonkDAO subsequently confirmed on the X platform that it had encountered an attack via a "malicious governance proposal," stating that it had notified law enforcement, and was coordinating with exchanges, cross-chain bridges, and the Solana Foundation to track the funds.
This incident is glaring in its method: the attacker followed an "official procedure" throughout.
Exploiting governance rules, solely to transfer money to themselves
According to CoinDesk's report on July 7, the attacker's operational path was not complex.
On June 30, the attacker submitted proposal number BIP #76, titled "Sowellian BonkDAO," superficially packaged as a governance reform plan, mentioning "appointing new members and committees," "monetizing assets," "stem bleeding," and even promised that "all who vote in favor would be eligible for tokens." However, the core execution instruction of the proposal had only one line:
Transfer 4.426 trillion BONK to an address controlled by the attacker.
Prior to this, the attacker had accumulated just over 4.4 million dollars worth of BONK through exchanges like Bybit and Binance, managing to surpass BonkDAO's 1% voting threshold (quorum, meaning the minimum participation rate required for a proposal to be valid).

The proposal was up on the governance forum for 6 days. During this time, out of over 18,000 eligible voting members of BonkDAO, only 7 wallets participated in the voting, resulting in a voting rate of about 2.9%. The attacker used their own holdings to cast a vote in favor, making up 99.878% of the total votes. The number of votes in favor was 88.238 billion BONK, just surpassing the 87.995 billion threshold.
On July 6, the proposal automatically passed, and the smart contract executed as per the regulations, transferring the 20 million dollars.
When no one watches the governance forum, proposals become a cash withdrawal machine
Crypto KOL TheDeFinvestor believes this was not even a hacking attack. The reason for the proposal's approval is simple yet absurd: none of the BONK holders truly checked the details of the proposals on the governance forum.
This statement strikes at the foundational assumption of DAO governance.
The logic behind token-weighted voting presumes: holders will care about the project's future because they have economic interests tied to it. However, this assumption almost completely fails within meme coin projects.
The vast majority of BONK holders are speculative traders, buying for price fluctuations, with governance decisions having nothing to do with them. When the coin price fell 93% from its historical high of 0.000059 dollars in November 2024, its market cap shrinking from over 4 billion dollars to less than 400 million, even the enthusiasm of the speculators faded, let alone anyone browsing through the list of proposals in the governance forum.
When the market is cold, the forum is cold. When the forum is cold, a proposal hiding a transfer instruction can quietly hang for 6 days, awaiting automatic execution.
A study by the research institution Gauntlet in 2023 showed that over 60% of major DeFi protocols had a voting participation rate of less than 10%. BonkDAO's 2.9% voting rate is not even considered unusual in this context.
4.4 million for 20 million: the cost of the attack is far lower than the gain
If you were a bad person wanting to launch an attack, this calculation would be quite favorable.
The attacker spent about 4.4 million dollars to acquire voting rights and moved approximately 20 million dollars worth of treasury assets, achieving a return on investment ratio close to 1:5.
From a purely economic perspective, as long as the DAO treasury asset scale is larger than the cost needed to acquire the voting threshold, such attacks can be lucrative. BonkDAO's quorum is set at 1% of total supply, while the voting participation rate has long been below 3%. The attacker does not need to persuade anyone, just needs to appear when no one is paying attention, and then vote with money.
The blockchain security company PeckShield has detected that about 148,000 dollars of the stolen BONK has already flowed into the OKX exchange. The South Korean exchange Upbit has suspended BONK deposits and withdrawals. SlowMist co-founder Yu Xian confirmed the transfer records of approximately 4.426 trillion BONK on the X platform.
The price of BONK declined by about 8% to 10% after the news broke, currently reported around 0.000004 dollars.
The prospects of recovery are not optimistic; governance repair is the real issue
BonkDAO stated that it had identified the exchange wallets used by the attacker to purchase BONK and is working with on-chain analysis firms like Chainalysis to track the flow of funds. However, on-chain transfers executed via governance proposals are technically "legitimate transactions," unlike smart contract exploits, and cannot be reversed through on-chain rollbacks or hard forks. The hope of recovering funds mainly relies on exchanges freezing and law enforcement involvement, provided the attacker's true identity is successfully identified.
A greater risk is that the Solana Realms governance platform runs over 800 DAOs, managing a total of over 1.5 billion dollars in treasury assets. Any DAO with a treasury size larger than the cost of quorum acquisition, and a voting participation rate below 10%, faces the same risk exposure.
Ultimately, I find it most ironic that the full name of DAO is "Decentralized Autonomous Organization," where "autonomous" presupposes that someone is indeed governing.
When no one watches the governance forum, "decentralization" becomes "no one cares," and "autonomy" becomes "self-service withdrawal."
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。