440万撬走2000万:BONK遭遇了一次「合法明抢」
- Core Thesis: The Solana ecosystem Meme project BonkDAO suffered a malicious proposal attack due to a governance mechanism flaw. The attacker, without exploiting any technical vulnerabilities, gained voting control by purchasing a large number of tokens and legally transferred approximately 4.4 trillion BONK tokens (worth about $20 million) from the treasury.
- Key Elements:
- On June 30, the attacker submitted a malicious proposal named "BIP #76" on the Realms governance platform, disguised as governance reform, with the actual intent of transferring 4.4 trillion BONK (approximately $20 million) from the treasury.
- The attacker withdrew 882.285 billion BONK (worth $4.4 million) from an exchange, reaching the minimum voting threshold (1% of tokens), and thereby secured 99.878% of the voting weight, passing the proposal with an overwhelming majority.
- BonkDAO lacked critical defense mechanisms such as a quorum requirement, a timelock, and a delayed voting mechanism. This allowed the proposal to be executed immediately upon passing, with assets automatically transferred.
- The attack netted approximately $20 million at a cost of only $4.4 million, highlighting the risk of a "token-vote-only" governance model and the fragility of economic games in DAOs.
- BonkDAO officials have identified the attacker's address and are collaborating with exchanges, cross-chain bridges, and the Solana Foundation to address the situation, but the assets have already been moved.
Original Author: KarenZ, Foresight News
If someone told you they took nearly $20 million worth of tokens from a DAO treasury fair and square — without hacking anyone's computer, exploiting any code vulnerability, or even telling a single lie — you'd think they were bragging.
But in the world of Web3, this actually happened.
The leading meme project on the Solana ecosystem, BonkDAO, suffered a governance attack. The attacker didn't use any sophisticated hacking techniques but perfectly exploited the "rule by votes alone" survival principle in decentralized governance to siphon off nearly $20 million worth of BONK tokens.
In the early hours of July 7, 2026, Beijing time, the official BONK account disclosed on X that BonkDAO had encountered a malicious governance proposal, resulting in the transfer of approximately $20 million worth of BONK from the treasury. The official statement also indicated that exchange wallets buying BONK before the proposal had been identified, and they are coordinating with exchanges, cross-chain bridges, and the Solana Foundation to address the situation.
A Robbery Disguised as "Governance"
The governance page associated with this incident is a proposal submitted on Realms on June 30, titled BIP # 76 - Sowellian BonkDAO. The proposal claimed to implement a so-called "Sowellian" governance scheme, replace members and committees, rebuild the DAO, dispose of/liquidate holdings, stop the bleeding, and distribute tokens to all those who voted in favor.
If you strip away these fancy industry buzzwords and translate it into plain English, it essentially says: "I request that over 4.4 trillion BONK tokens (worth $20 million) in the treasury be transferred in full to my address."

What's more ironic is that the term "Sowellian" (Sowellian Game Theory) in the proposal's name is the name of the governance prediction market system for Solana's governance platform, Realms (the underlying system where BONK held this vote). Realms designed the Sowellian mechanism with a noble intention: to introduce economic games allowing participants to vote on proposals with real money, essentially "rewarding good decisions and punishing bad ones and malicious attacks."
Yet, the attacker, when submitting this malicious proposal that blatantly "robs" the treasury, chose to proactively name it "Sowellian BonkDAO." The attacker used the platform's proudest "game rules" to seize a DAO treasury's assets.
$4.4M Stake for $20M Prize: The Attacker's Math
After initiating the proposal on June 30, the "attacker" employed an extremely simple, brute-force, yet smart-contract-unblockable "money power" strategy:
1. **Quietly Accumulate**: According to statistics, in the past few days, the "attacker" withdrew enough BONK (882.285 billion tokens, worth $4.4 million) from Binance and Bybit to meet the minimum vote threshold (minimum 1% of tokens) and moved them on-chain.
2. **Vote**: This on-chain address cast a "yes" vote on the Realms governance system. However, due to the extremely low daily governance participation rate of BonkDAO at the time, only 7 addresses ultimately participated in the vote. Using 882.285 billion BONK, this address commanded a 99.878% voting weight, securing an overwhelming, absolute controlling stake.

On June 6, the voting result was announced: the proposal passed. The smart contract, following its programmed rules, automatically transferred 4.4 trillion BONK (approximately $20 million) from the treasury into the attacker's pocket.

Where Were DAO's Defense Mechanisms?
At this point, you might ask: Were there no limitations at all? Could he simply vote and take the money immediately?
This precisely highlights the fatal mistake made by BonkDAO. In more mature DAO governance, there are typically several lines of defense:
- Voting Quorum Threshold: Proposals involving the transfer of core treasury assets must significantly raise the requirements for participation and approval rates to prevent minority sneak attacks.
- Timelock: After a proposal passes, there should be a lock-up period of 3 to 7 days before execution. During this time, if the community identifies it as a malicious proposal, a multisig admin or core team has the opportunity to intervene using a veto power or by urgently modifying the contract.
- Delayed Voting Mechanism: Prevents someone from suddenly using flash loans or massive funds to manipulate the results right before the voting deadline.
Unfortunately, BonkDAO lacked sufficient defensive buffers and multisig intervention mechanisms, leading to the immediate execution of the malicious proposal upon passing. After succeeding, the attacker swiftly moved the funds.
Summary
Using a $4.4 million stake, in front of an unguarded ballot box, the attacker legally "voted" out a $20 million fortune.
The BONK governance attack serves as a stark wake-up call for the entire Web3 industry. This was not a smart contract code vulnerability, but a pure case of "governance manipulation and economic game theory," reflecting a fundamental lack of governance logic and rules.


