Biteye|Jul 07, 2026 10:37
Is Web3 DAO a pseudo proposition? Deeply dissecting why Bonk was attacked by governance
What? Can an attacker leverage $20 million of DAO treasury with $4 million?
Early this morning, BONK DAO suffered a governance attack. Attackers exploit design flaws such as BONK's low governance threshold, simple majority voting mechanism, and lack of Timelock delay execution to attempt to transfer treasury assets through malicious proposals.
So, how to design the governance process of a mature DAO? Why do protocols such as Aave, ENS, Lido reduce risks through multi-layer governance, while BONK is more vulnerable to governance attacks?
⬇️ This article will break down the DAO governance process into five stages:
Proposal → Community Discussion → Snapshot Temperature Test → On Chain Voting → Timelock Execution
one ️⃣ Proposal Stage
In the DAO ecosystem, the proposal phase is the starting point for all governance actions.
The core content of a formal proposal typically includes agreement parameter adjustments, new asset launches, Treasury fund allocation, contract upgrades, incentive plan modifications, and governance rule restructuring.
In order to balance governance efficiency and prevent junk proposals, major protocols have set different token holding or delegation thresholds for initiators:
Aave: The threshold is relatively high, requiring approximately 0.5% AAVE voting rights.
ENS: Implementation proposals require a commission of 100000 ENS, while social proposals require approximately 10000 ENS.
Lido: It needs to be discussed on the forum first and meet the threshold of at least 1000 LDO.
The BONK threshold is relatively low, only requiring 100M Bonk ($425.99), which is also the reason why Bonk is targeted by governance attacks.
two ️⃣ Governance Forum Stage
Community discussion is a pre screening stage before formal voting. Most mature DAOs require proposals to first enter the official governance forum and be completed through public discussions
Disclosure of proposals and collection of opinions: Let the community understand the content of the proposal in advance and raise questions.
Optimize proposal plan: Adjust parameters and execution details based on feedback to improve proposal quality.
Filter low-quality proposals: Avoid malicious or immature schemes from directly entering on chain voting.
But not all DAOs have this stage, taking BONK DAO as an example:
BONK does not have a formal Governance Forum process and mainly submits BIP proposals and votes directly through Solana Realms.
Mature DAOs typically form governance firewalls through multi-layer mechanisms such as Governance Forum, Snapshot, Timelock, etc., while Meme DAOs like BONK tend to vote directly to improve decision-making efficiency but also lower the threshold for attacks.
three ️⃣ Snapshot temperature test (Off chain Voting)
Before the official on chain voting, many DAOs will conduct off chain voting through snapshots as a community willingness test.
This stage is commonly referred to as: Temperature Check
The main functions are ⬇️
Reduce voting costs: Off chain voting does not require payment of gas, and community members can participate at low cost.
Advance consensus verification: Observe whether the proposal receives sufficient support to avoid immature solutions being directly executed on the chain.
Optimize proposal direction: Adjust the details of the plan based on the voting results and community feedback.
If the snapshot temperature test fails, it usually means that the community has not formed enough consensus, and the proposal will be terminated or returned for modification without entering the formal on chain voting stage.
And it is precisely because Bonk DAO did not design the important anti-theft insurance layer of snapshot that it was easily broken into by "thieves".
four ️⃣ Official On Chain Governance Voting
After community discussions and snapshot temperature testing (if adopted by the project), the proposal will enter the formal on chain governance phase.
This stage is executed by the on chain governance framework, for example:
Governor contract (common in the Ethereum ecosystem)
Aragon (DAO Management Framework)
Realms (Solana Governance Framework)
In order to ensure the seriousness and security of on chain voting, smart contracts will strictly verify the following two core indicators during settlement:
Minimum Participation Threshold: As a security red line for DAO governance, Quorum sets the minimum number of voting participants required for a proposal to have legal validity.
If the total number of tokens participating in the voting does not meet the standard, even if the number of affirmative votes reaches 100%, the proposal will be directly rejected.
For example, in a token model with a total of 100 million tokens, if Quorum is set to 5%, at least 5 million tokens are required to participate in voting. The Quorum settings of major mainstream DAOs vary:
Lido has set a high threshold of 5% total supply (approximately 50 million LDO)
Aave (about 2% total supply) is relatively conventional compared to ENS and BONK (1% total supply)
Optimism is more flexible, dynamically adjusting between 3% and 30% based on the type of proposal.
️ Voting conditions: After reaching the Quorum (minimum participation threshold), the proposal still needs to meet the corresponding approval ratio in order to be officially passed.
The daily governance of most DAOs adopts the Simple Majority system, which means that the affirmative vote (YES) is greater than the negative vote (NO)
However, for significant changes involving the core rules of the protocol, such as amending the ENS constitution, adjusting key governance parameters, or upgrading underlying protocols, DAOs typically adopt a Super Majority system.
Request a higher proportion of support votes, for example:
More than 2/3 (about 66.7%) agree;
Or a higher proportion of support.
This mechanism can prevent a few large coin holders from pushing for significant modifications to the entire agreement through a simple majority.
Another important reason for BONK being subjected to governance attacks is that its DAO governance parameters are relatively loose.
The minimum participation threshold only requires 1% of the total supply of BONK voting rights to enter valid voting. And the voting conditions adopt a simple majority system: YES>NO
This means that attackers do not need to obtain the vast majority of BONK, but only need to control about 1% of the supply and gain majority support for their proposals to drive governance execution.
five ️⃣ Timelock Delay Execution and On Chain Execution
Mature DAOs typically do not execute proposals immediately after a vote is passed, but instead add a Timelock mechanism:
Voting passed → Timelock waiting → On chain execution
The function of Timelock is to provide a buffer time for the community, allowing members to:
Check the proposal code;
Identify potential attack risks;
Organize opposition or initiate emergency measures.
The proposal will only be automatically executed by the governance framework after the waiting period has ended.
One important reason for Bonk's governance attack is the lack of a standard Timelock delay execution step in its governance process: vote passed → direct execution
In the BIP 76 governance attack, the attacker took advantage of the lack of delayed execution mechanism in the BONK governance process to quickly execute malicious operations after the proposal was approved.
In conclusion
The governance attack by BONK has uncovered a long-standing problem in DeFi: Is DAO really necessary if no one participates in governance?
Is DAO really necessary when community governance becomes a performance? In fact, the lack of participation in governance makes DAO architecture more like an inefficient burden rather than a guarantee of the protocol.
When the real governance power is only in the hands of a very small number of people, and the majority of users are just silent spectators, deliberately pursuing nominal decentralization not only increases decision-making costs, but also exposes huge security vulnerabilities to the protocol.
Perhaps we should acknowledge that not all projects require DAO. Just like in a mature business world, allowing core decision-makers to control the overall direction often leads to more efficient execution and stronger risk resistance. After the frenzy of decentralization, we need to return to the essence: the robustness of agreements often relies on clear accountability and dedicated execution teams, rather than hypocritical referendums.
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink